Merge branch...

Merge branch 'security-11-3-xss-in-markdown-following-unrecognized-html-element' into 'security-11-3' [11.3] XSS in markdown following unrecognized HTML element See merge request gitlab/gitlabhq!2633

Merge branch...
5a26a1ea · Steve Xuereb · d0dadd3b · 918a7424 · 5a26a1ea · 5a26a1ea
Commit 5a26a1ea authored 6 years ago by Steve Xuereb
--- a/app/models/concerns/cache_markdown_field.rb
+++ b/app/models/concerns/cache_markdown_field.rb
@@ -15,7 +15,7 @@ module CacheMarkdownField
  # Increment this number every time the renderer changes its output
  CACHE_REDCARPET_VERSION         = 3
  CACHE_COMMONMARK_VERSION_START  = 10
-  CACHE_COMMONMARK_VERSION        = 11
+  CACHE_COMMONMARK_VERSION        = 12
  
  # changes to these attributes cause the cache to be invalidates
  INVALIDATED_BY = %w[author project].freeze

--- a/changelogs/unreleased/security-11-3-xss-in-markdown-following-unrecognized-html-element.yml
+++ b/changelogs/unreleased/security-11-3-xss-in-markdown-following-unrecognized-html-element.yml
+---
+title: Fix possible XSS attack in Markdown urls with spaces
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@@ -17,6 +17,9 @@ module Banzai
    # This is a small extension to the CommonMark spec.  If they start allowing
    # spaces in urls, we could then remove this filter.
    #
+    # Note: Filter::SanitizationFilter should always be run sometime after this filter
+    # to prevent XSS attacks
+    #
    class SpacedLinkFilter < HTML::Pipeline::Filter
      include ActionView::Helpers::TagHelper
  

--- a/lib/banzai/pipeline/gfm_pipeline.rb
+++ b/lib/banzai/pipeline/gfm_pipeline.rb
@@ -10,13 +10,16 @@ module Banzai
      def self.filters
        @filters ||= FilterArray[
          Filter::PlantumlFilter,
+
+          # Must always be before the SanitizationFilter to prevent XSS attacks
+          Filter::SpacedLinkFilter,
+
          Filter::SanitizationFilter,
          Filter::SyntaxHighlightFilter,
  
          Filter::MathFilter,
          Filter::ColorFilter,
          Filter::MermaidFilter,
-          Filter::SpacedLinkFilter,
          Filter::VideoLinkFilter,
          Filter::ImageLazyLoadFilter,
          Filter::ImageLinkFilter,

--- a/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
@@ -104,5 +104,17 @@ describe Banzai::Pipeline::GfmPipeline do
  
      expect(output).to include("src=\"test%20image.png\"")
    end
+
+    it 'sanitizes the fixed link' do
+      markdown_xss = "[xss](javascript: alert%28document.domain%29)"
+      output = described_class.to_html(markdown_xss, project: project)
+
+      expect(output).not_to include("javascript")
+
+      markdown_xss = "<invalidtag>\n[xss](javascript:alert%28document.domain%29)"
+      output = described_class.to_html(markdown_xss, project: project)
+
+      expect(output).not_to include("javascript")
+    end
  end
 end