RubyGems - qiita-markdown - Versions diffs - 0.29.0 → 0.34.0 - Mend

qiita-markdown 0.29.0 → 0.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +21 -0
data/lib/qiita/markdown.rb +0 -1
data/lib/qiita/markdown/transformers/filter_iframe.rb +6 -2
data/lib/qiita/markdown/transformers/filter_script.rb +5 -3
data/lib/qiita/markdown/version.rb +1 -1
data/qiita-markdown.gemspec +1 -1
data/spec/qiita/markdown/processor_spec.rb +114 -32
metadata +4 -5
data/lib/qiita/markdown/embed/gist.rb +0 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba9a61d760c878765f0d56a7b2be4b3d6d9f61eff2d104979ca5af3f0b481e60
-  data.tar.gz: 727b673a4c63a45b633f9b5f7331239cea6ff5cd36b7c3c4655089a096026697
+  metadata.gz: 930ee5ee8bc770b95b918f3cfed4fdac57f133e9e69d0b21fff77cd2506a8fdc
+  data.tar.gz: 87f95cb871e08f94e1e03dd11a14ddd974ee24726b78ae3496bd3629e3b76959
 SHA512:
-  metadata.gz: b3d2c8a721f25fa8010eaee9adcded2321e27eaf35c0092bd165e30d86163bfb872fb17962a5438a5233b0e861f7f1ccbcc3831bd0e924422ce8c46445882c35
-  data.tar.gz: 5c3fdd91f7656e222050921ec233c24f82c81498ac0e8e42b889e1852af34d9bee113bb5134df702536b50d30202532358204828c46a29d5c57b99a42167f2b7
+  metadata.gz: 0ac7943de01ab9b05c990f6ec8abe64d37c780b186da66b30017129f014d7944aa60e437a9466033b2c801dd701fdf6564d30451bc2ece1d6551011ff44d814b
+  data.tar.gz: cb8bd175dcd7aec1685209eca0c51c396a80d686737267155d1815d98546f65d7fa5927cf525cb109ed777a5a92835239f59d46e70f246e8ddb1bd9b8f7ebac5

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,26 @@
 ## Unreleased
+## 0.34.0
+- Delete gist embed rule to avoid XSS
+## 0.33.0
+- Fix XSS possibility bug
+## 0.32.0
+- Fix XSS possibility bug
+- Fix iframe width to be fixed at 100%
+## 0.31.0
+- Use greenmat 3.5.1.1
+## 0.30.0
+- Use greenmat 3.5.1.0
 ## 0.29.0
 - Accept new embeded script and iframes

data/lib/qiita/markdown.rb CHANGED Viewed

@@ -10,7 +10,6 @@ require "sanitize"
 require "qiita/markdown/embed/code_pen"
 require "qiita/markdown/embed/tweet"
 require "qiita/markdown/embed/asciinema"
-require "qiita/markdown/embed/gist"
 require "qiita/markdown/embed/youtube"
 require "qiita/markdown/embed/slide_share"
 require "qiita/markdown/embed/google_slide"

data/lib/qiita/markdown/transformers/filter_iframe.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module Qiita
         def transform
           if name == "iframe"
             if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
+              node["width"] = "100%"
               node.children.unlink
             else
               node.unlink
@@ -40,8 +41,11 @@ module Qiita
         end
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/transformers/filter_script.rb CHANGED Viewed

@@ -10,7 +10,6 @@ module Qiita
         HOST_WHITE_LIST = [
           Embed::Asciinema::SCRIPT_HOST,
-          Embed::Gist::SCRIPT_HOST,
         ].flatten.freeze
         def self.call(*args)
@@ -43,8 +42,11 @@ module Qiita
         end
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.29.0"
+    VERSION = "0.34.0"
   end
 end

data/qiita-markdown.gemspec CHANGED Viewed

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "html-pipeline", "~> 2.0"
   spec.add_dependency "mem"
   spec.add_dependency "pygments.rb", "~> 1.0"
-  spec.add_dependency "greenmat", "3.2.2.4"
+  spec.add_dependency "greenmat", "3.5.1.1"
   spec.add_dependency "sanitize"
   spec.add_dependency "addressable"
   spec.add_development_dependency "activesupport", "4.2.6"

