qiita-markdown 0.28.0 → 0.33.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db1f661355f65d7ca159db9a954a74002a39cb996e573aa483384edf7fb6f68c
-  data.tar.gz: b2e6bce2f3f66af7e5238515e4f082abeedf86b90b886aacaa8ce45b7655e942
+  metadata.gz: 17dc016afba392cc6e3ea77af4cdc445e32c6004a6c23a24b8dce1a4e0ec1811
+  data.tar.gz: 042e3a11a8cc6d266463ae7bb8d3e46c8c732efeb061086586c80a277898cf38
 SHA512:
-  metadata.gz: 9784da7558dbe61bcc6f4e3e923c3286f4954c9632b892997c3816b1e366844420cd8280ae432b8a6a85ec3dff543dd31aaf2690f6b2ed20ae862f9d756fb74c
-  data.tar.gz: d1c1920577d61ba16cec374c16feaa9804e862b61e2653dfe99470b9832c66dc3d6c4969a8559b718bc3e0adf85b5e55aeb35604b01909a3c93b558a816e11e3
+  metadata.gz: 0c59646956b877c13e7c6ef62bd366483b5a7da78f19bfe8aee2305ea568c6f59dfb2d916e68a822e3363ddabbf7577166e8e21a8da79152550b11c77a3dc8d6
+  data.tar.gz: b907d5a284c9c77e9f264298d38d6ec4a0861179dda36320f6fd40187b606662b1e07e61d9f3e5bd2070f203e3de5d60b53cdb05593ca64ceb875c6bbd811f31

data/CHANGELOG.md

@@ -1,5 +1,31 @@
 ## Unreleased
 
+## 0.33.0
+
+- Fix XSS possibility bug
+
+## 0.32.0
+
+- Fix XSS possibility bug
+- Fix iframe width to be fixed at 100%
+
+## 0.31.0
+
+- Use greenmat 3.5.1.1
+
+## 0.30.0
+
+- Use greenmat 3.5.1.0
+
+## 0.29.0
+
+- Accept new embeded script and iframes
+    - Gist
+    - Youtube
+    - SlideShare
+    - SpeekerDeck
+    - GoogleSlide
+
 ## 0.28.0
 
 - Accept new codepen script url (cpwebassets.codepen.io)

data/lib/qiita/markdown.rb

@@ -10,8 +10,14 @@ require "sanitize"
 require "qiita/markdown/embed/code_pen"
 require "qiita/markdown/embed/tweet"
 require "qiita/markdown/embed/asciinema"
+require "qiita/markdown/embed/gist"
+require "qiita/markdown/embed/youtube"
+require "qiita/markdown/embed/slide_share"
+require "qiita/markdown/embed/google_slide"
+require "qiita/markdown/embed/speeker_deck"
 require "qiita/markdown/transformers/filter_attributes"
 require "qiita/markdown/transformers/filter_script"
+require "qiita/markdown/transformers/filter_iframe"
 require "qiita/markdown/transformers/strip_invalid_node"
 require "qiita/markdown/filters/checkbox"
 require "qiita/markdown/filters/code_block"

data/lib/qiita/markdown/embed/gist.rb

@@ -0,0 +1,9 @@
+module Qiita
+  module Markdown
+    module Embed
+      module Gist
+        SCRIPT_HOST = "gist.github.com".freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/google_slide.rb

@@ -0,0 +1,9 @@
+module Qiita
+  module Markdown
+    module Embed
+      module GoogleSlide
+        SCRIPT_HOST = "docs.google.com".freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/slide_share.rb

@@ -0,0 +1,9 @@
+module Qiita
+  module Markdown
+    module Embed
+      module SlideShare
+        SCRIPT_HOST = "www.slideshare.net".freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/speeker_deck.rb

@@ -0,0 +1,16 @@
+module Qiita
+  module Markdown
+    module Embed
+      module SpeekerDeck
+        SCRIPT_URLS = [
+          "//speakerdeck.com/assets/embed.js",
+        ].freeze
+        CLASS_NAME = %w[speakerdeck-embed].freeze
+        DATA_ATTRIBUTES = %w[
+          data-id data-ratio
+        ].freeze
+        ATTRIBUTES = %w[class] + DATA_ATTRIBUTES
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/youtube.rb

@@ -0,0 +1,12 @@
+module Qiita
+  module Markdown
+    module Embed
+      module Youtube
+        SCRIPT_HOSTS = [
+          "www.youtube-nocookie.com",
+          "www.youtube.com",
+        ].freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/filters/final_sanitizer.rb

