[master] Resolve "[Security] Stored XSS via KaTeX"

2dfa614c · Constance Okoghenun · Yorick Peterse · cb3e3835 · 2dfa614c · 2dfa614c
Commit 2dfa614c authored Jan 24, 2019 by Constance Okoghenun Committed by Yorick Peterse Jan 24, 2019
Showing with 22 additions and 1 deletion

changelogs/unreleased/security-stored-xss-via-katex.yml changelogs/unreleased/security-stored-xss-via-katex.yml +5 -0

spec/features/markdown/math_spec.rb spec/features/markdown/math_spec.rb +17 -1

No files found.
--- a/changelogs/unreleased/security-stored-xss-via-katex.yml
+++ b/changelogs/unreleased/security-stored-xss-via-katex.yml
+---
+title: Fixed XSS content in KaTex links
+merge_request:
+author:
+type: security
--- a/spec/features/markdown/math_spec.rb
+++ b/spec/features/markdown/math_spec.rb
 require 'spec_helper'

 describe 'Math rendering', :js do
+  let!(:project)   { create(:project, :public) }
+
  it 'renders inline and display math correctly' do
    description = <<~MATH
      This math is inline $`a^2+b^2=c^2`$.
@@ -11,7 +13,6 @@ describe 'Math rendering', :js do
      ```
    MATH

-    project = create(:project, :public)
    issue = create(:issue, project: project, description: description)

    visit project_issue_path(project, issue)
@@ -19,4 +20,19 @@ describe 'Math rendering', :js do
    expect(page).to have_selector('.katex .mord.mathdefault', text: 'b')
    expect(page).to have_selector('.katex-display .mord.mathdefault', text: 'b')
  end
+
+  it 'only renders non XSS links' do
+    description = <<~MATH
+      This link is valid $`\\href{javascript:alert('xss');}{xss}`$.
+
+      This link is valid $`\\href{https://gitlab.com}{Gitlab}`$.
+    MATH
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    expect(page).to have_selector('.katex-error', text: "\href{javascript:alert('xss');}{xss}")
+    expect(page).to have_selector('.katex-html a', text: 'Gitlab')
+  end
 end