data/spec/qiita/markdown/processor_spec.rb CHANGED Viewed

@@ -740,7 +740,7 @@ describe Qiita::Markdown::Processor do
         it "generates footnotes elements" do
           should eq <<-HTML.strip_heredoc
-            <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
+            <p><sup id="fnref1"><a href="#fn1" title="test">1</a></sup></p>
             <div class="footnotes">
             <hr>
@@ -756,6 +756,25 @@ describe Qiita::Markdown::Processor do
         end
       end
+      context "with footenotes syntax with code block" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            ```
+            [^1]
+            [^1]: test
+            ```
+          MARKDOWN
+        end
+        it "generates only code blocks without footnotes" do
+          should eq <<-HTML.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>[^1]
+            [^1]: test
+            </pre></div></div>
+          HTML
+        end
+      end
       context "with manually written link inside of <sup> tag" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
@@ -1031,6 +1050,31 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+      context "with details tag" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <details><summary>Folding sample</summary><div>
+            ```rb
+            puts "Hello, World"
+            ```
+            </div></details>
+          MARKDOWN
+        end
+        it "returns HTML output parsed as markdown" do
+          expect(subject).to eq <<-HTML.strip_heredoc
+            <p><details><summary>Folding sample</summary><div>
+            <div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
+            </pre></div></div>
+            <p></p>
+            </div></details></p>
+          HTML
+        end
+      end
     end
     shared_examples_for "script element" do |allowed:|
@@ -1407,40 +1451,26 @@ describe Qiita::Markdown::Processor do
         end
       end
-      context "with HTML embed code for Gist" do
+      context "with HTML embed code for Youtube" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
-            <script id="example" src="https://gist.github.com/a/example.js"></script>
+            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
           MARKDOWN
         end
         if allowed
           it "does not sanitize embed code" do
             should eq <<-HTML.strip_heredoc
-              <script id="example" src="https://gist.github.com/a/example.js"></script>
+              <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
             HTML
           end
         else
-          it "forces async attribute on script" do
+          it "forces width attribute on iframe" do
             should eq <<-HTML.strip_heredoc
-              <script id="example" src="https://gist.github.com/a/example.js" async="async"></script>
+              <iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
             HTML
           end
         end
-      end
-      context "with HTML embed code for Youtube" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          MARKDOWN
-        end
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          HTML
-        end
         context "when url is privacy enhanced mode" do
           let(:markdown) do
@@ -1449,10 +1479,18 @@ describe Qiita::Markdown::Processor do
             MARKDOWN
           end
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
-            HTML
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
           end
         end
       end
@@ -1464,10 +1502,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
         end
       end
@@ -1478,10 +1524,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
         end
       end
@@ -1522,6 +1576,34 @@ describe Qiita::Markdown::Processor do
           HTML
         end
       end
+      context "with embed script code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
+      context "with embed iframe code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
     end
     context "without script and strict context" do

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.29.0
+  version: 0.34.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-10 00:00:00.000000000 Z
+date: 2021-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
 - !ruby/object:Gem::Dependency
   name: sanitize
   requirement: !ruby/object:Gem::Requirement
@@ -258,7 +258,6 @@ files:
 - lib/qiita/markdown/base_processor.rb
 - lib/qiita/markdown/embed/asciinema.rb
 - lib/qiita/markdown/embed/code_pen.rb
-- lib/qiita/markdown/embed/gist.rb
 - lib/qiita/markdown/embed/google_slide.rb
 - lib/qiita/markdown/embed/slide_share.rb
 - lib/qiita/markdown/embed/speeker_deck.rb

data/lib/qiita/markdown/embed/gist.rb DELETED Viewed

@@ -1,9 +0,0 @@
-module Qiita
-  module Markdown
-    module Embed
-      module Gist
-        SCRIPT_HOST = "gist.github.com".freeze
-      end
-    end
-  end
-end