Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
aa86e17e
Commit
aa86e17e
authored
Nov 28, 2018
by
Winnie Hellmann
Committed by
Cindy Pallares
Nov 28, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[master] Fix XSS in mermaid diagrams
parent
c8313d2f
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
21 additions
and
1 deletion
+21
-1
app/assets/javascripts/behaviors/markdown/render_mermaid.js
app/assets/javascripts/behaviors/markdown/render_mermaid.js
+3
-0
changelogs/unreleased/security-mermaid-xss.yml
changelogs/unreleased/security-mermaid-xss.yml
+5
-0
spec/features/issues/user_comments_on_issue_spec.rb
spec/features/issues/user_comments_on_issue_spec.rb
+12
-0
spec/features/markdown/mermaid_spec.rb
spec/features/markdown/mermaid_spec.rb
+1
-1
No files found.
app/assets/javascripts/behaviors/markdown/render_mermaid.js
View file @
aa86e17e
...
...
@@ -26,6 +26,9 @@ export default function renderMermaid($els) {
},
// mermaidAPI options
theme
:
'
neutral
'
,
flowchart
:
{
htmlLabels
:
false
,
},
});
$els
.
each
((
i
,
el
)
=>
{
...
...
changelogs/unreleased/security-mermaid-xss.yml
0 → 100644
View file @
aa86e17e
---
title
:
Configure mermaid to not render HTML content in diagrams
merge_request
:
author
:
type
:
security
spec/features/issues/user_comments_on_issue_spec.rb
View file @
aa86e17e
...
...
@@ -40,6 +40,18 @@ describe "User comments on issue", :js do
expect
(
page
.
find
(
'pre code'
).
text
).
to
eq
code_block_content
end
it
"does not render html content in mermaid"
do
html_content
=
"<img onerror=location=`javascript
\\
u003aalert
\\
u0028document.domain
\\
u0029` src=x>"
mermaid_content
=
"graph LR
\n
B-->D(
#{
html_content
}
);"
comment
=
"```mermaid
\n
#{
mermaid_content
}
\n
```"
add_note
(
comment
)
wait_for_requests
expect
(
page
.
find
(
'svg.mermaid'
)).
to
have_content
html_content
end
end
context
"when editing comments"
do
...
...
spec/features/markdown/mermaid_spec.rb
View file @
aa86e17e
...
...
@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do
visit
project_issue_path
(
project
,
issue
)
%w[A B C D]
.
each
do
|
label
|
expect
(
page
).
to
have_selector
(
'svg
foreignObjec
t'
,
text:
label
)
expect
(
page
).
to
have_selector
(
'svg
tex
t'
,
text:
label
)
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment