Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
52ade20e
Commit
52ade20e
authored
Feb 14, 2017
by
Ruben Davila
Browse files
Options
Browse Files
Download
Plain Diff
Merge 'dev/8-17-stable' into 8-17-stable
parents
872a530b
79b56c8a
Changes
15
Show whitespace changes
Inline
Side-by-side
Showing
15 changed files
with
113 additions
and
7 deletions
+113
-7
VERSION
VERSION
+1
-1
app/uploaders/file_uploader.rb
app/uploaders/file_uploader.rb
+1
-1
app/uploaders/uploader_helper.rb
app/uploaders/uploader_helper.rb
+8
-1
changelogs/unreleased/asciidocs-xss-patch.yml
changelogs/unreleased/asciidocs-xss-patch.yml
+4
-0
changelogs/unreleased/fix-xss-svg.yml
changelogs/unreleased/fix-xss-svg.yml
+4
-0
changelogs/unreleased/labels-assigned-to-wrong-project.yml
changelogs/unreleased/labels-assigned-to-wrong-project.yml
+4
-0
changelogs/unreleased/patch-rdoc-xss.yml
changelogs/unreleased/patch-rdoc-xss.yml
+4
-0
db/migrate/20160519203051_add_developers_can_merge_to_protected_branches.rb
...9203051_add_developers_can_merge_to_protected_branches.rb
+2
-0
lib/gitlab/asciidoc.rb
lib/gitlab/asciidoc.rb
+3
-0
lib/gitlab/github_import/importer.rb
lib/gitlab/github_import/importer.rb
+7
-3
lib/gitlab/other_markup.rb
lib/gitlab/other_markup.rb
+3
-0
spec/controllers/uploads_controller_spec.rb
spec/controllers/uploads_controller_spec.rb
+22
-0
spec/factories/notes.rb
spec/factories/notes.rb
+5
-1
spec/lib/gitlab/asciidoc_spec.rb
spec/lib/gitlab/asciidoc_spec.rb
+23
-0
spec/lib/gitlab/other_markup.rb
spec/lib/gitlab/other_markup.rb
+22
-0
No files found.
VERSION
View file @
52ade20e
8.17.0-rc
1
8.17.0-rc
2
app/uploaders/file_uploader.rb
View file @
52ade20e
...
...
@@ -36,7 +36,7 @@ class FileUploader < GitlabUploader
escaped_filename
=
filename
.
gsub
(
"]"
,
"
\\
]"
)
markdown
=
"[
#{
escaped_filename
}
](
#{
self
.
secure_url
}
)"
markdown
.
prepend
(
"!"
)
if
image_or_video?
markdown
.
prepend
(
"!"
)
if
image_or_video?
||
dangerous?
{
alt:
filename
,
...
...
app/uploaders/uploader_helper.rb
View file @
52ade20e
# Extra methods for uploader
module
UploaderHelper
IMAGE_EXT
=
%w[png jpg jpeg gif bmp tiff
svg
]
IMAGE_EXT
=
%w[png jpg jpeg gif bmp tiff]
# We recommend using the .mp4 format over .mov. Videos in .mov format can
# still be used but you really need to make sure they are served with the
# proper MIME type video/mp4 and not video/quicktime or your videos won't play
# on IE >= 9.
# http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
VIDEO_EXT
=
%w[mp4 m4v mov webm ogv]
# These extension types can contain dangerous code and should only be embedded inline with
# proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
DANGEROUS_EXT
=
%w[svg]
def
image?
extension_match?
(
IMAGE_EXT
)
...
...
@@ -20,6 +23,10 @@ module UploaderHelper
image?
||
video?
end
def
dangerous?
extension_match?
(
DANGEROUS_EXT
)
end
def
extension_match?
(
extensions
)
return
false
unless
file
...
...
changelogs/unreleased/asciidocs-xss-patch.yml
0 → 100644
View file @
52ade20e
---
title
:
Patch Asciidocs rendering to block XSS
merge_request
:
author
:
changelogs/unreleased/fix-xss-svg.yml
0 → 100644
View file @
52ade20e
---
title
:
Fix XSS vulnerability in SVG attachments
merge_request
:
author
:
changelogs/unreleased/labels-assigned-to-wrong-project.yml
0 → 100644
View file @
52ade20e
---
title
:
Prevent the GitHub importer from assigning labels and comments to merge requests or issues belonging to other projects.
merge_request
:
author
:
changelogs/unreleased/patch-rdoc-xss.yml
0 → 100644
View file @
52ade20e
---
title
:
Patch XSS vulnerability in RDOC support
merge_request
:
author
:
db/migrate/20160519203051_add_developers_can_merge_to_protected_branches.rb
View file @
52ade20e
class
AddDevelopersCanMergeToProtectedBranches
<
ActiveRecord
::
Migration
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
disable_ddl_transaction!
def
change
...
...
lib/gitlab/asciidoc.rb
View file @
52ade20e
...
...
@@ -36,6 +36,9 @@ module Gitlab
html
=
Banzai
.
post_process
(
html
,
context
)
filter
=
Banzai
::
Filter
::
SanitizationFilter
.
new
(
html
)
html
=
filter
.
call
.
to_s
html
.
html_safe
end
...
