From a43fc9ad17d4337dd26b9b8d867470ca8c548b41 Mon Sep 17 00:00:00 2001 From: ᴜɴᴋɴᴡᴏɴ Date: Sat, 21 Mar 2020 00:12:38 +0800 Subject: ipynb: sanitize rendered HTML (#5996) * ipynb: sanitize rendered HTML Fixes #5170 * Remove hardcode URL * Add tests --- internal/app/api.go | 36 ++++++++++++++++++ internal/app/api_test.go | 95 ++++++++++++++++++++++++++++++++++++++++++++++++ internal/app/metrics.go | 29 +++++++++++++++ 3 files changed, 160 insertions(+) create mode 100644 internal/app/api.go create mode 100644 internal/app/api_test.go create mode 100644 internal/app/metrics.go (limited to 'internal/app') diff --git a/internal/app/api.go b/internal/app/api.go new file mode 100644 index 00000000..c64e946e --- /dev/null +++ b/internal/app/api.go @@ -0,0 +1,36 @@ +// Copyright 2020 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package app + +import ( + "net/http" + + "github.com/microcosm-cc/bluemonday" + "gopkg.in/macaron.v1" + + "gogs.io/gogs/internal/context" +) + +func ipynbSanitizer() *bluemonday.Policy { + p := bluemonday.UGCPolicy() + p.AllowAttrs("class", "data-prompt-number").OnElements("div") + p.AllowAttrs("class").OnElements("img") + p.AllowURLSchemes("data") + return p +} + +func SanitizeIpynb() macaron.Handler { + p := ipynbSanitizer() + + return func(c *context.Context) { + html, err := c.Req.Body().String() + if err != nil { + c.Error(err, "read body") + return + } + + c.PlainText(http.StatusOK, p.Sanitize(html)) + } +} diff --git a/internal/app/api_test.go b/internal/app/api_test.go new file mode 100644 index 00000000..8b123078 --- /dev/null +++ b/internal/app/api_test.go @@ -0,0 +1,95 @@ +// Copyright 2020 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package app + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func Test_ipynbSanitizer(t *testing.T) { + p := ipynbSanitizer() + + tests := []struct { + name string + input string + want string + }{ + { + name: "allow 'class' and 'data-prompt-number' attributes", + input: ` +
+
+
Hello world
+
+
+
+
+
+
+`, + want: ` +
+
+
Hello world
+
+
+
+
+
+
+`, + }, + { + name: "allow base64 encoded images", + input: ` +
+ +
+`, + want: ` +
+ +
+`, + }, + { + name: "prevent XSS", + input: ` +
+
+ + +
+
+`, + want: ` +
+
+ + +
+
+`, + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + assert.Equal(t, test.want, p.Sanitize(test.input)) + }) + } +} diff --git a/internal/app/metrics.go b/internal/app/metrics.go new file mode 100644 index 00000000..80ff32f6 --- /dev/null +++ b/internal/app/metrics.go @@ -0,0 +1,29 @@ +// Copyright 2020 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package app + +import ( + "net/http" + + "gopkg.in/macaron.v1" + + "gogs.io/gogs/internal/conf" + "gogs.io/gogs/internal/context" +) + +func MetricsFilter() macaron.Handler { + return func(c *context.Context) { + if !conf.Prometheus.Enabled { + c.Status(http.StatusNotFound) + return + } + + if !conf.Prometheus.EnableBasicAuth { + return + } + + c.RequireBasicAuth(conf.Prometheus.BasicAuthUsername, conf.Prometheus.BasicAuthPassword) + } +} -- cgit v1.2.3