Commit adedcb32 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-mermaid' into 'master'

Limit number of characters allowed in mermaidjs

See merge request gitlab/gitlabhq!2964
parents d21a6a45 0ea35096
import flash from '~/flash'; import flash from '~/flash';
import { sprintf, __ } from '../../locale';
// Renders diagrams and flowcharts from text using Mermaid in any element with the // Renders diagrams and flowcharts from text using Mermaid in any element with the
// `js-render-mermaid` class. // `js-render-mermaid` class.
...@@ -14,6 +15,9 @@ import flash from '~/flash'; ...@@ -14,6 +15,9 @@ import flash from '~/flash';
// </pre> // </pre>
// //
// This is an arbitary number; Can be iterated upon when suitable.
const MAX_CHAR_LIMIT = 5000;
export default function renderMermaid($els) { export default function renderMermaid($els) {
if (!$els.length) return; if (!$els.length) return;
...@@ -34,6 +38,21 @@ export default function renderMermaid($els) { ...@@ -34,6 +38,21 @@ export default function renderMermaid($els) {
$els.each((i, el) => { $els.each((i, el) => {
const source = el.textContent; const source = el.textContent;
/**
* Restrict the rendering to a certain amount of character to
* prevent mermaidjs from hanging up the entire thread and
* causing a DoS.
*/
if (source && source.length > MAX_CHAR_LIMIT) {
el.textContent = sprintf(
__(
'Cannot render the image. Maximum character count (%{charLimit}) has been exceeded.',
),
{ charLimit: MAX_CHAR_LIMIT },
);
return;
}
// Remove any extra spans added by the backend syntax highlighting. // Remove any extra spans added by the backend syntax highlighting.
Object.assign(el, { textContent: source }); Object.assign(el, { textContent: source });
......
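Review bot: The limit check's explanatory comment is written as a `/** … */` doc block inside the `$els.each` callback, while the rest of this file (including the `// Remove any extra spans…` line right below it) uses `//` line comments; a short `//` comment in the same style would read more consistently. The comment above `MAX_CHAR_LIMIT` has a typo, "arbitary" → "arbitrary", and would help a maintainer more if it said what the bound measures, e.g. `// Upper bound on the source length (UTF-16 code units) handed to mermaid; an arbitrary value chosen to keep render time bounded on oversized input.` Note that `source.length` counts UTF-16 code units rather than user-visible characters, which is acceptable for a size cap but worth stating so the "Maximum character count" message is not read as exact. The `renderMermaid` function and the `$els.each` callback both continue outside the hunk.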
---
title: Limit mermaid rendering to 5K characters
merge_request:
author:
type: security
...@@ -1320,6 +1320,9 @@ msgstr "" ...@@ -1320,6 +1320,9 @@ msgstr ""
msgid "Cannot modify managed Kubernetes cluster" msgid "Cannot modify managed Kubernetes cluster"
msgstr "" msgstr ""
msgid "Cannot render the image. Maximum character count (%{charLimit}) has been exceeded."
msgstr ""
msgid "Certificate" msgid "Certificate"
msgstr "" msgstr ""
......