Merge branch 'rs-data-links' into 'master'

Sanitize `data` and `vbscript` links Closes #13625 Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660 See merge request !2905

Merge branch 'rs-data-links' into 'master'
Sanitize `data` and `vbscript` links Closes #13625 Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660 See merge request !2905
cd391b66 · Douwe Maan · 2ea8f71b · 989946f3 · cd391b66 · cd391b66
Commit cd391b66 authored Feb 29, 2016 by Douwe Maan
Showing with 21 additions and 5 deletions

lib/banzai/filter/sanitization_filter.rb lib/banzai/filter/sanitization_filter.rb +6 -4

spec/lib/banzai/filter/sanitization_filter_spec.rb spec/lib/banzai/filter/sanitization_filter_spec.rb +15 -1

No files found.
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -7,6 +7,8 @@ module Banzai
    #
    # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
    class SanitizationFilter < HTML::Pipeline::SanitizationFilter
+      UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze
+
      def whitelist
        whitelist = super

@@ -43,8 +45,8 @@ module Banzai
        # Allow any protocol in `a` elements...
        whitelist[:protocols].delete('a')

-        # ...but then remove links with the `javascript` protocol
-        whitelist[:transformers].push(remove_javascript_links)
+        # ...but then remove links with unsafe protocols
+        whitelist[:transformers].push(remove_unsafe_links)

        # Remove `rel` attribute from `a` elements
        whitelist[:transformers].push(remove_rel)
@@ -55,14 +57,14 @@ module Banzai
        whitelist
      end

-      def remove_javascript_links
+      def remove_unsafe_links
        lambda do |env|
          node = env[:node]

          return unless node.name == 'a'
          return unless node.has_attribute?('href')

-          if node['href'].start_with?('javascript', ':javascript')
+          if node['href'].start_with?(*UNSAFE_PROTOCOLS)
            node.remove_attribute('href')
          end
        end

--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -156,13 +156,27 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
    }

    protocols.each do |name, data|
-      it "handles #{name}" do
+      it "disallows #{name}" do
        doc = filter(data[:input])

        expect(doc.to_html).to eq data[:output]
      end
    end

+    it 'disallows data links' do
+      input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
+    it 'disallows vbscript links' do
+      input = '<a href="vbscript:alert(document.domain)">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
    it 'allows non-standard anchor schemes' do
      exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
      act = filter(exp)