Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

ee/app/models/ee/epic.rb

@@ -107,6 +107,10 @@ module EE
         end
       end
 
+      def reference_valid?(reference)
+        reference.to_i > 0 && reference.to_i <= ::Gitlab::Database::MAX_INT_VALUE
+      end
+
       def link_reference_pattern
         %r{
           (?<url>

ee/changelogs/unreleased/security-60143-address-xss-issue-in-wiki-links.yml

+---
+title: Filter relative links in wiki for XSS
+merge_request:
+author:
+type: security

ee/spec/lib/banzai/filter/epic_reference_filter_spec.rb

@@ -69,6 +69,12 @@ describe Banzai::Filter::EpicReferenceFilter do
       expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
     end
 
+    it 'ignores out of range epic IDs' do
+      text = "Check &1161452270761535925900804973910297"
+
+      expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
+    end
+
     it 'does not process links containing epic numbers followed by text' do
       href = "#{reference}st"
       link = doc("<a href='#{href}'></a>").css('a').first.attr('href')

lib/banzai/filter/wiki_link_filter/rewriter.rb

@@ -4,6 +4,8 @@ module Banzai
   module Filter
     class WikiLinkFilter < HTML::Pipeline::Filter
       class Rewriter
+        UNSAFE_SLUG_REGEXES = [/\Ajavascript:/i].freeze
+
         def initialize(link_string, wiki:, slug:)
           @uri = Addressable::URI.parse(link_string)
           @wiki_base_path = wiki && wiki.wiki_base_path
@@ -35,6 +37,8 @@ module Banzai
 
         # Of the form `./link`, `../link`, or similar
         def apply_hierarchical_link_rules!
+          return if slug_considered_unsafe?
+
           @uri = Addressable::URI.join(@slug, @uri) if @uri.to_s[0] == '.'
         end
 
@@ -54,6 +58,10 @@ module Banzai
         def repository_upload?
           @uri.relative? && @uri.path.starts_with?(Wikis::CreateAttachmentService::ATTACHMENT_PATH)
         end
+
+        def slug_considered_unsafe?
+          !!UNSAFE_SLUG_REGEXES.detect { |r| r.match?(@slug) }
+        end
       end
     end
   end

spec/lib/banzai/filter/wiki_link_filter_spec.rb

@@ -70,5 +70,47 @@ describe Banzai::Filter::WikiLinkFilter do
         expect(filtered_link.attribute('href').value).to eq(invalid_link)
       end
     end
+
+    context "when the slug is deemed unsafe or invalid" do
+      let(:link) { "alert(1);" }
+
+      invalid_slugs = [
+        "javascript:",
+        "JaVaScRiPt:",
+        "\u0001java\u0003script:",
+        "javascript    :",
+        "javascript:    ",
+        "javascript    :   ",
+        ":javascript:",
+        "javascript:",
+        "javascript:",
+        "javascript:",
+        "javascript:",
+        "java\0script:",
+        "   javascript:"
+      ]
+
+      invalid_slugs.each do |slug|
+        context "with the slug #{slug}" do
+          it "doesn't rewrite a (.) relative link" do
+            filtered_link = filter(
+              "<a href='.#{link}'>Link</a>",
+              project_wiki: wiki,
+              page_slug: slug).children[0]
+
+            expect(filtered_link.attribute('href').value).not_to include(slug)
+          end
+
+          it "doesn't rewrite a (..) relative link" do
+            filtered_link = filter(
+              "<a href='..#{link}'>Link</a>",
+              project_wiki: wiki,
+              page_slug: slug).children[0]
+
+            expect(filtered_link.attribute('href').value).not_to include(slug)
+          end
+        end
+      end
+    end
   end
 end