qiita-markdown 0.30.0 → 0.35.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42cc63e59c291528b6941557bab180be94412a558f0c24870542ea77527fad9f
-  data.tar.gz: b777d78995b04138e71ece8dec23ef25b186264592edadbf9269aa5a782931bc
+  metadata.gz: 23da6f6f9b37dafcbe18164c13d4531998cfca14e0891801b4e8a1fdab6d625c
+  data.tar.gz: 620e9a413d9d0649511a883d40c4a398260f739a2c01774645d1e717421d54f5
 SHA512:
-  metadata.gz: 9c3bd31ede849e9e75d07527de512df7dbe4f4ce3d72bc0e2de82820ce83324c5f4f9473672b3ee35e4e7f4136d613d033f225e95e30318e61deed43757b6aea
-  data.tar.gz: aed9e848764dad909246821c8e30074c7317496fcfe5dd89fb374d693e39c43da0a4c71e957d3f6764cb89199d27ac2e17c161abda8aeb0333568f96d2644475
+  metadata.gz: f2cfa06b888dd9e08a22a88b822a7a280afec1289c1f9f3833c64692e37edc3b637c26739ab1f607c2e4cab1da1559510bc7a63836e462dc3c4dcc81f4da8343
+  data.tar.gz: 125ff10aa432f848e8c790f497f2467f1f825431b1cdeed1a085f14da230fdc5800c752a64b86f90d5e4acf36fc4f4c8b9e2efd30f808cee6ac713b32ffc0b01

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 ## Unreleased
 
+## 0.35.0
+
+- Allow Relative URL in iframe src attributes
+
+## 0.34.0
+
+- Delete gist embed rule to avoid XSS
+
+## 0.33.0
+
+- Fix XSS possibility bug
+
+## 0.32.0
+
+- Fix XSS possibility bug
+- Fix iframe width to be fixed at 100%
+
+## 0.31.0
+
+- Use greenmat 3.5.1.1
+
 ## 0.30.0
 
 - Use greenmat 3.5.1.0

data/lib/qiita/markdown.rb

@@ -10,7 +10,6 @@ require "sanitize"
 require "qiita/markdown/embed/code_pen"
 require "qiita/markdown/embed/tweet"
 require "qiita/markdown/embed/asciinema"
-require "qiita/markdown/embed/gist"
 require "qiita/markdown/embed/youtube"
 require "qiita/markdown/embed/slide_share"
 require "qiita/markdown/embed/google_slide"

data/lib/qiita/markdown/transformers/filter_iframe.rb

@@ -22,6 +22,7 @@ module Qiita
         def transform
           if name == "iframe"
             if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
+              node["width"] = "100%"
               node.children.unlink
             else
               node.unlink
@@ -40,8 +41,11 @@ module Qiita
         end
 
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https", nil].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/transformers/filter_script.rb

@@ -10,7 +10,6 @@ module Qiita
 
         HOST_WHITE_LIST = [
           Embed::Asciinema::SCRIPT_HOST,
-          Embed::Gist::SCRIPT_HOST,
         ].flatten.freeze
 
         def self.call(*args)
@@ -43,8 +42,11 @@ module Qiita
         end
 
         def host_of(url)
-          Addressable::URI.parse(url).host if url
-        rescue Addressable::URI::InvalidURIError
+          if url
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+          end
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

data/lib/qiita/markdown/version.rb

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.30.0"
+    VERSION = "0.35.0"
   end
 end

data/qiita-markdown.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "html-pipeline", "~> 2.0"
   spec.add_dependency "mem"
   spec.add_dependency "pygments.rb", "~> 1.0"
-  spec.add_dependency "greenmat", "3.5.1.0"
+  spec.add_dependency "greenmat", "3.5.1.1"
   spec.add_dependency "sanitize"
   spec.add_dependency "addressable"
   spec.add_development_dependency "activesupport", "4.2.6"

data/spec/qiita/markdown/processor_spec.rb

@@ -1050,6 +1050,31 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with details tag" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <details><summary>Folding sample</summary><div>
+
+            ```rb
+            puts "Hello, World"
+            ```
+            </div></details>
+          MARKDOWN
+        end
+
+        it "returns HTML output parsed as markdown" do
+          expect(subject).to eq <<-HTML.strip_heredoc
+            <p><details><summary>Folding sample</summary><div>
+
+            <div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
+            </pre></div></div>
+
+            <p></p>
+            </div></details></p>
+          HTML
+        end
+      end
     end
 
     shared_examples_for "script element" do |allowed:|
@@ -1119,12 +1144,13 @@ describe Qiita::Markdown::Processor do
     end
 
     shared_examples_for "iframe element" do |allowed:|
-      context "with iframe" do
+      shared_examples "iframe element example" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
-            <iframe width="1" height="2" src="//example.com" frameborder="0" allowfullscreen></iframe>
+            <iframe width="1" height="2" src="#{url}" frameborder="0" allowfullscreen></iframe>
           MARKDOWN
         end
+        let(:url) { "#{scheme}//example.com" }
 
         if allowed
           it "allows iframe with some attributes" do
@@ -1136,6 +1162,20 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with iframe" do
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "iframe element example"
+        end
+
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "iframe element example"
+        end
+      end
     end
 
     shared_examples_for "input element" do |allowed:|
@@ -1426,81 +1466,137 @@ describe Qiita::Markdown::Processor do
         end
       end
 
-      context "with HTML embed code for Gist" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <script id="example" src="https://gist.github.com/a/example.js"></script>
-          MARKDOWN
-        end
+      context "with HTML embed code for Youtube" do
+        shared_examples "embed code youtube example" do
+          let(:markdown) do
+            <<-MARKDOWN.strip_heredoc
+              <iframe width="100" height="100" src="#{url}"></iframe>
+            MARKDOWN
+          end
+          let(:url) { "#{scheme}//www.youtube.com/embed/example" }
 
-        if allowed
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <script id="example" src="https://gist.github.com/a/example.js"></script>
-            HTML
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="#{url}"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="#{url}"></iframe>
+              HTML
+            end
           end
-        else
-          it "forces async attribute on script" do
-            should eq <<-HTML.strip_heredoc
-              <script id="example" src="https://gist.github.com/a/example.js" async="async"></script>
-            HTML
+
+          context "when url is privacy enhanced mode" do
+            let(:markdown) do
+              <<-MARKDOWN.strip_heredoc
+                <iframe width="100" height="100" src="#{url}"></iframe>
+              MARKDOWN
+            end
+            let(:url) { "#{scheme}//www.youtube-nocookie.com/embed/example" }
+
+            if allowed
+              it "does not sanitize embed code" do
+                should eq <<-HTML.strip_heredoc
+                  <iframe width="100" height="100" src="#{url}"></iframe>
+                HTML
+              end
+            else
+              it "forces width attribute on iframe" do
+                should eq <<-HTML.strip_heredoc
+                  <iframe width="100%" height="100" src="#{url}"></iframe>
+                HTML
+              end
+            end
           end
         end
-      end
 
-      context "with HTML embed code for Youtube" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          MARKDOWN
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "embed code youtube example"
         end
 
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          HTML
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "embed code youtube example"
         end
+      end
 
-        context "when url is privacy enhanced mode" do
+      context "with HTML embed code for SlideShare" do
+        shared_examples "embed code slideshare example" do
           let(:markdown) do
             <<-MARKDOWN.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              <iframe width="100" height="100" src="#{url}"></iframe>
             MARKDOWN
           end
+          let(:url) { "#{scheme}//www.slideshare.net/embed/example" }
 
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
-            HTML
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="#{url}"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="#{url}"></iframe>
+              HTML
+            end
           end
         end
-      end
 
-      context "with HTML embed code for SlideShare" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-          MARKDOWN
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "embed code slideshare example"
         end
 
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-          HTML
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "embed code slideshare example"
         end
       end
 
       context "with HTML embed code for GoogleSlide" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
-          MARKDOWN
+        shared_examples "embed code googleslide example" do
+          let(:markdown) do
+            <<-MARKDOWN.strip_heredoc
+            <iframe src="#{url}" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+            MARKDOWN
+          end
+          let(:url) { "#{scheme}//docs.google.com/presentation/d/example/embed" }
+
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+              <iframe src="#{url}" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+              <iframe src="#{url}" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+              HTML
+            end
+          end
         end
 
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
-          HTML
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "embed code googleslide example"
+        end
+
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "embed code googleslide example"
         end
       end
 
@@ -1541,6 +1637,44 @@ describe Qiita::Markdown::Processor do
           HTML
         end
       end
+
+      context "with embed script code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq markdown
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq "\n"
+          end
+        end
+      end
+
+      context "with embed iframe code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq "\n"
+          end
+        end
+      end
     end
 
     context "without script and strict context" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.30.0
+  version: 0.35.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-18 00:00:00.000000000 Z
+date: 2021-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.5.1.0
+        version: 3.5.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.5.1.0
+        version: 3.5.1.1
 - !ruby/object:Gem::Dependency
   name: sanitize
   requirement: !ruby/object:Gem::Requirement
@@ -258,7 +258,6 @@ files:
 - lib/qiita/markdown/base_processor.rb
 - lib/qiita/markdown/embed/asciinema.rb
 - lib/qiita/markdown/embed/code_pen.rb
-- lib/qiita/markdown/embed/gist.rb
 - lib/qiita/markdown/embed/google_slide.rb
 - lib/qiita/markdown/embed/slide_share.rb
 - lib/qiita/markdown/embed/speeker_deck.rb

data/lib/qiita/markdown/embed/gist.rb

@@ -1,9 +0,0 @@
-module Qiita
-  module Markdown
-    module Embed
-      module Gist
-        SCRIPT_HOST = "gist.github.com".freeze
-      end
-    end
-  end
-end