Patch Kramdown syntax highlighter gem

This restricts Rouge formatters to the Rouge::Formatters namespace to prevent arbitrary classes from being instantiated. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/324452

Patch Kramdown syntax highlighter gem
This restricts Rouge formatters to the Rouge::Formatters namespace to prevent arbitrary classes from being instantiated. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/324452
15204769 · Stan Hu · 395233b7 · 15204769 · 15204769 · 15204769
Commit 15204769 authored Mar 14, 2021 by Stan Hu
3 changed files
--- a/changelogs/unreleased/security-patch-kramdown.yml
+++ b/changelogs/unreleased/security-patch-kramdown.yml
+---
+title: Patch Kramdown syntax highlighter gem
+merge_request:
+author:
+type: security
--- a/config/initializers/kramdown_patch.rb
+++ b/config/initializers/kramdown_patch.rb
+# frozen_string_literal: true
+#
+# This pulls in https://github.com/gettalong/kramdown/pull/708 for kramdown v2.3.0.
+# Remove this file when that pull request is merged and released.
+require 'kramdown/converter'
+require 'kramdown/converter/syntax_highlighter/rouge'
+module Kramdown::Converter::SyntaxHighlighter
+  module Rouge
+    def self.formatter_class(opts = {})
+      case formatter = opts[:formatter]
+      when Class
+        formatter
+      when /\A[[:upper:]][[:alnum:]_]*\z/
+        ::Rouge::Formatters.const_get(formatter, false)
+      else
+        # Available in Rouge 2.0 or later
+        ::Rouge::Formatters::HTMLLegacy
+      end
+    rescue NameError
+      # Fallback to Rouge 1.x
+      ::Rouge::Formatters::HTML
+    end
+  end
+end
--- a/spec/initializers/kramdown_patch_spec.rb
+++ b/spec/initializers/kramdown_patch_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'Kramdown patch for syntax highlighting formatters' do
+  subject { Kramdown::Document.new(options + "\n" + code).to_html }
+  let(:code) do
+    <<-RUBY
+~~~ ruby
+    def what?
+      42
+    end
+~~~
+    RUBY
+  end
+  context 'with invalid formatter' do
+    let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: CSV, line_numbers: true\\}" /}) }
+    it 'falls back to standard HTML and disallows CSV' do
+      expect(CSV).not_to receive(:new)
+      expect(::Rouge::Formatters::HTML).to receive(:new).and_call_original
+      expect(subject).to be_present
+    end
+  end
+  context 'with valid formatter' do
+    let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: HTMLLegacy\\}" /}) }
+    it 'allows formatter' do
+      expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original
+      expect(subject).to be_present
+    end
+  end
+end