Commit 182bbc09 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security/sh-mermaid-avoid-html-injection' into 'master'

Fix XSS in Mermaid Markdown rendering

See merge request gitlab-org/security/gitlab!1466
parents 44a8f67b 7ba708f3
...@@ -66,6 +66,7 @@ export function initMermaid(mermaid) { ...@@ -66,6 +66,7 @@ export function initMermaid(mermaid) {
useMaxWidth: true, useMaxWidth: true,
htmlLabels: true, htmlLabels: true,
}, },
secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize', 'htmlLabels'],
securityLevel: 'strict', securityLevel: 'strict',
}); });
......
...@@ -260,8 +260,6 @@ RSpec.describe 'Mermaid rendering', :js do ...@@ -260,8 +260,6 @@ RSpec.describe 'Mermaid rendering', :js do
description *= 51 description *= 51
project = create(:project, :public)
wiki_page = build(:wiki_page, { container: project, content: description }) wiki_page = build(:wiki_page, { container: project, content: description })
wiki_page.create message: 'mermaid test commit' # rubocop:disable Rails/SaveBang wiki_page.create message: 'mermaid test commit' # rubocop:disable Rails/SaveBang
wiki_page = project.wiki.find_page(wiki_page.slug) wiki_page = project.wiki.find_page(wiki_page.slug)
...@@ -277,6 +275,27 @@ RSpec.describe 'Mermaid rendering', :js do ...@@ -277,6 +275,27 @@ RSpec.describe 'Mermaid rendering', :js do
expect(page).not_to have_selector('.js-lazy-render-mermaid-container') expect(page).not_to have_selector('.js-lazy-render-mermaid-container')
end end
end end
it 'does not allow HTML injection' do
description = <<~MERMAID
```mermaid
%%{init: {"flowchart": {"htmlLabels": "false"}} }%%
flowchart
A["<iframe></iframe>"]
```
MERMAID
issue = create(:issue, project: project, description: description)
visit project_issue_path(project, issue)
wait_for_requests
wait_for_mermaid
page.within('.description') do
expect(page).not_to have_xpath("//iframe")
end
end
end end
def wait_for_mermaid def wait_for_mermaid
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment