RubyGems - qiita-markdown - Versions diffs - 0.29.0 → 0.34.0 - Mend

qiita-markdown 0.29.0 → 0.34.0

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +21 -0
data/lib/qiita/markdown.rb +0 -1
data/lib/qiita/markdown/transformers/filter_iframe.rb +6 -2
data/lib/qiita/markdown/transformers/filter_script.rb +5 -3
data/lib/qiita/markdown/version.rb +1 -1
data/qiita-markdown.gemspec +1 -1
data/spec/qiita/markdown/processor_spec.rb +114 -32
metadata +4 -5
data/lib/qiita/markdown/embed/gist.rb +0 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba9a61d760c878765f0d56a7b2be4b3d6d9f61eff2d104979ca5af3f0b481e60
-  data.tar.gz: 727b673a4c63a45b633f9b5f7331239cea6ff5cd36b7c3c4655089a096026697
+  metadata.gz: 930ee5ee8bc770b95b918f3cfed4fdac57f133e9e69d0b21fff77cd2506a8fdc
+  data.tar.gz: 87f95cb871e08f94e1e03dd11a14ddd974ee24726b78ae3496bd3629e3b76959
 SHA512:
-  metadata.gz: b3d2c8a721f25fa8010eaee9adcded2321e27eaf35c0092bd165e30d86163bfb872fb17962a5438a5233b0e861f7f1ccbcc3831bd0e924422ce8c46445882c35
-  data.tar.gz: 5c3fdd91f7656e222050921ec233c24f82c81498ac0e8e42b889e1852af34d9bee113bb5134df702536b50d30202532358204828c46a29d5c57b99a42167f2b7
+  metadata.gz: 0ac7943de01ab9b05c990f6ec8abe64d37c780b186da66b30017129f014d7944aa60e437a9466033b2c801dd701fdf6564d30451bc2ece1d6551011ff44d814b
+  data.tar.gz: cb8bd175dcd7aec1685209eca0c51c396a80d686737267155d1815d98546f65d7fa5927cf525cb109ed777a5a92835239f59d46e70f246e8ddb1bd9b8f7ebac5

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,26 @@
 ## Unreleased
+## 0.34.0
+- Delete gist embed rule to avoid XSS
+## 0.33.0
+- Fix XSS possibility bug
+## 0.32.0
+- Fix XSS possibility bug
+- Fix iframe width to be fixed at 100%
+## 0.31.0
+- Use greenmat 3.5.1.1
+## 0.30.0
+- Use greenmat 3.5.1.0
 ## 0.29.0
 - Accept new embeded script and iframes

data/lib/qiita/markdown.rb CHANGED Viewed

@@ -10,7 +10,6 @@ require "sanitize"
 require "qiita/markdown/embed/code_pen"
 require "qiita/markdown/embed/tweet"
 require "qiita/markdown/embed/asciinema"
-require "qiita/markdown/embed/gist"
 require "qiita/markdown/embed/youtube"
 require "qiita/markdown/embed/slide_share"
 require "qiita/markdown/embed/google_slide"

data/lib/qiita/markdown/transformers/filter_iframe.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module Qiita
         def transform
           if name == "iframe"
             if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
+              node["width"] = "100%"
               node.children.unlink
             else
               node.unlink
@@ -40,8 +41,11 @@ module Qiita
         end
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/transformers/filter_script.rb CHANGED Viewed

@@ -10,7 +10,6 @@ module Qiita
         HOST_WHITE_LIST = [
           Embed::Asciinema::SCRIPT_HOST,
-          Embed::Gist::SCRIPT_HOST,
         ].flatten.freeze
         def self.call(*args)
@@ -43,8 +42,11 @@ module Qiita
         end
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.29.0"
+    VERSION = "0.34.0"
   end
 end

data/qiita-markdown.gemspec CHANGED Viewed

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "html-pipeline", "~> 2.0"
   spec.add_dependency "mem"
   spec.add_dependency "pygments.rb", "~> 1.0"
-  spec.add_dependency "greenmat", "3.2.2.4"
+  spec.add_dependency "greenmat", "3.5.1.1"
   spec.add_dependency "sanitize"
   spec.add_dependency "addressable"
   spec.add_development_dependency "activesupport", "4.2.6"

data/spec/qiita/markdown/processor_spec.rb CHANGED Viewed

@@ -740,7 +740,7 @@ describe Qiita::Markdown::Processor do
         it "generates footnotes elements" do
           should eq <<-HTML.strip_heredoc
-            <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
+            <p><sup id="fnref1"><a href="#fn1" title="test">1</a></sup></p>
             <div class="footnotes">
             <hr>
@@ -756,6 +756,25 @@ describe Qiita::Markdown::Processor do
         end
       end
+      context "with footenotes syntax with code block" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            ```
+            [^1]
+            [^1]: test
+            ```
+          MARKDOWN
+        end
+        it "generates only code blocks without footnotes" do
+          should eq <<-HTML.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>[^1]
+            [^1]: test
+            </pre></div></div>
+          HTML
+        end
+      end
       context "with manually written link inside of <sup> tag" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
@@ -1031,6 +1050,31 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+      context "with details tag" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <details><summary>Folding sample</summary><div>
+            ```rb
+            puts "Hello, World"
+            ```
+            </div></details>
+          MARKDOWN
+        end
+        it "returns HTML output parsed as markdown" do
+          expect(subject).to eq <<-HTML.strip_heredoc
+            <p><details><summary>Folding sample</summary><div>
+            <div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
+            </pre></div></div>
+            <p></p>
+            </div></details></p>
+          HTML
+        end
+      end
     end
     shared_examples_for "script element" do |allowed:|
@@ -1407,40 +1451,26 @@ describe Qiita::Markdown::Processor do
         end
       end
-      context "with HTML embed code for Gist" do
+      context "with HTML embed code for Youtube" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
-            <script id="example" src="https://gist.github.com/a/example.js"></script>
+            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
           MARKDOWN
         end
         if allowed
           it "does not sanitize embed code" do
             should eq <<-HTML.strip_heredoc
-              <script id="example" src="https://gist.github.com/a/example.js"></script>
+              <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
             HTML
           end
         else
-          it "forces async attribute on script" do
+          it "forces width attribute on iframe" do
             should eq <<-HTML.strip_heredoc
-              <script id="example" src="https://gist.github.com/a/example.js" async="async"></script>
+              <iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
             HTML
           end
         end
-      end
-      context "with HTML embed code for Youtube" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          MARKDOWN
-        end
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          HTML
-        end
         context "when url is privacy enhanced mode" do
           let(:markdown) do
@@ -1449,10 +1479,18 @@ describe Qiita::Markdown::Processor do
             MARKDOWN
           end
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
-            HTML
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
           end
         end
       end
@@ -1464,10 +1502,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
         end
       end
@@ -1478,10 +1524,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
         end
       end
@@ -1522,6 +1576,34 @@ describe Qiita::Markdown::Processor do
           HTML
         end
       end
+      context "with embed script code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
+      context "with embed iframe code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
     end
     context "without script and strict context" do

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.29.0
+  version: 0.34.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-10 00:00:00.000000000 Z
+date: 2021-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
 - !ruby/object:Gem::Dependency
   name: sanitize
   requirement: !ruby/object:Gem::Requirement
@@ -258,7 +258,6 @@ files:
 - lib/qiita/markdown/base_processor.rb
 - lib/qiita/markdown/embed/asciinema.rb
 - lib/qiita/markdown/embed/code_pen.rb
-- lib/qiita/markdown/embed/gist.rb
 - lib/qiita/markdown/embed/google_slide.rb
 - lib/qiita/markdown/embed/slide_share.rb
 - lib/qiita/markdown/embed/speeker_deck.rb

data/lib/qiita/markdown/embed/gist.rb DELETED Viewed

@@ -1,9 +0,0 @@
-module Qiita
-  module Markdown
-    module Embed
-      module Gist
-        SCRIPT_HOST = "gist.github.com".freeze
-      end
-    end
-  end
-end