SECURITY: Fixes for main (#28137)

* SECURITY: Update default allowed iframes list Change the default iframe url list to all include 3 slashes. * SECURITY: limit group tag's name length Limit the size of a group tag's name to 100 characters. Internal ref - t/130059 * SECURITY: Improve sanitization of SVGs in Onebox --------- Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com> Co-authored-by: Régis Hanol <regis@hanol.fr> Co-authored-by: David Taylor <david@taylorhq.com>
2025-06-04 11:11:13 +08:00 · 2024-07-30 14:19:01 +08:00
parent 2d5f323ca3
commit 188cb58daa
9 changed files with 75 additions and 8 deletions
--- a/spec/lib/onebox/preview_spec.rb
+++ b/spec/lib/onebox/preview_spec.rb
@ -118,4 +118,36 @@ RSpec.describe Onebox::Preview do
      expect(result).to include ' src="https://thirdparty.example.com"'
    end
  end
+
+  describe "svg sanitization" do
+    it "does not allow unexpected elements inside svg" do
+      preview = described_class.new(preview_url)
+      preview.stubs(:engine_html).returns <<~HTML.strip
+        <svg><style>/*Text*/</style></svg>
+      HTML
+
+      result = preview.to_s
+      expect(result).to eq("<svg></svg>")
+    end
+
+    it "does not allow text inside svg" do
+      preview = described_class.new(preview_url)
+      preview.stubs(:engine_html).returns <<~HTML.strip
+        <svg>Hello world</svg>
+      HTML
+
+      result = preview.to_s
+      expect(result).to eq("<svg></svg>")
+    end
+
+    it "allows simple svg" do
+      simple_svg =
+        '<svg height="210" width="400"><path d="M150 5 L75 200 L225 200 Z" style="fill:none;stroke:green;stroke-width:3"></path></svg>'
+      preview = described_class.new(preview_url)
+      preview.stubs(:engine_html).returns simple_svg
+
+      result = preview.to_s
+      expect(result).to eq(simple_svg)
+    end
+  end
 end
--- a/spec/lib/pretty_text_spec.rb
+++ b/spec/lib/pretty_text_spec.rb
@ -2529,17 +2529,17 @@ HTML
  end

  it "can properly allowlist iframes" do
-    SiteSetting.allowed_iframes = "https://bob.com/a|http://silly.com?EMBED="
+    SiteSetting.allowed_iframes = "https://bob.com/a|http://silly.com/?EMBED="
    raw = <<~HTML
      <iframe src='https://www.google.com/maps/Embed?testing'></iframe>
      <iframe src='https://bob.com/a?testing'></iframe>
-      <iframe src='HTTP://SILLY.COM?EMBED=111'></iframe>
+      <iframe src='HTTP://SILLY.COM/?EMBED=111'></iframe>
    HTML

    # we require explicit HTTPS here
    html = <<~HTML
      <iframe src="https://bob.com/a?testing"></iframe>
-      <iframe src="HTTP://SILLY.COM?EMBED=111"></iframe>
+      <iframe src="HTTP://SILLY.COM/?EMBED=111"></iframe>
    HTML

    cooked = PrettyText.cook(raw).strip