Commit 8649d1fc authored by Robert Speicher's avatar Robert Speicher

Merge branch 'rs-issue-36098' into 'security-9-5'

[9.5] Limit `style` attribute on `th` and `td` elements to specific properties

See merge request gitlab/gitlabhq!2155
parents fc2f48ac 228cf4f6
---
title: Disallow arbitrary properties in `th` and `td` `style` attributes
merge_request:
author:
...@@ -5,6 +5,7 @@ module Banzai ...@@ -5,6 +5,7 @@ module Banzai
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist. # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter class SanitizationFilter < HTML::Pipeline::SanitizationFilter
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/
def whitelist def whitelist
whitelist = super whitelist = super
...@@ -24,7 +25,8 @@ module Banzai ...@@ -24,7 +25,8 @@ module Banzai
# Only push these customizations once # Only push these customizations once
return if customized?(whitelist[:transformers]) return if customized?(whitelist[:transformers])
# Allow table alignment # Allow table alignment; we whitelist specific style properties in a
# transformer below
whitelist[:attributes]['th'] = %w(style) whitelist[:attributes]['th'] = %w(style)
whitelist[:attributes]['td'] = %w(style) whitelist[:attributes]['td'] = %w(style)
...@@ -55,6 +57,9 @@ module Banzai ...@@ -55,6 +57,9 @@ module Banzai
# Remove `rel` attribute from `a` elements # Remove `rel` attribute from `a` elements
whitelist[:transformers].push(self.class.remove_rel) whitelist[:transformers].push(self.class.remove_rel)
# Remove any `style` properties not required for table alignment
whitelist[:transformers].push(self.class.remove_unsafe_table_style)
whitelist whitelist
end end
...@@ -84,6 +89,21 @@ module Banzai ...@@ -84,6 +89,21 @@ module Banzai
end end
end end
end end
def remove_unsafe_table_style
lambda do |env|
node = env[:node]
return unless node.name == 'th' || node.name == 'td'
return unless node.has_attribute?('style')
if node['style'] =~ TABLE_ALIGNMENT_PATTERN
node['style'] = "text-align: #{$~[:alignment]}"
else
node.remove_attribute('style')
end
end
end
end end
end end
end end
......
...@@ -49,7 +49,7 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -49,7 +49,7 @@ describe Banzai::Filter::SanitizationFilter do
instance = described_class.new('Foo') instance = described_class.new('Foo')
3.times { instance.whitelist } 3.times { instance.whitelist }
expect(instance.whitelist[:transformers].size).to eq 4 expect(instance.whitelist[:transformers].size).to eq 5
end end
it 'sanitizes `class` attribute from all elements' do it 'sanitizes `class` attribute from all elements' do
...@@ -63,8 +63,8 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -63,8 +63,8 @@ describe Banzai::Filter::SanitizationFilter do
expect(filter(act).to_html).to eq %q{<span>def</span>} expect(filter(act).to_html).to eq %q{<span>def</span>}
end end
it 'allows `style` attribute on table elements' do it 'allows `text-align` property in `style` attribute on table elements' do
html = <<-HTML.strip_heredoc html = <<~HTML
<table> <table>
<tr><th style="text-align: center">Head</th></tr> <tr><th style="text-align: center">Head</th></tr>
<tr><td style="text-align: right">Body</th></tr> <tr><td style="text-align: right">Body</th></tr>
...@@ -77,6 +77,20 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -77,6 +77,20 @@ describe Banzai::Filter::SanitizationFilter do
expect(doc.at_css('td')['style']).to eq 'text-align: right' expect(doc.at_css('td')['style']).to eq 'text-align: right'
end end
it 'disallows other properties in `style` attribute on table elements' do
html = <<~HTML
<table>
<tr><th style="text-align: foo">Head</th></tr>
<tr><td style="position: fixed; height: 50px; width: 50px; background: red; z-index: 999; font-size: 36px; text-align: center">Body</th></tr>
</table>
HTML
doc = filter(html)
expect(doc.at_css('th')['style']).to be_nil
expect(doc.at_css('td')['style']).to eq 'text-align: center'
end
it 'allows `span` elements' do it 'allows `span` elements' do
exp = act = %q{<span>Hello</span>} exp = act = %q{<span>Hello</span>}
expect(filter(act).to_html).to eq exp expect(filter(act).to_html).to eq exp
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment