diff options
| author | Kerri Miller <kerrizor@kerrizor.com> | 2019-05-20 13:24:22 -0700 |
|---|---|---|
| committer | Kerri Miller <kerrizor@kerrizor.com> | 2019-05-24 12:33:24 -0700 |
| commit | a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2 (patch) | |
| tree | 2df0435eaf290a601f8eb91346a4bed2d1153893 /spec/lib/banzai | |
| parent | a600c0a78d7f9660d8f37f0f6fc98b61bdc275fb (diff) | |
| download | gitlab-ce-a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2.tar.gz | |
Reject slug+uri concat if slug is deemed unsafe
First reported:
https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.
Diffstat (limited to 'spec/lib/banzai')
| -rw-r--r-- | spec/lib/banzai/filter/wiki_link_filter_spec.rb | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/wiki_link_filter_spec.rb b/spec/lib/banzai/filter/wiki_link_filter_spec.rb index b9059b85fdc..cce1cd0b284 100644 --- a/spec/lib/banzai/filter/wiki_link_filter_spec.rb +++ b/spec/lib/banzai/filter/wiki_link_filter_spec.rb @@ -70,5 +70,47 @@ describe Banzai::Filter::WikiLinkFilter do expect(filtered_link.attribute('href').value).to eq(invalid_link) end end + + context "when the slug is deemed unsafe or invalid" do + let(:link) { "alert(1);" } + + invalid_slugs = [ + "javascript:", + "JaVaScRiPt:", + "\u0001java\u0003script:", + "javascript :", + "javascript: ", + "javascript : ", + ":javascript:", + "javascript:", + "javascript:", + "javascript:", + "javascript:", + "java\0script:", + "  javascript:" + ] + + invalid_slugs.each do |slug| + context "with the slug #{slug}" do + it "doesn't rewrite a (.) relative link" do + filtered_link = filter( + "<a href='.#{link}'>Link</a>", + project_wiki: wiki, + page_slug: slug).children[0] + + expect(filtered_link.attribute('href').value).not_to include(slug) + end + + it "doesn't rewrite a (..) relative link" do + filtered_link = filter( + "<a href='..#{link}'>Link</a>", + project_wiki: wiki, + page_slug: slug).children[0] + + expect(filtered_link.attribute('href').value).not_to include(slug) + end + end + end + end end end |