canvas_link_migrator 1.0.19 → 1.0.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1295e9d9f0470130b2967896d1356ef0669d95082acf1f591347ee9896cae968
-  data.tar.gz: c28022e251c0755942ccdadb7462335ce3d97f29594d7ef7480c847a3c40bc2a
+  metadata.gz: ca1247f98a0eee8de26f1fa32da2ec683f374ea995a695bb4af201d87644795a
+  data.tar.gz: 122790ae2f969eee61c75118096d2e9b736fc328e9a27846f8b5b2e82ec7830b
 SHA512:
-  metadata.gz: da9757bd142342be4507fac11f7ad2c67f3b138f89a1db2e276ef5f80f363438b35512aef904ea0d6bfd9238c0d58ef90b5a21aaea0c8ededfe60456969e5bdc
-  data.tar.gz: cb128cfa720324395074336a325587d33940d6c664bf52df33988553347a8b4907ce1434e964194902920f7564276b1b9a0d88ed38c7d403a4c419869cdbc006
+  metadata.gz: 37e6e2273e60f1e4428793295e8610e21c138ae16527d54d3a8885c9b5ed88e3660e521e63386ea15f7b7fdab8201f29b0732360e26dce640020c40ec9e88985
+  data.tar.gz: 1d7e969234f632637138adcffa681a30a2a0d5fb3391ef080010c2252fbcd2520ed9e726ab4267793d8c1402baa45b5b910a16cce74e421be740899daccc4b7c

data/lib/canvas_link_migrator/link_replacer.rb

@@ -19,16 +19,38 @@
 
 module CanvasLinkMigrator
   class LinkReplacer
+    HTML_ESCAPES = { '"' => "&quot;", "<" => "&lt;", ">" => "&gt;" }.freeze
+    HTML_ESCAPE_RE = Regexp.union(HTML_ESCAPES.keys).freeze
+
+    def self.escape_url_for_html(value)
+      value.to_s.gsub(HTML_ESCAPE_RE, HTML_ESCAPES)
+    end
+
     # returns false if no substitutions were made
     def self.sub_placeholders!(html, links)
       subbed = false
-      links.each do |link|
+      media_links, other_links = links.partition { |l| l[:link_type] == :media_object }
+
+      if media_links.any?
+        by_placeholder = media_links.to_h { |l| [l[:placeholder], l] }
+        if html.gsub!(Regexp.union(by_placeholder.keys)) { |m|
+          link = by_placeholder[m]
+          link[:replaced] = true
+          link[:new_value] || link[:old_value]
+        }
+          subbed = true
+        end
+      end
+
+      other_links.each do |link|
         new_value = link[:new_value] || link[:old_value]
-        if html.gsub!(link[:placeholder], new_value)
+        new_value = escape_url_for_html(new_value)
+        if html.gsub!(link[:placeholder]) { new_value }
           link[:replaced] = true
           subbed = true
         end
       end
+
       subbed
     end
 

data/lib/canvas_link_migrator/link_resolver.rb

@@ -222,7 +222,7 @@ module CanvasLinkMigrator
             case k
             when /canvas_qs_(.*)/
               qs << "#{Rack::Utils.escape($1)}=#{Rack::Utils.escape(v)}"
-            when /canvas_(.*)/
+            when /\Acanvas_(\w*)\z/
               new_action += "/#{$1}"
             end
           end

data/lib/canvas_link_migrator/version.rb

@@ -1,3 +1,3 @@
 module CanvasLinkMigrator
-  VERSION = "1.0.19"
+  VERSION = "1.0.20"
 end

data/spec/canvas_link_migrator/imported_html_converter_spec.rb

@@ -140,6 +140,35 @@ describe CanvasLinkMigrator::ImportedHtmlConverter do
         test_string = %(<img src="%24IMS_CC_FILEBASE%24/test.png?notarelevantparam" alt="nope" />)
         expect(@converter.convert_exported_html(test_string)).to eq([%(<img src="#{@path}files/5/preview?verifier=u5" alt="nope">), nil])
       end
+
+      describe "path-segment injection via canvas_* parameter names" do
+        it "does not allow `..` path traversal via canvas_* keys" do
+          test_string = %(<img src="%24IMS_CC_FILEBASE%24/test.png?canvas_..%2F..%2Faccounts%2F1%2Fadmin=x" alt="nope" />)
+          html, _ = @converter.convert_exported_html(test_string)
+          src = Nokogiri::HTML5.fragment(html).at_css("img")["src"]
+          expect(src).not_to include(".."),
+            "path traversal: src contains `..` segments -- output was: #{src.inspect}"
+        end
+
+        it "does not allow a single `..` segment via canvas_* keys" do
+          test_string = %(<a href="%24IMS_CC_FILEBASE%24/test.png?canvas_..=x">x</a>)
+          html, _ = @converter.convert_exported_html(test_string)
+          href = Nokogiri::HTML5.fragment(html).at_css("a")["href"]
+          expect(href).not_to match(%r{/\.\.(?:/|\?|#|\z)}),
+            "path traversal: href ends in a `..` segment -- output was: #{href.inspect}"
+        end
+
+        it "does not allow `#` fragment injection that hides the verifier" do
+          test_string = %(<a href="%24IMS_CC_FILEBASE%24/test.png?canvas_a%23evil=x">x</a>)
+          html, _ = @converter.convert_exported_html(test_string)
+          href = Nokogiri::HTML5.fragment(html).at_css("a")["href"]
+          parsed = URI.parse(href)
+          expect(parsed.fragment).to be_nil,
+            "fragment injection: produced fragment #{parsed.fragment.inspect} -- output was: #{href.inspect}"
+          expect(parsed.query.to_s).to include("verifier="),
+            "verifier was pushed into the fragment by `#` injection -- output was: #{href.inspect}"
+        end
+      end
     end
 
     it "converts picture source srcsets" do
@@ -190,6 +219,113 @@ describe CanvasLinkMigrator::ImportedHtmlConverter do
       expect(@converter.convert_exported_html(test_string)).to eq([%(<a href="/courses/123">Mine</a><br><a href="/courses/456">Vain</a><br><a href="http://other-canvas.example.com/">Other Instance</a>), nil])
     end
 
+    describe "percent-encoded HTML in unresolved file references (CSAN-045)" do
+      it "does not allow attribute breakout via $IMS-CC-FILEBASE$ references" do
+        test_string = %(<img src="$IMS-CC-FILEBASE$/foo%22%09onerror=%22alert(1).jpg">)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        img = Nokogiri::HTML5.fragment(html).at_css("img")
+        expect(img).not_to be_nil
+        expect(img["onerror"]).to be_nil,
+          "attribute breakout: produced live onerror -- output was: #{html.inspect}"
+        expect(img.attributes.keys).to contain_exactly("src"),
+          "expected only `src`, got #{img.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+
+      it "does not allow attribute breakout via plain relative URLs" do
+        test_string = %(<a href="relative/foo%22%09onmouseover=%22alert(1).html">x</a>)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        anchor = Nokogiri::HTML5.fragment(html).at_css("a")
+        expect(anchor).not_to be_nil
+        expect(anchor["onmouseover"]).to be_nil,
+          "attribute breakout: produced live onmouseover -- output was: #{html.inspect}"
+        expect(anchor.attributes.keys).to contain_exactly("href"),
+          "expected only `href`, got #{anchor.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+
+      it "does not allow attribute breakout via $CANVAS_COURSE_REFERENCE$/file_ref/ rest" do
+        test_string = %(<a href="$CANVAS_COURSE_REFERENCE$/file_ref/E/preview&quot; onmouseover=&quot;alert(1)">x</a>)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        anchor = Nokogiri::HTML5.fragment(html).at_css("a")
+        expect(anchor).not_to be_nil
+        expect(anchor["onmouseover"]).to be_nil,
+          "attribute breakout via file_ref rest -- output was: #{html.inspect}"
+        expect(anchor.attributes.keys).to contain_exactly("href"),
+          "expected only `href`, got #{anchor.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+
+      it "does not allow attribute breakout via $CANVAS_COURSE_REFERENCE$/modules/items/ query" do
+        test_string = %(<a href="$CANVAS_COURSE_REFERENCE$/modules/items/C?foo=bar&quot; onmouseover=&quot;alert(1)">x</a>)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        anchor = Nokogiri::HTML5.fragment(html).at_css("a")
+        expect(anchor).not_to be_nil
+        expect(anchor["onmouseover"]).to be_nil,
+          "attribute breakout via module_item query -- output was: #{html.inspect}"
+        expect(anchor.attributes.keys).to contain_exactly("href"),
+          "expected only `href`, got #{anchor.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+
+      it "does not allow attribute breakout via wiki_page_migration_id fallback" do
+        test_string = %(<a href="wiki_page_migration_id=nope&quot; onmouseover=&quot;alert(1)">x</a>)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        anchor = Nokogiri::HTML5.fragment(html).at_css("a")
+        expect(anchor).not_to be_nil
+        expect(anchor["onmouseover"]).to be_nil,
+          "attribute breakout via wiki_page fallback -- output was: #{html.inspect}"
+        expect(anchor.attributes.keys).to contain_exactly("href"),
+          "expected only `href`, got #{anchor.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+
+      it "does not allow text-node injection when placeholder lives in inner_html" do
+        payload = "relative/foo%3Cimg%09src=x%09onerror=alert(1)%3E.html"
+        test_string = %(<a href="#{payload}">#{payload}</a>)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        anchor = Nokogiri::HTML5.fragment(html).at_css("a")
+        expect(anchor).not_to be_nil
+        expect(anchor.css("img")).to be_empty,
+          "text-node injection: produced live <img> child -- output was: #{html.inspect}"
+      end
+
+      it "does not allow attribute injection via gsub! pre-match back-reference" do
+        test_string = %q(<img src="wiki_page_migration_id=NONEXIST\`onerror=alert(1) ">)
+        html, _bad_links = @converter.convert_exported_html(test_string)
+
+        img = Nokogiri::HTML5.fragment(html).at_css("img")
+        expect(img).not_to be_nil
+        expect(img["onerror"]).to be_nil,
+          "attribute injection via gsub backref: produced live onerror -- output was: #{html.inspect}"
+        expect(img.attributes.keys).to contain_exactly("src"),
+          "expected only `src`, got #{img.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+
+      it "does not allow media_object cross-substitution into attribute context" do
+        attacker_video = %q(<video data-media-id="m-stuff" data-media-type="video"><source src="$IMS-CC-FILEBASE$/test.png" data-media-id="m-stuff" data-media-type="video"></video>)
+        preview = Nokogiri::HTML5.fragment(attacker_video, max_tree_depth: 10_000)
+        preview.search("source[data-media-type],source[data-media-id]").each do |source|
+          next unless %w[audio video].include?(source.parent.name)
+          media_node = source.parent
+          media_node.name = "iframe"
+          media_node["src"] = source["src"]
+          source.remove
+        end
+        predicted_placeholder = "LINK.PLACEHOLDER_#{Digest::MD5.hexdigest(preview.at_css("iframe").to_xml)}"
+
+        attack_html = %Q(<a href="evil/#{predicted_placeholder}">link</a>#{attacker_video})
+        html, _ = @converter.convert_exported_html(attack_html)
+
+        anchor = Nokogiri::HTML5.fragment(html).at_css("a")
+        expect(anchor).not_to be_nil
+        expect(anchor.attributes.keys).to contain_exactly("href"),
+          "media_object cross-substitution injected attributes onto anchor: " \
+          "#{anchor.attributes.keys.inspect} -- output was: #{html.inspect}"
+      end
+    end
+
     it "prepends course files for unrecognized relative urls" do
       test_string = %(<a href="/relative/path/to/file">Linkage</a>)
       html, bad_links = @converter.convert_exported_html(test_string)

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: canvas_link_migrator
 version: !ruby/object:Gem::Version
-  version: 1.0.19
+  version: 1.0.20
 platform: ruby
 authors:
 - Mysti Lilla
 - James Logan
 - Sarah Gerard
 - Math Costa
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-24 00:00:00.000000000 Z
+date: 2026-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -139,7 +139,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - mysti@instructure.com
 - james.logan@instructure.com
@@ -164,11 +164,11 @@ files:
 - spec/fixtures/canvas_resource_map_pages.json
 - spec/spec_helper.rb
 - test.sh
-homepage: 
+homepage:
 licenses: []
 metadata:
   source_code_uri: https://github.com/instructure/canvas_link_migrator
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -176,15 +176,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.3.27
+signing_key:
 specification_version: 4
 summary: Instructure gem for migrating Canvas style rich content
 test_files: []