[ARVADOS] created: 1.3.0-2368-g7573d0e8f
Git user
git at public.arvados.org
Mon Mar 23 21:09:02 UTC 2020
at 7573d0e8f4e6bd045e0d91e34e76d1ea02ce77ba (commit)
commit 7573d0e8f4e6bd045e0d91e34e76d1ea02ce77ba
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Mon Mar 23 18:07:56 2020 -0300
16266: Applies monkeypatch to fix CVE-2020-5267 on workbench1.
As adviced on https://github.com/advisories/GHSA-65cv-r6x7-79hv
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/apps/workbench/lib/actionview_xss_fix.rb b/apps/workbench/lib/actionview_xss_fix.rb
new file mode 100644
index 000000000..3f5e239ef
--- /dev/null
+++ b/apps/workbench/lib/actionview_xss_fix.rb
@@ -0,0 +1,32 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+# This is related to:
+# * https://github.com/advisories/GHSA-65cv-r6x7-79hv
+# * https://nvd.nist.gov/vuln/detail/CVE-2020-5267
+#
+# Until we upgrade to rails 5.2, this monkeypatch should be enough
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+ {
+ "`" => "\\`",
+ "$" => "\\$"
+ }
+)
+
+module ActionView::Helpers::JavaScriptHelper
+ alias :old_ej :escape_javascript
+ alias :old_j :j
+
+ def escape_javascript(javascript)
+ javascript = javascript.to_s
+ if javascript.empty?
+ result = ""
+ else
+ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+ end
+ javascript.html_safe? ? result.html_safe : result
+ end
+
+ alias :j :escape_javascript
+end
\ No newline at end of file
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list