Sanitize output by dependency linkers

When there are URLs defined in some dependency file (e.g. Gemfile, gemspec, etc), they get converted to links. We are not sanitizing it so if some `javascript:` code is added as a URL, it can cause XSS vulnerability.

Sanitize output by dependency linkers
When there are URLs defined in some dependency file (e.g. Gemfile, gemspec, etc), they get converted to links. We are not sanitizing it so if some `javascript:` code is added as a URL, it can cause XSS vulnerability.
17015e66 · Patrick Bajao · edece6f7 · 17015e66 · 17015e66 · 17015e66
Commit 17015e66 authored Jan 28, 2020 by Patrick Bajao
3 changed files
--- a/changelogs/unreleased/security-pb-fix-xss-dependency-link.yml
+++ b/changelogs/unreleased/security-pb-fix-xss-dependency-link.yml
+---
+title: Sanitize output by dependency linkers
+merge_request:
+author:
+type: security
--- a/lib/gitlab/dependency_linker/base_linker.rb
+++ b/lib/gitlab/dependency_linker/base_linker.rb
@@ -7,6 +7,8 @@ module Gitlab
      GIT_INVALID_URL_REGEX = /^git\+#{URL_REGEX}/.freeze
      REPO_REGEX = %r{[^/'" ]+/[^/'" ]+}.freeze

+      include ActionView::Helpers::SanitizeHelper
+
      class_attribute :file_type

      def self.support?(blob_name)
@@ -62,7 +64,10 @@ module Gitlab
      end

      def link_tag(name, url)
-        %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}.html_safe
+        sanitize(
+          %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>},
+          attributes: %w[href rel target]
+        )
      end

      # Links package names based on regex.

--- a/spec/lib/gitlab/dependency_linker/base_linker_spec.rb
+++ b/spec/lib/gitlab/dependency_linker/base_linker_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::DependencyLinker::BaseLinker do
+  let(:linker_class) do
+    Class.new(described_class) do
+      def link_dependencies
+        link_regex(%r{^(?<name>https?://[^ ]+)}, &:itself)
+      end
+    end
+  end
+
+  let(:plain_content) do
+    <<~CONTENT
+      http://\\njavascript:alert(1)
+      https://gitlab.com/gitlab-org/gitlab
+    CONTENT
+  end
+
+  let(:highlighted_content) do
+    <<~CONTENT
+      <span><span>http://</span><span>\\n</span><span>javascript:alert(1)</span></span>
+      <span><span>https://gitlab.com/gitlab-org/gitlab</span></span>
+    CONTENT
+  end
+
+  let(:linker) { linker_class.new(plain_content, highlighted_content) }
+
+  describe '#link' do
+    subject { linker.link }
+
+    it 'only converts valid links' do
+      expect(subject).to eq(
+        <<~CONTENT
+          <span><span>#{link('http://')}</span><span>#{link('\n', url: '%5Cn')}</span><span>#{link('javascript:alert(1)', url: nil)}</span></span>
+          <span><span>#{link('https://gitlab.com/gitlab-org/gitlab')}</span></span>
+        CONTENT
+      )
+    end
+  end
+
+  def link(text, url: text)
+    attrs = [
+      'rel="nofollow noreferrer noopener"',
+      'target="_blank"'
+    ]
+
+    attrs.unshift(%{href="#{url}"}) if url
+
+    %{<a #{attrs.join(' ')}>#{text}</a>}
+  end
+end