Commit b7204098 authored by Patrick Derichs's avatar Patrick Derichs

Fix invalid byte sequence for uploads links

parent f93f3565
---
title: Fix 500 error caused by invalid byte sequences in uploads links
merge_request:
author:
type: security
...@@ -116,7 +116,7 @@ module Banzai ...@@ -116,7 +116,7 @@ module Banzai
end end
def process_link_to_upload_attr(html_attr) def process_link_to_upload_attr(html_attr)
path_parts = [Addressable::URI.unescape(html_attr.value)] path_parts = [unescape_and_scrub_uri(html_attr.value)]
if project if project
path_parts.unshift(relative_url_root, project.full_path) path_parts.unshift(relative_url_root, project.full_path)
...@@ -172,7 +172,7 @@ module Banzai ...@@ -172,7 +172,7 @@ module Banzai
end end
def cleaned_file_path(uri) def cleaned_file_path(uri)
Addressable::URI.unescape(uri.path).scrub.delete("\0").chomp("/") unescape_and_scrub_uri(uri.path).delete("\0").chomp("/")
end end
def relative_file_path(uri) def relative_file_path(uri)
...@@ -184,7 +184,7 @@ module Banzai ...@@ -184,7 +184,7 @@ module Banzai
def request_path def request_path
return unless context[:requested_path] return unless context[:requested_path]
Addressable::URI.unescape(context[:requested_path]).chomp("/") unescape_and_scrub_uri(context[:requested_path]).chomp("/")
end end
# Convert a relative path into its correct location based on the currently # Convert a relative path into its correct location based on the currently
...@@ -266,6 +266,12 @@ module Banzai ...@@ -266,6 +266,12 @@ module Banzai
def repository def repository
@repository ||= project&.repository @repository ||= project&.repository
end end
private
def unescape_and_scrub_uri(uri)
Addressable::URI.unescape(uri).scrub
end
end end
end end
end end
...@@ -128,6 +128,15 @@ describe Banzai::Filter::RelativeLinkFilter do ...@@ -128,6 +128,15 @@ describe Banzai::Filter::RelativeLinkFilter do
expect { filter(act) }.not_to raise_error expect { filter(act) }.not_to raise_error
end end
it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in uploads' do
act = link("/uploads/%FF")
expect { filter(act) }.not_to raise_error
end
it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in context requested path' do
expect { filter(link("files/test.md"), requested_path: '%FF') }.not_to raise_error
end
it 'does not raise an exception with a garbled path' do it 'does not raise an exception with a garbled path' do
act = link("open(/var/tmp/):%20/location%0Afrom:%20/test") act = link("open(/var/tmp/):%20/location%0Afrom:%20/test")
expect { filter(act) }.not_to raise_error expect { filter(act) }.not_to raise_error
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment