[ARVADOS] created: 1.3.0-2368-g7573d0e8f

Git user git at public.arvados.org
Mon Mar 23 21:09:02 UTC 2020


        at  7573d0e8f4e6bd045e0d91e34e76d1ea02ce77ba (commit)


commit 7573d0e8f4e6bd045e0d91e34e76d1ea02ce77ba
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Mon Mar 23 18:07:56 2020 -0300

    16266: Applies monkeypatch to fix CVE-2020-5267 on workbench1.
    
    As adviced on https://github.com/advisories/GHSA-65cv-r6x7-79hv
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>

diff --git a/apps/workbench/lib/actionview_xss_fix.rb b/apps/workbench/lib/actionview_xss_fix.rb
new file mode 100644
index 000000000..3f5e239ef
--- /dev/null
+++ b/apps/workbench/lib/actionview_xss_fix.rb
@@ -0,0 +1,32 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+# This is related to:
+# * https://github.com/advisories/GHSA-65cv-r6x7-79hv
+# * https://nvd.nist.gov/vuln/detail/CVE-2020-5267
+#
+# Until we upgrade to rails 5.2, this monkeypatch should be enough
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+  {
+    "`" => "\\`",
+    "$" => "\\$"
+  }
+)
+
+module ActionView::Helpers::JavaScriptHelper
+  alias :old_ej :escape_javascript
+  alias :old_j :j
+
+  def escape_javascript(javascript)
+    javascript = javascript.to_s
+    if javascript.empty?
+      result = ""
+    else
+      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+    end
+    javascript.html_safe? ? result.html_safe : result
+  end
+
+  alias :j :escape_javascript
+end
\ No newline at end of file

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list