Whitelist pages in mermaid rendering

Changelog: fixed

Whitelist pages in mermaid rendering
Changelog: fixed
e1a4b221 · Rajat Jain · 9728d78a · e1a4b221 · e1a4b221
Commit e1a4b221 authored Jun 03, 2021 by Rajat Jain
Showing with 56 additions and 5 deletions

app/assets/javascripts/behaviors/markdown/render_mermaid.js app/assets/javascripts/behaviors/markdown/render_mermaid.js +26 -5

spec/features/markdown/mermaid_spec.rb spec/features/markdown/mermaid_spec.rb +30 -0

No files found.
--- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
@@ -30,6 +30,24 @@ let renderedMermaidBlocks = 0;

 let mermaidModule = {};

+// Whitelist pages where we won't impose any restrictions
+// on mermaid rendering
+const WHITELISTED_PAGES = [
+  // Group wiki
+  'groups:wikis:show',
+  'groups:wikis:edit',
+  'groups:wikis:create',
+
+  // Project wiki
+  'projects:wikis:show',
+  'projects:wikis:edit',
+  'projects:wikis:create',
+
+  // Project files
+  'projects:show',
+  'projects:blob:show',
+];
+
 export function initMermaid(mermaid) {
  let theme = 'neutral';

@@ -120,8 +138,10 @@ function renderMermaidEl(el) {
 function renderMermaids($els) {
  if (!$els.length) return;

+  const pageName = document.querySelector('body').dataset.page;
+
  // A diagram may have been truncated in search results which will cause errors, so abort the render.
-  if (document.querySelector('body').dataset.page === 'search:show') return;
+  if (pageName === 'search:show') return;

  importMermaidModule()
    .then(() => {
@@ -140,10 +160,11 @@ function renderMermaids($els) {
         * up the entire thread and causing a DoS.
         */
        if (
-          (source && source.length > MAX_CHAR_LIMIT) ||
-          renderedChars > MAX_CHAR_LIMIT ||
-          renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT ||
-          shouldLazyLoadMermaidBlock(source)
+          !WHITELISTED_PAGES.includes(pageName) &&
+          ((source && source.length > MAX_CHAR_LIMIT) ||
+            renderedChars > MAX_CHAR_LIMIT ||
+            renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT ||
+            shouldLazyLoadMermaidBlock(source))
        ) {
          const html = `
          <div class="alert gl-alert gl-alert-warning alert-dismissible lazy-render-mermaid-container js-lazy-render-mermaid-container fade show" role="alert">

--- a/spec/features/markdown/mermaid_spec.rb
+++ b/spec/features/markdown/mermaid_spec.rb
@@ -200,6 +200,36 @@ RSpec.describe 'Mermaid rendering', :js do
      expect(page).to have_selector('.js-lazy-render-mermaid-container')
    end
  end
+
+  it 'renders without any limits on wiki page', :js do
+    graph_edges = "A-->B;B-->A;"
+
+    description = <<~MERMAID
+    ```mermaid
+    graph LR
+    #{graph_edges}
+    ```
+    MERMAID
+
+    description *= 51
+
+    project = create(:project, :public)
+
+    wiki_page = build(:wiki_page, { container: project, content: description })
+    wiki_page.create message: 'mermaid test commit' # rubocop:disable Rails/SaveBang
+    wiki_page = project.wiki.find_page(wiki_page.slug)
+
+    visit project_wiki_path(project, wiki_page)
+
+    wait_for_requests
+    wait_for_mermaid
+
+    page.within('.js-wiki-page-content') do
+      expect(page).not_to have_selector('.lazy-alert-shown')
+
+      expect(page).not_to have_selector('.js-lazy-render-mermaid-container')
+    end
+  end
 end

 def wait_for_mermaid