Fix security issue in mermaid markdown

Add data attr to close issue link and avoid getting url from href which can be set via mermaid

Fix security issue in mermaid markdown
Add data attr to close issue link and avoid getting url from href which can be set via mermaid
1270e68c · sstern · d0064ea8 · 1270e68c · 1270e68c · 1270e68c
Commit 1270e68c authored Apr 15, 2020 by sstern
6 changed files
--- a/app/assets/javascripts/issue.js
+++ b/app/assets/javascripts/issue.js
@@ -108,7 +108,11 @@ export default class Issue {
        } else {
          this.disableCloseReopenButton($button);

-          const url = $button.attr('href');
+          const url = $button.data('close-reopen-url');
+          if (!url) {
+            return;
+          }
+
          return axios
            .put(url)
            .then(({ data }) => {

--- a/app/views/shared/issuable/_close_reopen_report_toggle.html.haml
+++ b/app/views/shared/issuable/_close_reopen_report_toggle.html.haml
@@ -11,7 +11,7 @@

 .float-left.btn-group.prepend-left-10.issuable-close-dropdown.droplab-dropdown.js-issuable-close-dropdown
  = link_to "#{display_button_action} #{display_issuable_type}", close_reopen_issuable_path(issuable),
-            method: button_method, class: "#{button_class} btn-#{button_action} #{(add_blocked_class ? 'btn-issue-blocked' : '')}", title: "#{display_button_action} #{display_issuable_type}", data: { qa_selector: 'close_issue_button' }
+            method: button_method, class: "#{button_class} btn-#{button_action} #{(add_blocked_class ? 'btn-issue-blocked' : '')}", title: "#{display_button_action} #{display_issuable_type}", data: { qa_selector: 'close_issue_button', 'close-reopen-url': close_reopen_issuable_path(issuable) }

  = button_tag type: 'button', class: "#{toggle_class} btn-#{button_action}-color",
               data: { 'dropdown-trigger' => '#issuable-close-menu' }, 'aria-label' => _('Toggle dropdown') do

--- a/changelogs/unreleased/security-fix-mermaid-issue.yml
+++ b/changelogs/unreleased/security-fix-mermaid-issue.yml
+---
+title: Disallow user to control PUT request using mermaid markdown in issue description
+merge_request:
+author:
+type: security
--- a/ee/app/views/projects/issues/_alert_blocked.html.haml
+++ b/ee/app/views/projects/issues/_alert_blocked.html.haml
@@ -10,6 +10,6 @@
      = _('This issue is currently blocked by the following issues: %{issues}.').html_safe % { issues: blocked_by_issues_links }
    .gl-alert-actions
      = link_to _("Yes, close issue"), close_issuable_path(issue), rel: 'nofollow', method: '',
-                class: "btn btn-close-anyway gl-alert-action btn-warning btn-md gl-button", title: _("Yes, close issue")
+                class: "btn btn-close-anyway gl-alert-action btn-warning btn-md gl-button", title: _("Yes, close issue"), 'data-close-reopen-url' => close_issuable_path(issue)
      %button.btn.gl-alert-action.btn-warning.btn-md.gl-button.btn-secondary
        = s_('Cancel')
--- a/spec/frontend/fixtures/static/issue_with_mermaid_graph.html
+++ b/spec/frontend/fixtures/static/issue_with_mermaid_graph.html
+<div class="description" updated-at="">
+  <div class="md issue-realtime-trigger-pulse">
+    <svg
+      id="mermaid-1587752414912"
+      width="100%"
+      xmlns="http://www.w3.org/2000/svg"
+      style="max-width: 185.35000610351562px;"
+      viewBox="0 0 185.35000610351562 50.5"
+      class="mermaid"
+    >
+      <g transform="translate(0, 0)">
+        <g class="output">
+          <g class="clusters"></g>
+          <g class="edgePaths"></g>
+          <g class="edgeLabels"></g>
+          <g class="nodes">
+            <g
+              class="node js-issuable-actions btn-close clickable"
+              style="opacity: 1;"
+              id="A"
+              transform="translate(92.67500305175781,25.25)"
+              title="click to PUT"
+            >
+              <a
+                class="js-issuable-actions btn-close clickable"
+                href="https://invalid"
+                rel="noopener"
+              >
+                <rect
+                  rx="0"
+                  ry="0"
+                  x="-84.67500305175781"
+                  y="-17.25"
+                  width="169.35000610351562"
+                  height="34.5"
+                  class="label-container"
+                ></rect>
+                <g class="label" transform="translate(0,0)">
+                  <g transform="translate(-74.67500305175781,-7.25)">
+                    <text style="">
+                      <tspan xml:space="preserve" dy="1em" x="1">Click to send a PUT request</tspan>
+                    </text>
+                  </g>
+                </g>
+              </a>
+            </g>
+          </g>
+        </g>
+      </g>
+      <text class="source" display="none">
+        Click to send a PUT request
+      </text>
+    </svg>
+  </div>
+  <textarea
+    data-update-url="/h5bp/html5-boilerplate/-/issues/35.json"
+    dir="auto"
+    class="hidden js-task-list-field"
+  ></textarea>
+  <div class="modal-open recaptcha-modal js-recaptcha-modal" style="display: none;">
+    <div role="dialog" tabindex="-1" class="modal d-block">
+      <div role="document" class="modal-dialog">
+        <div class="modal-content">
+          <div class="modal-header">
+            <h4 class="modal-title float-left">Please solve the reCAPTCHA</h4>
+            <button type="button" data-dismiss="modal" aria-label="Close" class="close float-right">
+              <span aria-hidden="true">×</span>
+            </button>
+          </div>
+          <div class="modal-body">
+            <div>
+              <p>We want to be sure it is you, please confirm you are not a robot.</p>
+              <div></div>
+            </div>
+          </div>
+          <!---->
+        </div>
+      </div>
+    </div>
+    <div class="modal-backdrop fade show"></div>
+  </div>
+</div>
--- a/spec/frontend/issue_spec.js
+++ b/spec/frontend/issue_spec.js
@@ -18,6 +18,7 @@ describe('Issue', () => {
  preloadFixtures('issues/closed-issue.html');
  preloadFixtures('issues/issue-with-task-list.html');
  preloadFixtures('issues/open-issue.html');
+  preloadFixtures('static/issue_with_mermaid_graph.html');

  function expectErrorMessage() {
    const $flashMessage = $('div.flash-alert');
@@ -228,4 +229,30 @@ describe('Issue', () => {
      });
    });
  });
+
+  describe('when not displaying blocked warning', () => {
+    describe('when clicking a mermaid graph inside an issue description', () => {
+      let mock;
+      let spy;
+
+      beforeEach(() => {
+        loadFixtures('static/issue_with_mermaid_graph.html');
+        mock = new MockAdapter(axios);
+        spy = jest.spyOn(axios, 'put');
+      });
+
+      afterEach(() => {
+        mock.restore();
+        jest.clearAllMocks();
+      });
+
+      it('does not make a PUT request', () => {
+        Issue.prototype.initIssueBtnEventListeners();
+
+        $('svg a.js-issuable-actions').trigger('click');
+
+        expect(spy).not.toHaveBeenCalled();
+      });
+    });
+  });
 });