Basic xss prevention

tokarchuk/v1.17
Unknwon 10 years ago
parent 6a79b76531
commit 263d409326
  1. 1
      .gopmfile
  2. 2
      gogs.go
  3. 5
      models/repo.go
  4. 48
      modules/base/markdown.go
  5. 27
      modules/base/tool.go
  6. 2
      templates/.VERSION

@ -24,6 +24,7 @@ github.com/macaron-contrib/session =
github.com/macaron-contrib/toolbox = commit:57127bcc89
github.com/mattn/go-sqlite3 = commit:a80c27ba33
github.com/nfnt/resize = commit:581d15cb53
github.com/russross/blackfriday =
github.com/saintfish/chardet = commit:3af4cd4741
[res]

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
const APP_VER = "0.5.4.1003 Beta"
const APP_VER = "0.5.4.1004 Beta"
func init() {
runtime.GOMAXPROCS(runtime.NumCPU())

@ -23,6 +23,7 @@ import (
"github.com/Unknwon/cae/zip"
"github.com/Unknwon/com"
"github.com/gogits/gogs/modules/base"
"github.com/gogits/gogs/modules/git"
"github.com/gogits/gogs/modules/log"
"github.com/gogits/gogs/modules/process"
@ -48,7 +49,7 @@ var (
)
var (
DescriptionPattern = regexp.MustCompile(`https?://\S+`)
DescPattern = regexp.MustCompile(`https?://\S+`)
)
func LoadRepoConfig() {
@ -181,7 +182,7 @@ func (repo *Repository) DescriptionHtml() template.HTML {
ss := html.EscapeString(s)
return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
}
return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
return template.HTML(DescPattern.ReplaceAllStringFunc(base.XSSString(repo.Description), sanitize))
}
// IsRepositoryExist returns true if the repository with given name under user has already existed.

@ -13,7 +13,8 @@ import (
"regexp"
"strings"
"github.com/gogits/gfm"
"github.com/russross/blackfriday"
"github.com/gogits/gogs/modules/setting"
)
@ -74,7 +75,7 @@ func IsReadmeFile(name string) bool {
}
type CustomRender struct {
gfm.Renderer
blackfriday.Renderer
urlPrefix string
}
@ -154,39 +155,40 @@ func RenderSpecialLink(rawBytes []byte, urlPrefix string) []byte {
func RenderRawMarkdown(body []byte, urlPrefix string) []byte {
htmlFlags := 0
// htmlFlags |= gfm.HTML_USE_XHTML
// htmlFlags |= gfm.HTML_USE_SMARTYPANTS
// htmlFlags |= gfm.HTML_SMARTYPANTS_FRACTIONS
// htmlFlags |= gfm.HTML_SMARTYPANTS_LATEX_DASHES
// htmlFlags |= gfm.HTML_SKIP_HTML
htmlFlags |= gfm.HTML_SKIP_STYLE
htmlFlags |= gfm.HTML_SKIP_SCRIPT
htmlFlags |= gfm.HTML_GITHUB_BLOCKCODE
htmlFlags |= gfm.HTML_OMIT_CONTENTS
// htmlFlags |= gfm.HTML_COMPLETE_PAGE
// htmlFlags |= blackfriday.HTML_USE_XHTML
// htmlFlags |= blackfriday.HTML_USE_SMARTYPANTS
// htmlFlags |= blackfriday.HTML_SMARTYPANTS_FRACTIONS
// htmlFlags |= blackfriday.HTML_SMARTYPANTS_LATEX_DASHES
// htmlFlags |= blackfriday.HTML_SKIP_HTML
htmlFlags |= blackfriday.HTML_SKIP_STYLE
// htmlFlags |= blackfriday.HTML_SKIP_SCRIPT
// htmlFlags |= blackfriday.HTML_GITHUB_BLOCKCODE
htmlFlags |= blackfriday.HTML_OMIT_CONTENTS
// htmlFlags |= blackfriday.HTML_COMPLETE_PAGE
renderer := &CustomRender{
Renderer: gfm.HtmlRenderer(htmlFlags, "", ""),
Renderer: blackfriday.HtmlRenderer(htmlFlags, "", ""),
urlPrefix: urlPrefix,
}
// set up the parser
extensions := 0
extensions |= gfm.EXTENSION_NO_INTRA_EMPHASIS
extensions |= gfm.EXTENSION_TABLES
extensions |= gfm.EXTENSION_FENCED_CODE
extensions |= gfm.EXTENSION_AUTOLINK
extensions |= gfm.EXTENSION_STRIKETHROUGH
extensions |= gfm.EXTENSION_HARD_LINE_BREAK
extensions |= gfm.EXTENSION_SPACE_HEADERS
extensions |= gfm.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
body = gfm.Markdown(body, renderer, extensions)
extensions |= blackfriday.EXTENSION_NO_INTRA_EMPHASIS
extensions |= blackfriday.EXTENSION_TABLES
extensions |= blackfriday.EXTENSION_FENCED_CODE
extensions |= blackfriday.EXTENSION_AUTOLINK
extensions |= blackfriday.EXTENSION_STRIKETHROUGH
extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK
extensions |= blackfriday.EXTENSION_SPACE_HEADERS
extensions |= blackfriday.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
body = blackfriday.Markdown(body, renderer, extensions)
return body
}
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
body := RenderSpecialLink(rawBytes, urlPrefix)
body = RenderRawMarkdown(body, urlPrefix)
body = XSS(body)
return body
}

@ -14,6 +14,7 @@ import (
"hash"
"html/template"
"math"
"regexp"
"strings"
"time"
@ -446,3 +447,29 @@ func DateFormat(t time.Time, format string) string {
format = replacer.Replace(format)
return t.Format(format)
}
type xssFilter struct {
reg *regexp.Regexp
repl []byte
}
var (
whiteSpace = []byte(" ")
xssFilters = []xssFilter{
{regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
{regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
{regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0&#x0D;]*:`), whiteSpace},
}
)
// XSS goes through all the XSS filters to make user input content as safe as possible.
func XSS(in []byte) []byte {
for _, filter := range xssFilters {
in = filter.reg.ReplaceAll(in, filter.repl)
}
return in
}
func XSSString(in string) string {
return string(XSS([]byte(in)))
}

@ -1 +1 @@
0.5.4.1003 Beta
0.5.4.1004 Beta
Loading…
Cancel
Save