Merge branch 'fix-reverse-tabnabbing-with-invalid-protocol-delimiter' into 'master'

Fix reverse tabnabbing vulnerability with improper URL protocol See merge request gitlab-org/gitlab!79727

Merge branch 'fix-reverse-tabnabbing-with-invalid-protocol-delimiter' into 'master'
Fix reverse tabnabbing vulnerability with improper URL protocol See merge request gitlab-org/gitlab!79727
5e671be6 · Michael Kozono · 81e6cebd · 2a025add · 5e671be6 · 5e671be6
Commit 5e671be6 authored Feb 02, 2022 by Michael Kozono
Showing with 9 additions and 2 deletions

lib/banzai/filter/external_link_filter.rb lib/banzai/filter/external_link_filter.rb +2 -2

spec/lib/banzai/filter/external_link_filter_spec.rb spec/lib/banzai/filter/external_link_filter_spec.rb +7 -0

No files found.
--- a/lib/banzai/filter/external_link_filter.rb
+++ b/lib/banzai/filter/external_link_filter.rb
@@ -64,8 +64,8 @@ module Banzai

      def internal_url?(uri)
        return false if uri.nil?
-        # Relative URLs miss a hostname
-        return true unless uri.hostname
+        # Relative URLs miss a hostname AND a scheme
+        return true if !uri.hostname && !uri.scheme

        uri.hostname == internal_url.hostname
      end

--- a/spec/lib/banzai/filter/external_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/external_link_filter_spec.rb
@@ -71,6 +71,13 @@ RSpec.describe Banzai::Filter::ExternalLinkFilter do

      expect(doc.to_html).to eq(expected)
    end
+
+    it 'adds rel and target attributes to improperly formatted protocols' do
+      doc = filter %q(<p><a target="_blank" href="http:evil.com">Reverse Tabnabbing</a></p>)
+      expected = %q(<p><a target="_blank" href="http:evil.com" rel="nofollow noreferrer noopener">Reverse Tabnabbing</a></p>)
+
+      expect(doc.to_html).to eq(expected)
+    end
  end

  context 'for links with a username' do