From 5e6c3b9d0e9a06764079bc07c0419b1ebf9183eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=9C=C9=B4=E1=B4=8B=C9=B4=E1=B4=A1=E1=B4=8F=C9=B4?= Date: Mon, 27 Jan 2020 00:18:46 +0800 Subject: [PATCH] api: sanitize raw markdown content (#5907) Fixed a security issue reported by bluebird. --- internal/markup/markdown.go | 3 +-- internal/markup/markup.go | 2 +- internal/route/api/v1/misc/markdown.go | 10 ++++++---- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/internal/markup/markdown.go b/internal/markup/markdown.go index db581a71d..a53800280 100644 --- a/internal/markup/markdown.go +++ b/internal/markup/markdown.go @@ -157,8 +157,7 @@ func RawMarkdown(body []byte, urlPrefix string) []byte { extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK } - body = blackfriday.Markdown(body, renderer, extensions) - return body + return blackfriday.Markdown(body, renderer, extensions) } // Markdown takes a string or []byte and renders to HTML in Markdown syntax with special links. diff --git a/internal/markup/markup.go b/internal/markup/markup.go index e09a0ba6b..1a22daae6 100644 --- a/internal/markup/markup.go +++ b/internal/markup/markup.go @@ -334,7 +334,7 @@ func Detect(filename string) Type { } } -// Render takes a string or []byte and renders to HTML in given type of syntax with special links. +// Render takes a string or []byte and renders to sanitized HTML in given type of syntax with special links. func Render(typ Type, input interface{}, urlPrefix string, metas map[string]string) []byte { var rawBytes []byte switch v := input.(type) { diff --git a/internal/route/api/v1/misc/markdown.go b/internal/route/api/v1/misc/markdown.go index 8731e32b0..cd0ba905e 100644 --- a/internal/route/api/v1/misc/markdown.go +++ b/internal/route/api/v1/misc/markdown.go @@ -20,16 +20,18 @@ func Markdown(c *context.APIContext, form api.MarkdownOption) { } if len(form.Text) == 0 { - c.Write([]byte("")) + _, _ = c.Write([]byte("")) return } + var md []byte switch form.Mode { case "gfm": - c.Write(markup.Markdown([]byte(form.Text), form.Context, nil)) + md = markup.Markdown([]byte(form.Text), form.Context, nil) default: - c.Write(markup.RawMarkdown([]byte(form.Text), "")) + md = markup.SanitizeBytes(markup.RawMarkdown([]byte(form.Text), "")) } + _, _ = c.Write(md) } func MarkdownRaw(c *context.APIContext) { @@ -38,5 +40,5 @@ func MarkdownRaw(c *context.APIContext) { c.Error(http.StatusUnprocessableEntity, "", err) return } - c.Write(markup.RawMarkdown(body, "")) + _, _ = c.Write(markup.SanitizeBytes(markup.RawMarkdown(body, ""))) }