Commit 70c02bf3 authored by Alessio Caiazza's avatar Alessio Caiazza

Merge branch 'security-fj-bumping-sanitize-gem' into 'master'

[master] Update sanitize gem to 4.6.5 to fix HTML injection vulnerability

See merge request gitlab/gitlabhq!2399
parents 4605d27d 039b0c0d
...@@ -230,7 +230,7 @@ gem 'ruby-fogbugz', '~> 0.2.1' ...@@ -230,7 +230,7 @@ gem 'ruby-fogbugz', '~> 0.2.1'
gem 'kubeclient', '~> 3.1.0' gem 'kubeclient', '~> 3.1.0'
# Sanitize user input # Sanitize user input
gem 'sanitize', '~> 2.0' gem 'sanitize', '~> 4.6.5'
gem 'babosa', '~> 1.0.2' gem 'babosa', '~> 1.0.2'
# Sanitizes SVG input # Sanitizes SVG input
......
...@@ -295,13 +295,13 @@ GEM ...@@ -295,13 +295,13 @@ GEM
flowdock (~> 0.7) flowdock (~> 0.7)
gitlab-grit (>= 2.4.1) gitlab-grit (>= 2.4.1)
multi_json multi_json
gitlab-gollum-lib (4.2.7.4) gitlab-gollum-lib (4.2.7.5)
gemojione (~> 3.2) gemojione (~> 3.2)
github-markup (~> 1.6) github-markup (~> 1.6)
gollum-grit_adapter (~> 1.0) gollum-grit_adapter (~> 1.0)
nokogiri (>= 1.6.1, < 2.0) nokogiri (>= 1.6.1, < 2.0)
rouge (~> 3.1) rouge (~> 3.1)
sanitize (~> 2.1) sanitize (~> 4.6.4)
stringex (~> 2.6) stringex (~> 2.6)
gitlab-gollum-rugged_adapter (0.4.4.1) gitlab-gollum-rugged_adapter (0.4.4.1)
mime-types (>= 1.15) mime-types (>= 1.15)
...@@ -514,6 +514,8 @@ GEM ...@@ -514,6 +514,8 @@ GEM
netrc (0.11.0) netrc (0.11.0)
nokogiri (1.8.2) nokogiri (1.8.2)
mini_portile2 (~> 2.3.0) mini_portile2 (~> 2.3.0)
nokogumbo (1.5.0)
nokogiri
numerizer (0.1.1) numerizer (0.1.1)
oauth (0.5.4) oauth (0.5.4)
oauth2 (1.4.0) oauth2 (1.4.0)
...@@ -804,8 +806,10 @@ GEM ...@@ -804,8 +806,10 @@ GEM
et-orbi (~> 1.0) et-orbi (~> 1.0)
rugged (0.27.2) rugged (0.27.2)
safe_yaml (1.0.4) safe_yaml (1.0.4)
sanitize (2.1.0) sanitize (4.6.5)
crass (~> 1.0.2)
nokogiri (>= 1.4.4) nokogiri (>= 1.4.4)
nokogumbo (~> 1.4)
sass (3.5.5) sass (3.5.5)
sass-listen (~> 4.0.0) sass-listen (~> 4.0.0)
sass-listen (4.0.0) sass-listen (4.0.0)
...@@ -1151,7 +1155,7 @@ DEPENDENCIES ...@@ -1151,7 +1155,7 @@ DEPENDENCIES
ruby_parser (~> 3.8) ruby_parser (~> 3.8)
rufus-scheduler (~> 3.4) rufus-scheduler (~> 3.4)
rugged (~> 0.27) rugged (~> 0.27)
sanitize (~> 2.0) sanitize (~> 4.6.5)
sass-rails (~> 5.0.6) sass-rails (~> 5.0.6)
scss_lint (~> 0.56.0) scss_lint (~> 0.56.0)
seed-fu (~> 2.3.7) seed-fu (~> 2.3.7)
......
...@@ -298,13 +298,13 @@ GEM ...@@ -298,13 +298,13 @@ GEM
flowdock (~> 0.7) flowdock (~> 0.7)
gitlab-grit (>= 2.4.1) gitlab-grit (>= 2.4.1)
multi_json multi_json
gitlab-gollum-lib (4.2.7.4) gitlab-gollum-lib (4.2.7.5)
gemojione (~> 3.2) gemojione (~> 3.2)
github-markup (~> 1.6) github-markup (~> 1.6)
gollum-grit_adapter (~> 1.0) gollum-grit_adapter (~> 1.0)
nokogiri (>= 1.6.1, < 2.0) nokogiri (>= 1.6.1, < 2.0)
rouge (~> 3.1) rouge (~> 3.1)
sanitize (~> 2.1) sanitize (~> 4.6.4)
stringex (~> 2.6) stringex (~> 2.6)
gitlab-gollum-rugged_adapter (0.4.4.1) gitlab-gollum-rugged_adapter (0.4.4.1)
mime-types (>= 1.15) mime-types (>= 1.15)
...@@ -518,6 +518,8 @@ GEM ...@@ -518,6 +518,8 @@ GEM
nio4r (2.3.1) nio4r (2.3.1)
nokogiri (1.8.2) nokogiri (1.8.2)
mini_portile2 (~> 2.3.0) mini_portile2 (~> 2.3.0)
nokogumbo (1.5.0)
nokogiri
numerizer (0.1.1) numerizer (0.1.1)
oauth (0.5.4) oauth (0.5.4)
oauth2 (1.4.0) oauth2 (1.4.0)
...@@ -813,8 +815,10 @@ GEM ...@@ -813,8 +815,10 @@ GEM
et-orbi (~> 1.0) et-orbi (~> 1.0)
rugged (0.27.1) rugged (0.27.1)
safe_yaml (1.0.4) safe_yaml (1.0.4)
sanitize (2.1.0) sanitize (4.6.5)
crass (~> 1.0.2)
nokogiri (>= 1.4.4) nokogiri (>= 1.4.4)
nokogumbo (~> 1.4)
sass (3.5.5) sass (3.5.5)
sass-listen (~> 4.0.0) sass-listen (~> 4.0.0)
sass-listen (4.0.0) sass-listen (4.0.0)
...@@ -1162,7 +1166,7 @@ DEPENDENCIES ...@@ -1162,7 +1166,7 @@ DEPENDENCIES
ruby_parser (~> 3.8) ruby_parser (~> 3.8)
rufus-scheduler (~> 3.4) rufus-scheduler (~> 3.4)
rugged (~> 0.27) rugged (~> 0.27)
sanitize (~> 2.0) sanitize (~> 4.6.5)
sass-rails (~> 5.0.6) sass-rails (~> 5.0.6)
scss_lint (~> 0.56.0) scss_lint (~> 0.56.0)
seed-fu (~> 2.3.7) seed-fu (~> 2.3.7)
......
---
title: Update sanitize gem to 4.6.5 to fix HTML injection vulnerability
merge_request:
author:
type: security
...@@ -25,10 +25,11 @@ module Banzai ...@@ -25,10 +25,11 @@ module Banzai
# Only push these customizations once # Only push these customizations once
return if customized?(whitelist[:transformers]) return if customized?(whitelist[:transformers])
# Allow table alignment; we whitelist specific style properties in a # Allow table alignment; we whitelist specific text-align values in a
# transformer below # transformer below
whitelist[:attributes]['th'] = %w(style) whitelist[:attributes]['th'] = %w(style)
whitelist[:attributes]['td'] = %w(style) whitelist[:attributes]['td'] = %w(style)
whitelist[:css] = { properties: ['text-align'] }
# Allow span elements # Allow span elements
whitelist[:elements].push('span') whitelist[:elements].push('span')
......
...@@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do
expect(doc.at_css('td')['style']).to eq 'text-align: center' expect(doc.at_css('td')['style']).to eq 'text-align: center'
end end
it 'disallows `text-align` property in `style` attribute on other elements' do
html = <<~HTML
<div style="text-align: center">Text</div>
HTML
doc = filter(html)
expect(doc.at_css('div')['style']).to be_nil
end
it 'allows `span` elements' do it 'allows `span` elements' do
exp = act = %q{<span>Hello</span>} exp = act = %q{<span>Hello</span>}
expect(filter(act).to_html).to eq exp expect(filter(act).to_html).to eq exp
...@@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do
'protocol-based JS injection: spaces and entities' => { 'protocol-based JS injection: spaces and entities' => {
input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>', input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>',
output: '<a href="">foo</a>' output: '<a href>foo</a>'
}, },
'protocol whitespace' => { 'protocol whitespace' => {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment