qiita-markdown 0.31.0 → 0.32.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6dc488d1b11fcc036257f3af15d078c4c708fa5f53a0532fc441827e0a48ab8b
-  data.tar.gz: 540af5a59e96989cc6c5b4fc890803b91011ab9acb7b16f81e32c405406cebf8
+  metadata.gz: 1e3469d19ed195eb7a7ccdeeedaa1503154a262893c882768834c8636fad0ae7
+  data.tar.gz: 3b9fec449730dcf1f19ec3d84247a7b1d89e1f785e9b52eace389cedfb9045c3
 SHA512:
-  metadata.gz: add793f489cec5f024e8781afce29073996de60de601d7d4d2da941e06a6679f39b73a9aad317303b51fd78a3607c538a444c340e8314339cf89b9281e9f3cee
-  data.tar.gz: c56d7ff646cd8fb9c16d936199367d6a73c1be1c0e4a22734c8567aed6ab0b2789493537f05e7076dc7c5a6e1def4ce0d9d4bd4e41e1226d75b56756dfe8a968
+  metadata.gz: cab8938cb167a8c41d6b68478f562f87e5c06a6f412c4f4e0b12c9450cb7506c380eb9ab7ef3ae73eca991d50bbb1da8d5d3e5da4a0e7fdece14ebea15053e1f
+  data.tar.gz: 5e74b4610be3b012d1cd381ecc5e3efc41f581da095ae3a6d5836dc3b62297c7d7deac6d0e93d1c32d84385baea699bfff6f804e1f5924539b3468703d01cd94

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 ## Unreleased
 
+## 0.32.0
+
+- Fixed XSS possibility bug
+- Fix iframe width to be fixed at 100%
+
 ## 0.31.0
 
 - Use greenmat 3.5.1.1

data/lib/qiita/markdown/transformers/filter_iframe.rb

@@ -22,6 +22,7 @@ module Qiita
         def transform
           if name == "iframe"
             if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
+              node["width"] = "100%"
               node.children.unlink
             else
               node.unlink
@@ -40,7 +41,10 @@ module Qiita
         end
 
         def host_of(url)
-          Addressable::URI.parse(url).host if url
+          if url
+            port = URI.parse(url).port
+            Addressable::URI.parse(url).host if [443, 80].include? port
+          end
         rescue Addressable::URI::InvalidURIError
           nil
         end

data/lib/qiita/markdown/transformers/filter_script.rb

@@ -43,7 +43,10 @@ module Qiita
         end
 
         def host_of(url)
-          Addressable::URI.parse(url).host if url
+          if url
+            port = URI.parse(url).port
+            Addressable::URI.parse(url).host if [443, 80].include? port
+          end
         rescue Addressable::URI::InvalidURIError
           nil
         end

data/lib/qiita/markdown/version.rb

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.31.0"
+    VERSION = "0.32.0"
   end
 end

data/spec/qiita/markdown/processor_spec.rb

@@ -1480,10 +1480,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
 
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
+            HTML
+          end
         end
 
         context "when url is privacy enhanced mode" do
@@ -1493,10 +1501,18 @@ describe Qiita::Markdown::Processor do
             MARKDOWN
           end
 
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
-            HTML
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
           end
         end
       end
@@ -1508,10 +1524,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
 
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
         end
       end
 
@@ -1522,10 +1546,18 @@ describe Qiita::Markdown::Processor do
           MARKDOWN
         end
 
-        it "does not sanitize embed code" do
-          should eq <<-HTML.strip_heredoc
-            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
-          HTML
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
         end
       end
 
@@ -1566,6 +1598,34 @@ describe Qiita::Markdown::Processor do
           HTML
         end
       end
+
+      context "with embed script code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
+
+      context "with embed iframe code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="javascript://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
     end
 
     context "without script and strict context" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.31.0
+  version: 0.32.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2021-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji