Fix XSS in Banzai's `#data_attributes_for`

We were allowing users to store XSS in `#data_attributes_for` by not dealing with HTML Entities. We now escape HTML entities out, thus fixing the problem.

Fix XSS in Banzai's `#data_attributes_for`
We were allowing users to store XSS in `#data_attributes_for` by not dealing with HTML Entities. We now escape HTML entities out, thus fixing the problem.
aa0e9b33 · Mario de la Ossa · 7afb0295 · aa0e9b33 · aa0e9b33 · aa0e9b33
Commit aa0e9b33 authored May 29, 2020 by Mario de la Ossa
7 changed files
--- a/changelogs/unreleased/security-150-xss-reference-redactor.yml
+++ b/changelogs/unreleased/security-150-xss-reference-redactor.yml
+---
+title: Fix stored XSS in markdown renderer
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/banzai/filter/epic_reference_filter.rb
+++ b/ee/lib/ee/banzai/filter/epic_reference_filter.rb
@@ -30,7 +30,7 @@ module EE

        def data_attributes_for(text, group, object, link_content: false, link_reference: false)
          {
-            original:       text,
+            original:       escape_html_entities(text),
            link:           link_content,
            link_reference: link_reference,
            group:          group.id,

--- a/ee/spec/lib/banzai/filter/epic_reference_filter_spec.rb
+++ b/ee/spec/lib/banzai/filter/epic_reference_filter_spec.rb
@@ -62,7 +62,7 @@ RSpec.describe Banzai::Filter::EpicReferenceFilter do
      link = doc.css('a').first

      expect(link).to have_attribute('data-original')
-      expect(link.attr('data-original')).to eq(reference)
+      expect(link.attr('data-original')).to eq(CGI.escapeHTML(reference))
    end

    it 'ignores invalid epic IIDs' do

--- a/lib/banzai/filter/abstract_reference_filter.rb
+++ b/lib/banzai/filter/abstract_reference_filter.rb
@@ -253,7 +253,7 @@ module Banzai
        object_parent_type = parent.is_a?(Group) ? :group : :project

        {
-          original:             text,
+          original:             escape_html_entities(text),
          link:                 link_content,
          link_reference:       link_reference,
          object_parent_type => parent.id,

--- a/lib/gitlab/markdown_cache.rb
+++ b/lib/gitlab/markdown_cache.rb
@@ -3,7 +3,7 @@
 module Gitlab
  module MarkdownCache
    # Increment this number every time the renderer changes its output
-    CACHE_COMMONMARK_VERSION        = 22
+    CACHE_COMMONMARK_VERSION        = 23
    CACHE_COMMONMARK_VERSION_START  = 10

    BaseError = Class.new(StandardError)

--- a/spec/lib/banzai/filter/abstract_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/abstract_reference_filter_spec.rb
@@ -20,6 +20,18 @@ RSpec.describe Banzai::Filter::AbstractReferenceFilter do
    end
  end

+  describe '#data_attributes_for' do
+    let_it_be(:issue) { create(:issue, project: project) }
+
+    it 'is not an XSS vector' do
+      allow(described_class).to receive(:object_class).and_return(Issue)
+
+      data_attributes = filter.data_attributes_for('xss &lt;img onerror=alert(1) src=x&gt;', project, issue, link_content: true)
+
+      expect(data_attributes[:original]).to eq('xss &amp;lt;img onerror=alert(1) src=x&amp;gt;')
+    end
+  end
+
  describe '#parent_per_reference' do
    it 'returns a Hash containing projects grouped per parent paths' do
      expect(filter).to receive(:references_per_parent)

--- a/spec/lib/banzai/pipeline/full_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/full_pipeline_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Banzai::Pipeline::FullPipeline do
    it 'escapes the data-original attribute on a reference' do
      markdown = %Q{[">bad things](#{issue.to_reference})}
      result = described_class.to_html(markdown, project: project)
-      expect(result).to include(%{data-original='\"&gt;bad things'})
+      expect(result).to include(%{data-original='\"&amp;gt;bad things'})
    end
  end