@@ -47,7 +47,9 @@ module Qiita
               "async",
               "src",
               "type",
-            ],
+            ].concat(
+              Embed::SpeekerDeck::ATTRIBUTES,
+            ),
             "span" => [
               "style",
             ],
@@ -137,6 +139,7 @@ module Qiita
             "s",
             "samp",
             "script",
+            "iframe",
             "span",
             "strike",
             "strong",
@@ -186,14 +189,15 @@ module Qiita
           transformers: [
             Transformers::StripInvalidNode,
             Transformers::FilterScript,
+            Transformers::FilterIframe,
           ],
         }.freeze
 
         SCRIPTABLE_RULE = RULE.dup.tap do |rule|
           rule[:attributes] = RULE[:attributes].dup
           rule[:attributes][:all] = rule[:attributes][:all] + [:data]
-          rule[:elements] = RULE[:elements] + ["iframe", "video"]
-          rule[:transformers] = rule[:transformers] - [Transformers::FilterScript]
+          rule[:elements] = RULE[:elements] + ["video"]
+          rule[:transformers] = rule[:transformers] - [Transformers::FilterScript, Transformers::FilterIframe]
         end
 
         def call

data/lib/qiita/markdown/filters/user_input_sanitizer.rb

@@ -6,7 +6,7 @@ module Qiita
         RULE = {
           elements: %w[
             a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
-            hr i img ins kbd li ol p pre q rp rt ruby s samp script strike strong sub
+            hr i img ins kbd li ol p pre q rp rt ruby s samp script iframe strike strong sub
             summary sup table tbody td tfoot th thead tr ul var
           ],
           attributes: {
@@ -26,7 +26,18 @@ module Qiita
             "li"         => %w[id],
             "p"          => Embed::CodePen::ATTRIBUTES,
             "q"          => %w[cite],
-            "script"     => %w[async src id],
+            "script"     => %w[async src id].concat(Embed::SpeekerDeck::ATTRIBUTES),
+            "iframe"     => %w[
+              allowfullscreen
+              frameborder
+              height
+              marginheight
+              marginwidth
+              scrolling
+              src
+              style
+              width
+            ],
             "sup"        => %w[id],
             "td"         => %w[colspan rowspan style],
             "th"         => %w[colspan rowspan style],
@@ -42,6 +53,7 @@ module Qiita
           transformers: [
             Transformers::FilterAttributes,
             Transformers::FilterScript,
+            Transformers::FilterIframe,
           ],
         }.freeze
 

data/lib/qiita/markdown/transformers/filter_iframe.rb

@@ -0,0 +1,54 @@
+module Qiita
+  module Markdown
+    module Transformers
+      class FilterIframe
+        URL_WHITE_LIST = [
+        ].flatten.freeze
+
+        HOST_WHITE_LIST = [
+          Embed::Youtube::SCRIPT_HOSTS,
+          Embed::SlideShare::SCRIPT_HOST,
+          Embed::GoogleSlide::SCRIPT_HOST,
+        ].flatten.freeze
+
+        def self.call(*args)
+          new(*args).transform
+        end
+
+        def initialize(env)
+          @env = env
+        end
+
+        def transform
+          if name == "iframe"
+            if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
+              node["width"] = "100%"
+              node.children.unlink
+            else
+              node.unlink
+            end
+          end
+        end
+
+        private
+
+        def name
+          @env[:node_name]
+        end
+
+        def node
+          @env[:node]
+        end
+
+        def host_of(url)
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/transformers/filter_script.rb

@@ -5,10 +5,12 @@ module Qiita
         URL_WHITE_LIST = [
           Embed::CodePen::SCRIPT_URLS,
           Embed::Tweet::SCRIPT_URL,
+          Embed::SpeekerDeck::SCRIPT_URLS,
         ].flatten.freeze
 
         HOST_WHITE_LIST = [
           Embed::Asciinema::SCRIPT_HOST,
+          Embed::Gist::SCRIPT_HOST,
         ].flatten.freeze
 
         def self.call(*args)
@@ -41,8 +43,11 @@ module Qiita
         end
 
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/version.rb

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.28.0"
+    VERSION = "0.33.0"
   end
 end

data/qiita-markdown.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "html-pipeline", "~> 2.0"
   spec.add_dependency "mem"
   spec.add_dependency "pygments.rb", "~> 1.0"
-  spec.add_dependency "greenmat", "3.2.2.4"
+  spec.add_dependency "greenmat", "3.5.1.1"
   spec.add_dependency "sanitize"
   spec.add_dependency "addressable"
   spec.add_development_dependency "activesupport", "4.2.6"

data/spec/qiita/markdown/processor_spec.rb

@@ -740,7 +740,7 @@ describe Qiita::Markdown::Processor do
 
         it "generates footnotes elements" do
           should eq <<-HTML.strip_heredoc
-            <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
+            <p><sup id="fnref1"><a href="#fn1" title="test">1</a></sup></p>
 