...
lib/gitlab/github_import/importer.rb
View file @
52ade20e
...
...
@@ -115,7 +115,7 @@ module Gitlab
begin
issuable
=
if
gh_issue
.
pull_request?
MergeRequest
.
find_by
_iid
(
gh_issue
.
number
)
MergeRequest
.
find_by
(
target_project_id:
project
.
id
,
iid:
gh_issue
.
number
)
else
gh_issue
.
create!
end
...
...
@@ -212,8 +212,12 @@ module Gitlab
comment
=
CommentFormatter
.
new
(
project
,
raw
)
# GH does not return info about comment's parent, so we guess it by checking its URL!
*
_
,
parent
,
iid
=
URI
(
raw
.
html_url
).
path
.
split
(
'/'
)
issuable_class
=
parent
==
'issues'
?
Issue
:
MergeRequest
issuable
=
issuable_class
.
find_by_iid
(
iid
)
if
parent
==
'issues'
issuable
=
Issue
.
find_by
(
project_id:
project
.
id
,
iid:
iid
)
else
issuable
=
MergeRequest
.
find_by
(
target_project_id:
project
.
id
,
iid:
iid
)
end
next
unless
issuable
issuable
.
notes
.
create!
(
comment
.
attributes
)
...
...
lib/gitlab/other_markup.rb
View file @
52ade20e
...
...
@@ -17,6 +17,9 @@ module Gitlab
html
=
Banzai
.
post_process
(
html
,
context
)
filter
=
Banzai
::
Filter
::
SanitizationFilter
.
new
(
html
)
html
=
filter
.
call
.
to_s
html
.
html_safe
end
end
...
...
spec/controllers/uploads_controller_spec.rb
View file @
52ade20e
...
...
@@ -4,6 +4,28 @@ describe UploadsController do
let!
(
:user
)
{
create
(
:user
,
avatar:
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/dk.png"
,
"image/png"
))
}
describe
"GET show"
do
context
'Content-Disposition security measures'
do
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
context
'for PNG files'
do
it
'returns Content-Disposition: inline'
do
note
=
create
(
:note
,
:with_attachment
,
project:
project
)
get
:show
,
model:
'note'
,
mounted_as:
'attachment'
,
id:
note
.
id
,
filename:
'image.png'
expect
(
response
[
'Content-Disposition'
]).
to
start_with
(
'inline;'
)
end
end
context
'for SVG files'
do
it
'returns Content-Disposition: attachment'
do
note
=
create
(
:note
,
:with_svg_attachment
,
project:
project
)
get
:show
,
model:
'note'
,
mounted_as:
'attachment'
,
id:
note
.
id
,
filename:
'image.svg'
expect
(
response
[
'Content-Disposition'
]).
to
start_with
(
'attachment;'
)
end
end
end
context
"when viewing a user avatar"
do
context
"when signed in"
do
before
do
...
...
spec/factories/notes.rb
View file @
52ade20e
...
...
@@ -97,7 +97,11 @@ FactoryGirl.define do
end
trait
:with_attachment
do
attachment
{
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/dk.png"
,
"`/png"
)
}
attachment
{
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/dk.png"
,
"image/png"
)
}
end
trait
:with_svg_attachment
do
attachment
{
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/unsanitized.svg"
,
"image/svg+xml"
)
}
end
end
end
spec/lib/gitlab/asciidoc_spec.rb
View file @
52ade20e
...
...
@@ -41,6 +41,29 @@ module Gitlab
render
(
input
,
context
,
asciidoc_opts
)
end
end
context
"XSS"
do
links
=
{
'links'
=>
{
input:
'link:mylink"onmouseover="alert(1)[Click Here]'
,
output:
"<div>
\n
<p><a href=
\"
mylink
\"
>Click Here</a></p>
\n
</div>"
},
'images'
=>
{
input:
'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]'
,
output:
"<div>
\n
<p><span><img src=
\"
https://localhost.com/image.png
\"
alt=
\"
Alt text
\"
></span></p>
\n
</div>"
},
'pre'
=>
{
input:
'```mypre"><script>alert(3)</script>'
,
output:
"<div>
\n
<div>
\n
<pre lang=
\"
mypre
\"
>
\"
><code></code></pre>
\n
</div>
\n
</div>"
}
}
links
.
each
do
|
name
,
data
|
it
"does not convert dangerous
#{
name
}
into HTML"
do
expect
(
render
(
data
[
:input
],
context
)).
to
eql
data
[
:output
]
end
end
end
end
def
render
(
*
args
)
...
...
spec/lib/gitlab/other_markup.rb
0 → 100644
View file @
52ade20e
require
'spec_helper'
describe
Gitlab
::
OtherMarkup
,
lib:
true
do
context
"XSS Checks"
do
links
=
{
'links'
=>
{
file:
'file.rdoc'
,
input:
'XSS[JaVaScriPt:alert(1)]'
,
output:
'<p><a>XSS</a></p>'
}
}
links
.
each
do
|
name
,
data
|
it
"does not convert dangerous
#{
name
}
into HTML"
do
expect
(
render
(
data
[
:file
],
data
[
:input
],
context
)).
to
eql
data
[
:output
]
end
end
end
def
render
(
*
args
)
described_class
.
render
(
*
args
)
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment