Commit 2a025add authored by Magdalena Frankiewicz

Fix reverse tabnabbing vulnerability with improper URL protocol

URLs with an invalid protocol delimiter like `http:evil.com` were
mistakenly considered internal URLs by Banzai `ExternalLinkFilter`.

Therefore, the `rel="nofollow noreferrer noopener"` attribute was not
added to the anchor, leaving the site vulnerable to reverse tabnabbing.

This commit fixes it.

Changelog: fixed
parent c6eb1760
...@@ -64,8 +64,8 @@ module Banzai ...@@ -64,8 +64,8 @@ module Banzai
def internal_url?(uri) def internal_url?(uri)
return false if uri.nil? return false if uri.nil?
# Relative URLs miss a hostname # Relative URLs miss a hostname AND a scheme
return true unless uri.hostname return true if !uri.hostname && !uri.scheme
uri.hostname == internal_url.hostname uri.hostname == internal_url.hostname
end end
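Review bot: The new condition `return true if !uri.hostname && !uri.scheme` also changes how scheme-only URIs with no host (for example `mailto:` links, which parse with a scheme but no hostname) are classified: they no longer return early as internal, fall through to `uri.hostname == internal_url.hostname`, compare `nil` against the internal hostname, and are therefore treated as external and receive `rel="nofollow noreferrer noopener"`. Confirm that this is the intended behaviour and that existing specs cover it, or narrow the check to the case the commit message describes (a scheme present but no hostname, as in `http:evil.com`) if other schemes should keep their previous handling.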
...@@ -71,6 +71,13 @@ RSpec.describe Banzai::Filter::ExternalLinkFilter do ...@@ -71,6 +71,13 @@ RSpec.describe Banzai::Filter::ExternalLinkFilter do
expect(doc.to_html).to eq(expected) expect(doc.to_html).to eq(expected)
end end
it 'adds rel and target attributes to improperly formatted protocols' do
doc = filter %q(<p><a target="_blank" href="http:evil.com">Reverse Tabnabbing</a></p>)
expected = %q(<p><a target="_blank" href="http:evil.com" rel="nofollow noreferrer noopener">Reverse Tabnabbing</a></p>)
expect(doc.to_html).to eq(expected)
end
end end
context 'for links with a username' do context 'for links with a username' do
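Review bot: The new spec only exercises the `http:evil.com` case; since the filter change in `internal_url?` also alters the early return for every URI without a hostname, add a companion example asserting that a plain relative link such as `href="/foo"` (no scheme, no hostname) still receives no `rel` attribute, so the fix is pinned on both sides and a later edit cannot silently turn all relative links external.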