Prevent XSS on notebooks

Prevented the use of data attributes for notebooks. Changelog: security

Prevent XSS on notebooks
Prevented the use of data attributes for notebooks. Changelog: security
1f23ad42 · jerasmus · 6b4679d8 · 1f23ad42 · 1f23ad42
Commit 1f23ad42 authored Apr 26, 2021 by jerasmus
Showing with 13 additions and 1 deletion

app/assets/javascripts/notebook/cells/markdown.vue app/assets/javascripts/notebook/cells/markdown.vue +1 -0

spec/frontend/notebook/cells/markdown_spec.js spec/frontend/notebook/cells/markdown_spec.js +12 -1

No files found.
--- a/app/assets/javascripts/notebook/cells/markdown.vue
+++ b/app/assets/javascripts/notebook/cells/markdown.vue
@@ -195,6 +195,7 @@ export default {
          'var',
        ],
        ALLOWED_ATTR: ['class', 'style', 'href', 'src'],
+        ALLOW_DATA_ATTR: false,
      });
    },
  },

--- a/spec/frontend/notebook/cells/markdown_spec.js
+++ b/spec/frontend/notebook/cells/markdown_spec.js
@@ -39,7 +39,7 @@ describe('Markdown component', () => {
    expect(vm.$el.querySelector('.markdown h1')).not.toBeNull();
  });

-  it('sanitizes output', async () => {
+  it('sanitizes Markdown output', async () => {
    Object.assign(cell, {
      source: [
        '[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Cg==)\n',
@@ -50,6 +50,17 @@ describe('Markdown component', () => {
    expect(vm.$el.querySelector('a').getAttribute('href')).toBeNull();
  });

+  it('sanitizes HTML', async () => {
+    const findLink = () => vm.$el.querySelector('.xss-link');
+    Object.assign(cell, {
+      source: ['<a href="test.js" data-remote=true data-type="script" class="xss-link">XSS</a>\n'],
+    });
+
+    await vm.$nextTick();
+    expect(findLink().getAttribute('data-remote')).toBe(null);
+    expect(findLink().getAttribute('data-type')).toBe(null);
+  });
+
  describe('tables', () => {
    beforeEach(() => {
      json = getJSONFixture('blob/notebook/markdown-table.json');