Merge branch 'security-master-url-rel' into 'master'

[master] Set URL rel attribute for broken URLs See merge request gitlab/gitlabhq!2695

Merge branch 'security-master-url-rel' into 'master'
[master] Set URL rel attribute for broken URLs See merge request gitlab/gitlabhq!2695
e035e469 · John Jarvis · 1bc6dc28 · 08bfec57 · e035e469 · e035e469
Commit e035e469 authored Jan 02, 2019 by John Jarvis
3 changed files
--- a/changelogs/unreleased/security-master-url-rel.yml
+++ b/changelogs/unreleased/security-master-url-rel.yml
+---
+title: Set URL rel attribute for broken URLs.
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/external_link_filter.rb
+++ b/lib/banzai/filter/external_link_filter.rb
@@ -9,11 +9,10 @@ module Banzai
      def call
        links.each do |node|
          uri = uri(node['href'].to_s)
-          next unless uri
-          node.set_attribute('href', uri.to_s)
+          node.set_attribute('href', uri.to_s) if uri
-          if SCHEMES.include?(uri.scheme) && external_url?(uri)
+          if SCHEMES.include?(uri&.scheme) && !internal_url?(uri)
            node.set_attribute('rel', 'nofollow noreferrer noopener')
            node.set_attribute('target', '_blank')
          end
@@ -35,11 +34,12 @@ module Banzai
        doc.xpath(query)
      end
-      def external_url?(uri)
+      def internal_url?(uri)
+        return false if uri.nil?
        # Relative URLs miss a hostname
-        return false unless uri.hostname
+        return true unless uri.hostname
-        uri.hostname != internal_url.hostname
+        uri.hostname == internal_url.hostname
      end
      def internal_url

--- a/spec/lib/banzai/filter/external_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/external_link_filter_spec.rb
@@ -49,16 +49,16 @@ describe Banzai::Filter::ExternalLinkFilter do
  end
  context 'for invalid urls' do
-    it 'skips broken hrefs' do
+    it 'adds rel and target attributes to broken hrefs' do
      doc = filter %q(<p><a href="don't crash on broken urls">Google</a></p>)
-      expected = %q(<p><a href="don't%20crash%20on%20broken%20urls">Google</a></p>)
+      expected = %q(<p><a href="don't%20crash%20on%20broken%20urls" rel="nofollow noreferrer noopener" target="_blank">Google</a></p>)
      expect(doc.to_html).to eq(expected)
    end
-    it 'skips improperly formatted mailtos' do
+    it 'adds rel and target to improperly formatted mailtos' do
      doc = filter %q(<p><a href="mailto://jblogs@example.com">Email</a></p>)
-      expected = %q(<p><a href="mailto://jblogs@example.com">Email</a></p>)
+      expected = %q(<p><a href="mailto://jblogs@example.com" rel="nofollow noreferrer noopener" target="_blank">Email</a></p>)
      expect(doc.to_html).to eq(expected)
    end