Commit c45c64ce authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix-project-existence-disclosure-master' into 'master'

Fix url redaction for issue links

See merge request gitlab/gitlabhq!3091
parents 4dc442f1 b0fbf001
---
title: Fix url redaction for issue links
merge_request:
author:
type: security
...@@ -70,8 +70,11 @@ module Banzai ...@@ -70,8 +70,11 @@ module Banzai
# Build the raw <a> tag just with a link as href and content if # Build the raw <a> tag just with a link as href and content if
# it's originally a link pattern. We shouldn't return a plain text href. # it's originally a link pattern. We shouldn't return a plain text href.
original_link = original_link =
if link_reference == 'true' && href = original_content if link_reference == 'true'
%(<a href="#{href}">#{href}</a>) href = node.attr('href')
content = original_content
%(<a href="#{href}">#{content}</a>)
end end
# The reference should be replaced by the original link's content, # The reference should be replaced by the original link's content,
......
...@@ -13,10 +13,10 @@ describe Banzai::Redactor do ...@@ -13,10 +13,10 @@ describe Banzai::Redactor do
it 'redacts an array of documents' do it 'redacts an array of documents' do
doc1 = Nokogiri::HTML doc1 = Nokogiri::HTML
.fragment('<a class="gfm" data-reference-type="issue">foo</a>') .fragment('<a class="gfm" href="https://www.gitlab.com" data-reference-type="issue">foo</a>')
doc2 = Nokogiri::HTML doc2 = Nokogiri::HTML
.fragment('<a class="gfm" data-reference-type="issue">bar</a>') .fragment('<a class="gfm" href="https://www.gitlab.com" data-reference-type="issue">bar</a>')
redacted_data = redactor.redact([doc1, doc2]) redacted_data = redactor.redact([doc1, doc2])
...@@ -27,7 +27,7 @@ describe Banzai::Redactor do ...@@ -27,7 +27,7 @@ describe Banzai::Redactor do
end end
it 'replaces redacted reference with inner HTML' do it 'replaces redacted reference with inner HTML' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue'>foo</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue'>foo</a>")
redactor.redact([doc]) redactor.redact([doc])
expect(doc.to_html).to eq('foo') expect(doc.to_html).to eq('foo')
end end
...@@ -35,20 +35,24 @@ describe Banzai::Redactor do ...@@ -35,20 +35,24 @@ describe Banzai::Redactor do
context 'when data-original attribute provided' do context 'when data-original attribute provided' do
let(:original_content) { '<code>foo</code>' } let(:original_content) { '<code>foo</code>' }
it 'replaces redacted reference with original content' do it 'replaces redacted reference with original content' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue' data-original='#{original_content}'>bar</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-original='#{original_content}'>bar</a>")
redactor.redact([doc]) redactor.redact([doc])
expect(doc.to_html).to eq(original_content) expect(doc.to_html).to eq(original_content)
end end
end
it 'returns <a> tag with original href if it is originally a link reference' do
href = 'http://localhost:3000'
doc = Nokogiri::HTML
.fragment("<a class='gfm' data-reference-type='issue' data-original=#{href} data-link-reference='true'>#{href}</a>")
it 'does not replace redacted reference with original content if href is given' do
html = "<a href='https://www.gitlab.com' data-link-reference='true' class='gfm' data-reference-type='issue' data-reference-type='issue' data-original='Marge'>Marge</a>"
doc = Nokogiri::HTML.fragment(html)
redactor.redact([doc]) redactor.redact([doc])
expect(doc.to_html).to eq('<a href="https://www.gitlab.com">Marge</a>')
end
expect(doc.to_html).to eq('<a href="http://localhost:3000">http://localhost:3000</a>') it 'uses the original content as the link content if given' do
html = "<a href='https://www.gitlab.com' data-link-reference='true' class='gfm' data-reference-type='issue' data-reference-type='issue' data-original='Homer'>Marge</a>"
doc = Nokogiri::HTML.fragment(html)
redactor.redact([doc])
expect(doc.to_html).to eq('<a href="https://www.gitlab.com">Homer</a>')
end
end end
end end
...@@ -61,7 +65,7 @@ describe Banzai::Redactor do ...@@ -61,7 +65,7 @@ describe Banzai::Redactor do
end end
it 'redacts an issue attached' do it 'redacts an issue attached' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue' data-issue='#{issue.id}'>foo</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-issue='#{issue.id}'>foo</a>")
redactor.redact([doc]) redactor.redact([doc])
...@@ -69,7 +73,7 @@ describe Banzai::Redactor do ...@@ -69,7 +73,7 @@ describe Banzai::Redactor do
end end
it 'redacts an external issue' do it 'redacts an external issue' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue' data-external-issue='#{issue.id}' data-project='#{project.id}'>foo</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-external-issue='#{issue.id}' data-project='#{project.id}'>foo</a>")
redactor.redact([doc]) redactor.redact([doc])
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment