Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Backport CVE-2024-34341 fixes to v1.3 #1153

Merged
merged 2 commits into from
May 15, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
bundler-cache: true
- uses: actions/setup-node@v2-beta
with:
node-version: 11
node-version: 16
- uses: actions/cache@v2
with:
path: test/node_modules
Expand Down
2 changes: 1 addition & 1 deletion .ruby-version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
2.3.4
2.7.6
73 changes: 42 additions & 31 deletions Gemfile.lock
Original file line number Diff line number Diff line change
@@ -1,61 +1,70 @@
GEM
remote: https://rubygems.org/
specs:
activesupport (5.0.0.1)
activesupport (7.1.3.2)
base64
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (~> 0.7)
minitest (~> 5.1)
tzinfo (~> 1.1)
connection_pool (>= 2.2.5)
drb
i18n (>= 1.6, < 2)
minitest (>= 5.1)
mutex_m
tzinfo (~> 2.0)
addressable (2.4.0)
blade (0.7.0)
base64 (0.2.0)
bigdecimal (3.1.8)
blade (0.7.3)
activesupport (>= 3.0.0)
blade-qunit_adapter (~> 2.0.1)
blade-qunit_adapter (>= 2.0.1)
coffee-script
coffee-script-source
curses (~> 1.0.0)
curses (>= 1.4.0)
eventmachine
faye
sprockets (>= 3.0)
thin (>= 1.6.0)
thor (~> 0.19.1)
useragent (~> 0.16.7)
thor (>= 0.19.1)
useragent (>= 0.16.7)
blade-qunit_adapter (2.0.1)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.9.3)
concurrent-ruby (1.0.2)
cookiejar (0.3.3)
curses (1.0.2)
daemons (1.2.4)
connection_pool (2.4.1)
cookiejar (0.3.4)
curses (1.4.5)
daemons (1.4.1)
descendants_tracker (0.0.4)
thread_safe (~> 0.3, >= 0.3.1)
drb (2.2.1)
eco (1.0.0)
coffee-script
eco-source
execjs
eco-source (1.1.0.rc.1)
em-http-request (1.1.5)
em-http-request (1.1.7)
addressable (>= 2.3.4)
cookiejar (!= 0.3.1)
em-socksify (>= 0.3)
eventmachine (>= 1.0.3)
http_parser.rb (>= 0.6.0)
em-socksify (0.3.1)
em-socksify (0.3.2)
eventmachine (>= 1.0.0.beta.4)
eventmachine (1.2.1)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.9.2)
multipart-post (>= 1.2, < 3)
faye (1.2.3)
faye (1.4.0)
cookiejar (>= 0.3.0)
em-http-request (>= 0.3.0)
em-http-request (>= 1.1.6)
eventmachine (>= 0.12.0)
faye-websocket (>= 0.9.1)
faye-websocket (>= 0.11.0)
multi_json (>= 1.0.0)
rack (>= 1.0.0)
websocket-driver (>= 0.5.1)
faye-websocket (0.10.5)
faye-websocket (0.11.3)
eventmachine (>= 0.12.0)
websocket-driver (>= 0.5.1)
github_api (0.13.1)
Expand All @@ -66,14 +75,16 @@ GEM
multi_json (>= 1.7.5, < 2.0)
oauth2
hashie (3.5.6)
http_parser.rb (0.6.0)
i18n (0.7.0)
json (2.0.2)
http_parser.rb (0.8.0)
i18n (1.14.5)
concurrent-ruby (~> 1.0)
json (2.7.2)
jwt (1.5.6)
minitest (5.9.1)
minitest (5.22.3)
multi_json (1.12.1)
multi_xml (0.6.0)
multipart-post (2.0.0)
mutex_m (0.2.0)
oauth2 (1.4.0)
faraday (>= 0.8, < 0.13)
jwt (~> 1.0)
Expand All @@ -87,21 +98,21 @@ GEM
rack (> 1, < 3)
sprockets-export (1.0.0)
sprockets-svgo (0.2.0)
thin (1.7.0)
thin (1.8.2)
daemons (~> 1.0, >= 1.0.9)
eventmachine (~> 1.0, >= 1.0.4)
rack (>= 1, < 3)
thor (0.19.4)
thor (1.3.1)
thread_safe (0.3.5)
tzinfo (1.2.2)
thread_safe (~> 0.1)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
uglifier (2.5.1)
execjs (>= 0.3.0)
json (>= 1.8.0)
useragent (0.16.8)
websocket-driver (0.6.4)
useragent (0.16.10)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.2)
websocket-extensions (0.1.5)

