[ARVADOS] created: 1.1.4-788-ga9a202895

Git user git at public.curoverse.com
Tue Aug 14 13:34:48 EDT 2018


        at  a9a202895a63f29e8bc045c50f5518800b008275 (commit)


commit a9a202895a63f29e8bc045c50f5518800b008275
Author: Lucas Di Pentima <ldipentima at veritasgenetics.com>
Date:   Tue Aug 14 14:01:36 2018 -0300

    14028: Sanitize RedCloth's output.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima at veritasgenetics.com>

diff --git a/apps/workbench/app/helpers/application_helper.rb b/apps/workbench/app/helpers/application_helper.rb
index 106716a0f..cba0c6269 100644
--- a/apps/workbench/app/helpers/application_helper.rb
+++ b/apps/workbench/app/helpers/application_helper.rb
@@ -16,7 +16,7 @@ module ApplicationHelper
   end
 
   def render_markup(markup)
-    raw RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile) if markup
+    sanitize(raw(RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile))) if markup
   end
 
   def human_readable_bytes_html(n)
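Review bot: The inner `raw` on line 27 is redundant and reads the wrong way round: `sanitize` receives the string either way and returns its own html_safe result, so the `raw` does not skip any escaping but suggests the RedCloth output is being trusted before the sanitizer sees it. `sanitize(RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile)) if markup` expresses the intent more directly. With no options passed, `sanitize` falls back to the application-wide allowlist, so which of RedCloth's tags and attributes survive (tables, images, class/id/style) is decided by that configuration rather than by this helper, and a change to that configuration elsewhere would change what this method emits. A one-line comment such as `# markup is user-supplied; the sanitizer allowlist, not RedCloth, decides what reaches the page` would make that dependency visible to the next reader.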

commit d06843b42863fb2db47d11f18ce60b80cc5a8c55
Author: Lucas Di Pentima <ldipentima at veritasgenetics.com>
Date:   Tue Aug 14 14:32:47 2018 -0300

    14028: Add test exposing the bug
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima at veritasgenetics.com>

diff --git a/apps/workbench/test/controllers/projects_controller_test.rb b/apps/workbench/test/controllers/projects_controller_test.rb
index ada0e33e7..c35d83ffc 100644
--- a/apps/workbench/test/controllers/projects_controller_test.rb
+++ b/apps/workbench/test/controllers/projects_controller_test.rb
@@ -341,6 +341,16 @@ class ProjectsControllerTest < ActionController::TestCase
     assert_includes @response.body, 'Textile description with link to home page <a href="/">take me home</a>.'
   end
 
+  test "find a project and edit description to unsafe html description" do
+    project = api_fixture('groups')['aproject']
+    use_token :active
+    found = Group.find(project['uuid'])
+    found.description = 'Textile description with unsafe script tag <script language="javascript">alert("Hello there")</script>.'
+    found.save!
+    get(:show, {id: project['uuid']}, session_for(:active))
+    assert_includes @response.body, 'Textile description with unsafe script tag alert("Hello there").'
+  end
+
   test "find a project and edit description to textile description with link to object" do
     project = api_fixture('groups')['aproject']
     use_token :active
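Review bot: The assertion on line 55 pins the sanitizer's strip behaviour (element removed, its text kept) rather than the property the test title is about, namely that no script reaches the page; a sanitizer configured to prune the element together with its contents would be safe yet fail this test, and the failure would not say why. Adding `refute_includes @response.body, '<script'` next to the existing `assert_includes` checks the security property directly while keeping the current line as documentation of the expected rendering. The test also writes to the shared `aproject` fixture with `save!` on line 53, as its neighbours in this file do, so the description it leaves behind may be visible to later tests in the same run unless the fixtures are reset between them — worth confirming against the test setup.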

-----------------------------------------------------------------------

