Files @ 2ac4499b25eb
Branch filter:

Location: kallithea/scripts/validate-commits

2ac4499b25eb 1.4 KiB text/plain Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
lib: sanitize HTML for all types of README rendering, not only markdown

The repository summary page will display a rendered version of the
repository 'readme' based on its file extension. In commit 5746cc3b3fa5,
the rendered output was already sanitized when the input was markdown.
However, also readmes written in other formats, like ReStructuredText (RST)
or plain text could have content that we want sanitized.

Therefore, move the sanitizing one level up so it covers all renderers, for
now and the future.

This fixes an XSS issue when a repository readme contains javascript code,
which would be executed when the repository summary page is visited by a
user.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/usr/bin/env bash
# Validate the specified commits against test suite and other checks.

if [ -n "$VIRTUAL_ENV" ]; then
    echo "Please run this script from outside a virtualenv."
    exit 1
fi

if ! hg update --check -q .; then
    echo "Working dir is not clean, please commit/revert changes first."
    exit 1
fi

venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"

cleanup()
{
    rm -rf /tmp/kallithea-test*
    rm -rf "$venv"
}
finish()
{
    cleanup
    # print (possibly intermediate) results
    cat "$resultfile"
    rm "$resultfile"
}
trap finish EXIT

for rev in $(hg log -r "$1" -T '{node}\n'); do
    hg log -r "$rev"
    hg update "$rev"

    cleanup
    virtualenv -p "$(command -v python2)" "$venv"
    source "$venv/bin/activate"
    pip install --upgrade pip setuptools
    pip install -e .
    pip install -r dev_requirements.txt
    pip install python-ldap python-pam

    # run-all-cleanup
    scripts/run-all-cleanup
    if ! hg update --check -q .; then
        echo "run-all-cleanup did not give clean results!"
        result="NOK"
        hg diff
        hg revert -a
    else
        result=" OK"
    fi
    echo "$result: $rev (run-all-cleanup)" >> "$resultfile"

    # pytest
    if py.test; then
        result=" OK"
    else
        result="NOK"
    fi
    echo "$result: $rev (pytest)" >> "$resultfile"

    deactivate
    echo
done
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.