PLATFORMS
ruby
Expand All @@ -119,4 +130,4 @@ DEPENDENCIES
uglifier

BUNDLED WITH
1.16.1
2.3.8
7 changes: 6 additions & 1 deletion src/trix/models/html_parser.coffee
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject

parseTrixDataAttribute = (element, name) ->
try
JSON.parse(element.getAttribute("data-trix-#{name}"))
data = JSON.parse(element.getAttribute("data-trix-#{name}"))

if data.contentType == "text/html" and data.content
data.content = HTMLSanitizer.sanitize(data.content).getHTML()

data
catch
{}

Expand Down
2 changes: 1 addition & 1 deletion src/trix/models/html_sanitizer.coffee
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
class Trix.HTMLSanitizer extends Trix.BasicObject
DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")

@sanitize: (html, options) ->
sanitizer = new this html, options
Expand Down
55 changes: 12 additions & 43 deletions test/karma.conf.js
Original file line number Diff line number Diff line change
Expand Up @@ -32,72 +32,41 @@ if (process.env.CI) {
sl_chrome_latest: {
base: "SauceLabs",
browserName: "chrome",
platform: "Windows 10",
version: "latest"
},
sl_firefox_latest: {
base: "SauceLabs",
browserName: "firefox",
platform: "Windows 10",
version: "latest"
},
sl_safari_previous: {
sl_chrome_latest_i8n: {
base: "SauceLabs",
browserName: "safari",
platform: "macOS 10.13",
version: "latest-1"
browserName: "chrome",
version: "latest",
chromeOptions: {
args: [ "--lang=tr" ]
}
},
sl_safari_latest: {
sl_safari_12_1: {
base: "SauceLabs",
browserName: "safari",
platform: "macOS 10.13",
version: "latest"
},
sl_edge_previous: {
base: "SauceLabs",
browserName: "microsoftedge",
platform: "Windows 10",
version: "17.17134"
version: "12.1"
},
sl_edge_latest: {
base: "SauceLabs",
browserName: "microsoftedge",
platform: "Windows 10",
version: "18.17763"
},
sl_ie_11: {
base: "SauceLabs",
browserName: "internet explorer",
platform: "Windows 8.1",
version: "11"
},
sl_ios_previous: {
base: "SauceLabs",
browserName: "safari",
platform: "ios",
device: "iPhone Simulator",
version: "11.3"
},
sl_ios_latest: {
base: "SauceLabs",
browserName: "safari",
platform: "ios",
device: "iPhone Simulator",
version: "12.0"
version: "latest"
},
sl_android_previous: {
sl_android_9: {
base: "SauceLabs",
browserName: "chrome",
platform: "android",
device: "Android GoogleAPI Emulator",
version: "7.1"
version: "9.0"
},
sl_android_latest: {
base: "SauceLabs",
browserName: "chrome",
platform: "android",
device: "Android GoogleAPI Emulator",
version: "8.1"
version: "12.0"
}
}

Expand Down
24 changes: 24 additions & 0 deletions test/src/system/pasting_test.coffee
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,30 @@ testGroup "Pasting", template: "editor_empty", ->
delete window.unsanitized
done()

test "paste unsafe html with noscript", (done) ->
window.unsanitized = []
pasteData =
"text/plain": "x",
"text/html": "<div><noscript><div class=\"123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//\"></div></noscript></div>"

pasteContent pasteData, () ->
after 20, () ->
assert.deepEqual(window.unsanitized, [])
delete window.unsanitized
done()

test "paste data-trix-attachment unsafe html", (done) ->
window.unsanitized = []
pasteData =
"text/plain": "x",
"text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"

pasteContent pasteData, ->
after 20, ->
assert.deepEqual window.unsanitized, []
delete window.unsanitized
done()

test "prefers plain text when html lacks formatting", (expectDocument) ->
pasteData =
"text/html": "<meta charset='utf-8'>a\nb"
Expand Down
Loading