kallithea Changeset - 5746cc3b3fa5

Changeset - 5746cc3b3fa5

Parent rev.

Child rev.

[Not reviewed]

stable

0 2 0

Mads Kiilerich - 7 years ago 2018-10-21 17:44:06
mads@kiilerich.com

Grafted from: 35cfc37c3c9b

lib: use bleach to sanitize HTML generated from markdown - fix XSS issue when repo front page shows README.md

Reported by Bob Hogg <wombat@rwhogg.site> .

2 files changed with 21 insertions and 7 deletions:

kallithea/lib/markup_renderer.py

setup.py

0 comments (0 inline, 0 general)

kallithea/lib/markup_renderer.py

➞

Show inline comments

@@ @@ -10,48 +10,49 @@ @@
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 kallithea.lib.markup_renderer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Renderer for markup languages with ability to parse using rst or markdown
 This file was forked by the Kallithea project in July 2014.
 Original author and date, and relevant copyright and licensing information is below:
 :created_on: Oct 27, 2011
 :author: marcink
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import re
 import logging
 import traceback
 import markdown as markdown_mod
 import bleach
 from kallithea.lib.utils2 import safe_unicode, MENTIONS_REGEX
 log = logging.getLogger(__name__)
 url_re = re.compile(r'''(\bhttps?://(?:[\da-zA-Z0-9@:.-]+)'''
                     r'''(?:[/a-zA-Z0-9_=@#~&+%.,:;?!*()-]*[/a-zA-Z0-9_=@#~])?)''')
 class MarkupRenderer(object):
     RESTRUCTUREDTEXT_DISALLOWED_DIRECTIVES = ['include', 'meta', 'raw']
     MARKDOWN_PAT = re.compile(r'md|mkdn?|mdown|markdown', re.IGNORECASE)
     RST_PAT = re.compile(r're?st', re.IGNORECASE)
     PLAIN_PAT = re.compile(r'readme', re.IGNORECASE)
     def _detect_renderer(self, source, filename=None):
         """
         runs detection of what renderer should be used for generating html
         from a markup language
         filename can be also explicitly a renderer name
         :param source:
@@ @@ -121,70 +122,82 @@ class MarkupRenderer(object): @@
         :param file_name:
         :param source:
         """
         renderer = self._detect_renderer(source, filename)
         readme_data = renderer(source)
         return readme_data
     @classmethod
     def plain(cls, source, universal_newline=True):
         source = safe_unicode(source)
         if universal_newline:
             newline = '\n'
             source = newline.join(source.splitlines())
         def url_func(match_obj):
             url_full = match_obj.groups()[0]
             return '<a href="%(url)s">%(url)s</a>' % ({'url': url_full})
         source = url_re.sub(url_func, source)
         return '<br />' + source.replace("\n", '<br />')
     @classmethod
     def markdown(cls, source, safe=True, flavored=False):
         """
         Convert Markdown (possibly GitHub Flavored) to HTML, possibly
+        Convert Markdown (possibly GitHub Flavored) to XSS safe HTML, possibly
         with "safe" fall-back to plaintext.
         >>> MarkupRenderer.markdown('''<img id="a" style="margin-top:-1000px;color:red" src="http://example.com/test.jpg">''')
-        u'<p><img id="a" style="margin-top:-1000px;color:red" src="http://example.com/test.jpg"></p>'
+        u'<p><img id="a" src="http://example.com/test.jpg" style="color: red;"></p>'
         >>> MarkupRenderer.markdown('''<img class="c d" src="file://localhost/test.jpg">''')
-        u'<p><img class="c d" src="file://localhost/test.jpg"></p>'
         u'<p><img class="c d"></p>'
         >>> MarkupRenderer.markdown('''<a href="foo">foo</a>''')
         u'<p><a href="foo">foo</a></p>'
         >>> MarkupRenderer.markdown('''<script>alert(1)</script>''')
-        u'<script>alert(1)</script>'
+        u'&lt;script&gt;alert(1)&lt;/script&gt;'
         >>> MarkupRenderer.markdown('''<div onclick="alert(2)">yo</div>''')
-        u'<div onclick="alert(2)">yo</div>'
         u'<div>yo</div>'
         >>> MarkupRenderer.markdown('''<a href="javascript:alert(3)">yo</a>''')
-        u'<p><a href="javascript:alert(3)">yo</a></p>'
         u'<p><a>yo</a></p>'
         """
         source = safe_unicode(source)
         try:
             if flavored:
                 source = cls._flavored_markdown(source)
             markdown_html = markdown_mod.markdown(source, ['codehilite', 'extra'])
             return markdown_html
             # Allow most HTML, while preventing XSS issues:
             # no <script> tags, no onclick attributes, no javascript
             # "protocol", and also limit styling to prevent defacing.
             return bleach.clean(markdown_html,
                 tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
                       'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
                       'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
                       'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
                       'thead', 'tr', 'ul'],
                 attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
                 styles=['color'],
                 protocols=['http', 'https', 'mailto'],
+                )
         except Exception:
             log.error(traceback.format_exc())
             if safe:
                 log.debug('Falling back to render in plain mode')
                 return cls.plain(source)
             else:
                 raise
     @classmethod
     def rst(cls, source, safe=True):
         source = safe_unicode(source)
         try:
             from docutils.core import publish_parts
             from docutils.parsers.rst import directives
             docutils_settings = dict([(alias, None) for alias in
                                 cls.RESTRUCTUREDTEXT_DISALLOWED_DIRECTIVES])
             docutils_settings.update({'input_encoding': 'unicode',
                                       'report_level': 4})
             for k, v in docutils_settings.iteritems():
                 directives.register_directive(k, v)
             parts = publish_parts(source=source,

setup.py

➞

Show inline comments

@@ @@ -36,48 +36,49 @@ is_windows = __platform__ in ['Windows'] @@
 requirements = [
     "setuptools<34", # setuptools==34 has an undeclared requirement of pyparsing >=2.1, but celery<2.3 requires pyparsing<2
     "waitress==0.8.8",
     "webob>=1.0.8,<=1.1.1",
     "webtest==1.4.3",
     "Pylons>=1.0.0,<=1.0.3",
     "Beaker==1.6.4",
     "WebHelpers==1.3",
     "formencode>=1.2.4,<=1.2.6",
     "SQLAlchemy==0.7.10",
     "Mako>=0.9.0,<=1.0.0",
     "pygments>=1.5",
     "whoosh>=2.4.0,<=2.5.7",
     "celery>=2.2.5,<2.3",
     "babel>=0.9.6,<=1.3",
     "python-dateutil>=1.5.0,<2.0.0",
     "markdown==2.2.1",
     "docutils>=0.8.1,<=0.11",
     "mock",
     "URLObject==2.3.4",
     "Routes==1.13",
     "dulwich>=0.9.9,<=0.9.9",
     "mercurial>=2.9,<4.3",
     "bleach >= 3.0, < 3.1",
+]
 if sys.version_info < (2, 7):
     requirements.append("importlib==1.0.1")
     requirements.append("unittest2")
     requirements.append("argparse")
 if not is_windows:
     requirements.append("py-bcrypt>=0.3.0,<=0.4")
 dependency_links = [
+]
 classifiers = [
     'Development Status :: 4 - Beta',
     'Environment :: Web Environment',
     'Framework :: Pylons',
     'Intended Audience :: Developers',
     'License :: OSI Approved :: GNU General Public License (GPL)',
     'Operating System :: OS Independent',
     'Programming Language :: Python',
     'Programming Language :: Python :: 2.6',
     'Programming Language :: Python :: 2.7',

0 comments (0 inline, 0 general)