Basic xss prevention

author Unknwon <joe2010xtmf@163.com>

Sat, 4 Oct 2014 21:15:22 +0000 (17:15 -0400)

committer Unknwon <joe2010xtmf@163.com>

Sat, 4 Oct 2014 21:15:22 +0000 (17:15 -0400)
author Unknwon <joe2010xtmf@163.com>
Sat, 4 Oct 2014 21:15:22 +0000 (17:15 -0400)
committer Unknwon <joe2010xtmf@163.com>
Sat, 4 Oct 2014 21:15:22 +0000 (17:15 -0400)
diff --git a/.gopmfile b/.gopmfile

index 3ba514afc81f4ce29797c90e18ef5ffdf701b208..7b1bf3091edb0917ceb7f26b94e27c51fb6933ad 100644 (file)
--- a/.gopmfile
+++ b/.gopmfile
@@ -24,6 +24,7 @@ github.com/macaron-contrib/session =
  github.com/macaron-contrib/toolbox = commit:57127bcc89
  github.com/mattn/go-sqlite3 = commit:a80c27ba33
  github.com/nfnt/resize = commit:581d15cb53
+github.com/russross/blackfriday = 
  github.com/saintfish/chardet = commit:3af4cd4741
  
  [res]
diff --git a/gogs.go b/gogs.go

index 289ad19123494130940ab452c00687b248594137..12f142aba0e8a6bd84a2139e37bceadc3651aa8d 100644 (file)
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
         "github.com/gogits/gogs/modules/setting"
  )
  
-const APP_VER = "0.5.4.1003 Beta"
+const APP_VER = "0.5.4.1004 Beta"
  
  func init() {
         runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/models/repo.go b/models/repo.go

index a79c2491cede4a7d261db77df986daa8da5d4b54..8e29b3357d8222f8acfb244c58b2f03cec51feb4 100644 (file)
--- a/models/repo.go
+++ b/models/repo.go
@@ -23,6 +23,7 @@ import (
         "github.com/Unknwon/cae/zip"
         "github.com/Unknwon/com"
  
+       "github.com/gogits/gogs/modules/base"
         "github.com/gogits/gogs/modules/git"
         "github.com/gogits/gogs/modules/log"
         "github.com/gogits/gogs/modules/process"
@@ -48,7 +49,7 @@ var (
  )
  
  var (
-       DescriptionPattern = regexp.MustCompile(`https?://\S+`)
+       DescPattern = regexp.MustCompile(`https?://\S+`)
  )
  
  func LoadRepoConfig() {
@@ -181,7 +182,7 @@ func (repo *Repository) DescriptionHtml() template.HTML {
                 ss := html.EscapeString(s)
                 return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
         }
-       return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
+       return template.HTML(DescPattern.ReplaceAllStringFunc(base.XSSString(repo.Description), sanitize))
  }
  
  // IsRepositoryExist returns true if the repository with given name under user has already existed.
diff --git a/modules/base/markdown.go b/modules/base/markdown.go

index a3db15df1a69f58cb00073fee0a6c14729565e00..cb083200998e6c7205c6d106f25eaaad3a484df9 100644 (file)
--- a/modules/base/markdown.go
+++ b/modules/base/markdown.go
@@ -13,7 +13,8 @@ import (
         "regexp"
         "strings"
  
-       "github.com/gogits/gfm"
+       "github.com/russross/blackfriday"
+
         "github.com/gogits/gogs/modules/setting"
  )
  
@@ -74,7 +75,7 @@ func IsReadmeFile(name string) bool {
  }
  
  type CustomRender struct {
-       gfm.Renderer
+       blackfriday.Renderer
         urlPrefix string
  }
  
@@ -154,39 +155,40 @@ func RenderSpecialLink(rawBytes []byte, urlPrefix string) []byte {
  
