Merge remote-tracking branch 'dev/master'

c3b0e5c0 · GitLab Release Tools Bot · f49ec613 · 60530366 · c3b0e5c0 · c3b0e5c0
Commit c3b0e5c0 authored Mar 17, 2021 by GitLab Release Tools Bot
4 changed files
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
 Please view this file on the master branch, on stable branches it's out of date.
+## 13.9.4 (2021-03-17)
+- No changes.
 ## 13.9.3 (2021-03-08)
 - No changes.
@@ -166,6 +170,10 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Review UI text - repo push rules settings. !52797
+## 13.8.6 (2021-03-17)
+- No changes.
 ## 13.8.5 (2021-03-04)
 - No changes.
@@ -312,6 +320,10 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Enable DevOps Adoption Report feature flag if any Segments already exist. !51602
+## 13.7.9 (2021-03-17)
+- No changes.
 ## 13.7.8 (2021-03-04)
 - No changes.

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 13.9.4 (2021-03-17)
+### Security (1 change)
+- Patch Kramdown syntax highlighter gem.
 ## 13.9.3 (2021-03-08)
 ### Fixed (4 changes)
@@ -610,6 +617,13 @@ entry.
 - Apply new GitLab UI for buttons in pipeline schedules.
+## 13.8.6 (2021-03-17)
+### Security (1 change)
+- Patch Kramdown syntax highlighter gem.
 ## 13.8.5 (2021-03-04)
 ### Security (6 changes)
@@ -1022,6 +1036,13 @@ entry.
 - Add verbiage + link sast to show it's in core. !51935
+## 13.7.9 (2021-03-17)
+### Security (1 change)
+- Patch Kramdown syntax highlighter gem.
 ## 13.7.8 (2021-03-04)
 ### Security (5 changes)

--- a/config/initializers/kramdown_patch.rb
+++ b/config/initializers/kramdown_patch.rb
+# frozen_string_literal: true
+#
+# This pulls in https://github.com/gettalong/kramdown/pull/708 for kramdown v2.3.0.
+# Remove this file when that pull request is merged and released.
+require 'kramdown/converter'
+require 'kramdown/converter/syntax_highlighter/rouge'
+module Kramdown::Converter::SyntaxHighlighter
+  module Rouge
+    def self.formatter_class(opts = {})
+      case formatter = opts[:formatter]
+      when Class
+        formatter
+      when /\A[[:upper:]][[:alnum:]_]*\z/
+        ::Rouge::Formatters.const_get(formatter, false)
+      else
+        # Available in Rouge 2.0 or later
+        ::Rouge::Formatters::HTMLLegacy
+      end
+    rescue NameError
+      # Fallback to Rouge 1.x
+      ::Rouge::Formatters::HTML
+    end
+  end
+end
--- a/spec/initializers/kramdown_patch_spec.rb
+++ b/spec/initializers/kramdown_patch_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'Kramdown patch for syntax highlighting formatters' do
+  subject { Kramdown::Document.new(options + "\n" + code).to_html }
+  let(:code) do
+    <<-RUBY
+~~~ ruby
+    def what?
+      42
+    end
+~~~
+    RUBY
+  end
+  context 'with invalid formatter' do
+    let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: CSV, line_numbers: true\\}" /}) }
+    it 'falls back to standard HTML and disallows CSV' do
+      expect(CSV).not_to receive(:new)
+      expect(::Rouge::Formatters::HTML).to receive(:new).and_call_original
+      expect(subject).to be_present
+    end
+  end
+  context 'with valid formatter' do
+    let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: HTMLLegacy\\}" /}) }
+    it 'allows formatter' do
+      expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original
+      expect(subject).to be_present
+    end
+  end
+end