             <div class="footnotes">
             <hr>
@@ -756,6 +756,25 @@ describe Qiita::Markdown::Processor do
         end
       end
 
+      context "with footenotes syntax with code block" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            ```
+            [^1]
+            [^1]: test
+            ```
+          MARKDOWN
+        end
+
+        it "generates only code blocks without footnotes" do
+          should eq <<-HTML.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>[^1]
+            [^1]: test
+            </pre></div></div>
+          HTML
+        end
+      end
+
       context "with manually written link inside of <sup> tag" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
@@ -1031,6 +1050,31 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with details tag" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <details><summary>Folding sample</summary><div>
+
+            ```rb
+            puts "Hello, World"
+            ```
+            </div></details>
+          MARKDOWN
+        end
+
+        it "returns HTML output parsed as markdown" do
+          expect(subject).to eq <<-HTML.strip_heredoc
+            <p><details><summary>Folding sample</summary><div>
+
+            <div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
+            </pre></div></div>
+
+            <p></p>
+            </div></details></p>
+          HTML
+        end
+      end
     end
 
     shared_examples_for "script element" do |allowed:|
@@ -1407,6 +1451,138 @@ describe Qiita::Markdown::Processor do
         end
       end
 
+      context "with HTML embed code for Gist" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script id="example" src="https://gist.github.com/a/example.js"></script>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <script id="example" src="https://gist.github.com/a/example.js"></script>
+            HTML
+          end
+        else
+          it "forces async attribute on script" do
+            should eq <<-HTML.strip_heredoc
+              <script id="example" src="https://gist.github.com/a/example.js" async="async"></script>
+            HTML
+          end
+        end
+      end
+
+      context "with HTML embed code for Youtube" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
+            HTML
+          end
+        end
+
+        context "when url is privacy enhanced mode" do
+          let(:markdown) do
+            <<-MARKDOWN.strip_heredoc
+              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+            MARKDOWN
+          end
+
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          end
+        end
+      end
+
+      context "with HTML embed code for SlideShare" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        end
+      end
+
+      context "with HTML embed code for GoogleSlide" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        end
+      end
+
+      context "with HTML embed code for SpeekerDeck" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+            HTML
+          end
+        else
+          it "forces async attribute on script" do
+            should eq <<-HTML.strip_heredoc
+              <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+            HTML
+          end
+        end
+      end
+
       context "with embed code for Tweet" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
@@ -1422,6 +1598,34 @@ describe Qiita::Markdown::Processor do
           HTML
         end
       end
+
+      context "with embed script code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
+
+      context "with embed iframe code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
     end
 
     context "without script and strict context" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.28.0
+  version: 0.33.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-21 00:00:00.000000000 Z
+date: 2021-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
 - !ruby/object:Gem::Dependency
   name: sanitize
   requirement: !ruby/object:Gem::Requirement
@@ -258,7 +258,12 @@ files:
 - lib/qiita/markdown/base_processor.rb
 - lib/qiita/markdown/embed/asciinema.rb
 - lib/qiita/markdown/embed/code_pen.rb
+- lib/qiita/markdown/embed/gist.rb
+- lib/qiita/markdown/embed/google_slide.rb
+- lib/qiita/markdown/embed/slide_share.rb
+- lib/qiita/markdown/embed/speeker_deck.rb
 - lib/qiita/markdown/embed/tweet.rb
+- lib/qiita/markdown/embed/youtube.rb
 - lib/qiita/markdown/filters/checkbox.rb
 - lib/qiita/markdown/filters/code_block.rb
 - lib/qiita/markdown/filters/emoji.rb
@@ -281,6 +286,7 @@ files:
 - lib/qiita/markdown/processor.rb
 - lib/qiita/markdown/summary_processor.rb
 - lib/qiita/markdown/transformers/filter_attributes.rb
+- lib/qiita/markdown/transformers/filter_iframe.rb
 - lib/qiita/markdown/transformers/filter_script.rb
 - lib/qiita/markdown/transformers/strip_invalid_node.rb
 - lib/qiita/markdown/version.rb