[master] Resolve "[Security] Stored XSS via KaTeX"

645f7ee8 · Constance Okoghenun · Yorick Peterse · 77528641 · 645f7ee8 · 645f7ee8
Unverified Commit 645f7ee8 authored 6 years ago by Constance Okoghenun Committed by Yorick Peterse 6 years ago
--- a/changelogs/unreleased/security-stored-xss-via-katex.yml
+++ b/changelogs/unreleased/security-stored-xss-via-katex.yml
+---
+title: Fixed XSS content in KaTex links
+merge_request:
+author:
+type: security
--- a/spec/features/markdown/math_spec.rb
+++ b/spec/features/markdown/math_spec.rb
 require 'spec_helper'
  
 describe 'Math rendering', :js do
+  let!(:project)   { create(:project, :public) }
+
  it 'renders inline and display math correctly' do
    description = <<~MATH
      This math is inline $`a^2+b^2=c^2`$.
@@ -11,7 +13,6 @@ describe 'Math rendering', :js do
      ```
    MATH
  
-    project = create(:project, :public)
    issue = create(:issue, project: project, description: description)
  
    visit project_issue_path(project, issue)
@@ -19,4 +20,19 @@ describe 'Math rendering', :js do
    expect(page).to have_selector('.katex .mord.mathdefault', text: 'b')
    expect(page).to have_selector('.katex-display .mord.mathdefault', text: 'b')
  end
+
+  it 'only renders non XSS links' do
+    description = <<~MATH
+      This link is valid $`\\href{javascript:alert('xss');}{xss}`$.
+
+      This link is valid $`\\href{https://gitlab.com}{Gitlab}`$.
+    MATH
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    expect(page).to have_selector('.katex-error', text: "\href{javascript:alert('xss');}{xss}")
+    expect(page).to have_selector('.katex-html a', text: 'Gitlab')
+  end
 end