domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Disallow dangerous URL schemes (#25960) (#25964)

Browse source 
Regression: https://github.com/go-gitea/gitea/pull/24805
Closes: #25945

- Disallow `javascript`, `vbscript` and `data` (data uri images still
work) url schemes even if all other schemes are allowed
- Fixed older `cbthunderlink` tests

---------

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit ab54310731)
This commit is contained in:
KN4CK3R 2023-07-18 21:48:52 +02:00 committed by Earl Warren
parent 16102d3787
commit 7ad63bc41e
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
4 changed files with 32 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

9
modules/markup/sanitizer.go
View file

@ -6,6 +6,7 @@ package markup
import (
"io"
"net/url"
"regexp"
"sync"
@ -79,6 +80,14 @@ func createDefaultPolicy() *bluemonday.Policy {
policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
} else {
policy.AllowURLSchemesMatching(allowAllRegex)
// Even if every scheme is allowed, these three are blocked for security reasons
disallowScheme := func(*url.URL) bool {
return false
}
policy.AllowURLSchemeWithCustomPolicy("javascript", disallowScheme)
policy.AllowURLSchemeWithCustomPolicy("vbscript", disallowScheme)
policy.AllowURLSchemeWithCustomPolicy("data", disallowScheme)
}
// Allow classes for anchors

9
modules/markup/sanitizer_test.go
View file

@ -59,8 +59,13 @@ func Test_Sanitizer(t *testing.T) {
`<li class="indeterminate"></li>`, `<li class="indeterminate"></li>`,
// URLs
`[my custom URL scheme](cbthunderlink://somebase64string)`, `[my custom URL scheme](cbthunderlink://somebase64string)`,
`[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`,
`<a href="cbthunderlink://somebase64string)">my custom URL scheme</a>`, `<a href="cbthunderlink://somebase64string)" rel="nofollow">my custom URL scheme</a>`,
`<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join">my custom URL scheme</a>`, `<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join" rel="nofollow">my custom URL scheme</a>`,
// Disallow dangerous url schemes
`<a href="javascript:alert('xss')">bad</a>`, `bad`,
`<a href="vbscript:no">bad</a>`, `bad`,
`<a href="data:1234">bad</a>`, `bad`,
}
for i := 0; i < len(testCases); i += 2 {