  func RenderRawMarkdown(body []byte, urlPrefix string) []byte {
         htmlFlags := 0
-       // htmlFlags |= gfm.HTML_USE_XHTML
-       // htmlFlags |= gfm.HTML_USE_SMARTYPANTS
-       // htmlFlags |= gfm.HTML_SMARTYPANTS_FRACTIONS
-       // htmlFlags |= gfm.HTML_SMARTYPANTS_LATEX_DASHES
-       // htmlFlags |= gfm.HTML_SKIP_HTML
-       htmlFlags |= gfm.HTML_SKIP_STYLE
-       htmlFlags |= gfm.HTML_SKIP_SCRIPT
-       htmlFlags |= gfm.HTML_GITHUB_BLOCKCODE
-       htmlFlags |= gfm.HTML_OMIT_CONTENTS
-       // htmlFlags |= gfm.HTML_COMPLETE_PAGE
+       // htmlFlags |= blackfriday.HTML_USE_XHTML
+       // htmlFlags |= blackfriday.HTML_USE_SMARTYPANTS
+       // htmlFlags |= blackfriday.HTML_SMARTYPANTS_FRACTIONS
+       // htmlFlags |= blackfriday.HTML_SMARTYPANTS_LATEX_DASHES
+       // htmlFlags |= blackfriday.HTML_SKIP_HTML
+       htmlFlags |= blackfriday.HTML_SKIP_STYLE
+       // htmlFlags |= blackfriday.HTML_SKIP_SCRIPT
+       // htmlFlags |= blackfriday.HTML_GITHUB_BLOCKCODE
+       htmlFlags |= blackfriday.HTML_OMIT_CONTENTS
+       // htmlFlags |= blackfriday.HTML_COMPLETE_PAGE
         renderer := &CustomRender{
-               Renderer:  gfm.HtmlRenderer(htmlFlags, "", ""),
+               Renderer:  blackfriday.HtmlRenderer(htmlFlags, "", ""),
                 urlPrefix: urlPrefix,
         }
  
         // set up the parser
         extensions := 0
-       extensions |= gfm.EXTENSION_NO_INTRA_EMPHASIS
-       extensions |= gfm.EXTENSION_TABLES
-       extensions |= gfm.EXTENSION_FENCED_CODE
-       extensions |= gfm.EXTENSION_AUTOLINK
-       extensions |= gfm.EXTENSION_STRIKETHROUGH
-       extensions |= gfm.EXTENSION_HARD_LINE_BREAK
-       extensions |= gfm.EXTENSION_SPACE_HEADERS
-       extensions |= gfm.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
-
-       body = gfm.Markdown(body, renderer, extensions)
+       extensions |= blackfriday.EXTENSION_NO_INTRA_EMPHASIS
+       extensions |= blackfriday.EXTENSION_TABLES
+       extensions |= blackfriday.EXTENSION_FENCED_CODE
+       extensions |= blackfriday.EXTENSION_AUTOLINK
+       extensions |= blackfriday.EXTENSION_STRIKETHROUGH
+       extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK
+       extensions |= blackfriday.EXTENSION_SPACE_HEADERS
+       extensions |= blackfriday.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
+
+       body = blackfriday.Markdown(body, renderer, extensions)
         return body
  }
  
  func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
         body := RenderSpecialLink(rawBytes, urlPrefix)
         body = RenderRawMarkdown(body, urlPrefix)
+       body = XSS(body)
         return body
  }
  
diff --git a/modules/base/tool.go b/modules/base/tool.go

index b4083d090fc32ee838f3ff6d6e73937910970ba0..38fd1e21e7cedc10e7d17a0680f2a400b0b8764b 100644 (file)
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -14,6 +14,7 @@ import (
         "hash"
         "html/template"
         "math"
+       "regexp"
         "strings"
         "time"
  
@@ -446,3 +447,29 @@ func DateFormat(t time.Time, format string) string {
         format = replacer.Replace(format)
         return t.Format(format)
  }
+
+type xssFilter struct {
+       reg  *regexp.Regexp
+       repl []byte
+}
+
+var (
+       whiteSpace = []byte(" ")
+       xssFilters = []xssFilter{
+               {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
+               {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
+               {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0&#x0D;]*:`), whiteSpace},
+       }
+)
+
+// XSS goes through all the XSS filters to make user input content as safe as possible.
+func XSS(in []byte) []byte {
+       for _, filter := range xssFilters {
+               in = filter.reg.ReplaceAll(in, filter.repl)
+       }
+       return in
+}
+
+func XSSString(in string) string {
+       return string(XSS([]byte(in)))
+}
diff --git a/templates/.VERSION b/templates/.VERSION

index 24a40ce35805668022bc3d2365592aad64647bd3..776ae02a15269ace9afd18e5d178cc65550b0aaf 100644 (file)
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.5.4.1003 Beta
-\ No newline at end of file
+0.5.4.1004 Beta
+\ No newline at end of file
author	Unknwon <joe2010xtmf@163.com>
	Sat, 4 Oct 2014 21:15:22 +0000 (17:15 -0400)
committer	Unknwon <joe2010xtmf@163.com>
	Sat, 4 Oct 2014 21:15:22 +0000 (17:15 -0400)
.gopmfile		patch \| blob \| history
gogs.go		patch \| blob \| history
models/repo.go		patch \| blob \| history
modules/base/markdown.go		patch \| blob \| history
modules/base/tool.go		patch \| blob \| history
templates/.VERSION		patch \| blob \| history