Merge pull request #1153 from basecamp/GHSA-qjqp-xr96-cj99-1-3-backport

Backport CVE-2024-34341 fixes to v1.3
basecamp · May 15, 2024 · 10e8753 · 10e8753
2 parents c97f990 + 80a4d4f
commit 10e8753
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 78 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
  bundler-cache: true
  - uses: actions/setup-node@v2-beta
  with:
- node-version: 11
+ node-version: 16
  - uses: actions/cache@v2
  with:
  path: test/node_modules

diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.3.4
+2.7.6
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,61 +1,70 @@
 GEM
  remote: https://rubygems.org/
  specs:
- activesupport (5.0.0.1)
+ activesupport (7.1.3.2)
+ base64
+ bigdecimal
  concurrent-ruby (~> 1.0, >= 1.0.2)
- i18n (~> 0.7)
- minitest (~> 5.1)
- tzinfo (~> 1.1)
+ connection_pool (>= 2.2.5)
+ drb
+ i18n (>= 1.6, < 2)
+ minitest (>= 5.1)
+ mutex_m
+ tzinfo (~> 2.0)
  addressable (2.4.0)
- blade (0.7.0)
+ base64 (0.2.0)
+ bigdecimal (3.1.8)
+ blade (0.7.3)
  activesupport (>= 3.0.0)
- blade-qunit_adapter (~> 2.0.1)
+ blade-qunit_adapter (>= 2.0.1)
  coffee-script
  coffee-script-source
- curses (~> 1.0.0)
+ curses (>= 1.4.0)
  eventmachine
  faye
  sprockets (>= 3.0)
  thin (>= 1.6.0)
- thor (~> 0.19.1)
- useragent (~> 0.16.7)
+ thor (>= 0.19.1)
+ useragent (>= 0.16.7)
  blade-qunit_adapter (2.0.1)
  coffee-script (2.4.1)
  coffee-script-source
  execjs
  coffee-script-source (1.9.3)
  concurrent-ruby (1.0.2)
- cookiejar (0.3.3)
- curses (1.0.2)
- daemons (1.2.4)
+ connection_pool (2.4.1)
+ cookiejar (0.3.4)
+ curses (1.4.5)
+ daemons (1.4.1)
  descendants_tracker (0.0.4)
  thread_safe (~> 0.3, >= 0.3.1)
+ drb (2.2.1)
  eco (1.0.0)
  coffee-script
  eco-source
  execjs
  eco-source (1.1.0.rc.1)
- em-http-request (1.1.5)
+ em-http-request (1.1.7)
  addressable (>= 2.3.4)
  cookiejar (!= 0.3.1)
  em-socksify (>= 0.3)
  eventmachine (>= 1.0.3)
  http_parser.rb (>= 0.6.0)
- em-socksify (0.3.1)
+ em-socksify (0.3.2)
  eventmachine (>= 1.0.0.beta.4)
- eventmachine (1.2.1)
+ eventmachine (1.2.7)
  execjs (2.7.0)
  faraday (0.9.2)
  multipart-post (>= 1.2, < 3)
- faye (1.2.3)
+ faye (1.4.0)
  cookiejar (>= 0.3.0)
- em-http-request (>= 0.3.0)
+ em-http-request (>= 1.1.6)
  eventmachine (>= 0.12.0)
- faye-websocket (>= 0.9.1)
+ faye-websocket (>= 0.11.0)
  multi_json (>= 1.0.0)
  rack (>= 1.0.0)
  websocket-driver (>= 0.5.1)
- faye-websocket (0.10.5)
+ faye-websocket (0.11.3)
  eventmachine (>= 0.12.0)
  websocket-driver (>= 0.5.1)
  github_api (0.13.1)
@@ -66,14 +75,16 @@ GEM
  multi_json (>= 1.7.5, < 2.0)
  oauth2
  hashie (3.5.6)
- http_parser.rb (0.6.0)
- i18n (0.7.0)
- json (2.0.2)
+ http_parser.rb (0.8.0)
+ i18n (1.14.5)
+ concurrent-ruby (~> 1.0)
+ json (2.7.2)
  jwt (1.5.6)
- minitest (5.9.1)
+ minitest (5.22.3)
  multi_json (1.12.1)
  multi_xml (0.6.0)
  multipart-post (2.0.0)
+ mutex_m (0.2.0)
  oauth2 (1.4.0)
  faraday (>= 0.8, < 0.13)
  jwt (~> 1.0)
@@ -87,21 +98,21 @@ GEM
  rack (> 1, < 3)
  sprockets-export (1.0.0)
  sprockets-svgo (0.2.0)
- thin (1.7.0)
+ thin (1.8.2)
  daemons (~> 1.0, >= 1.0.9)
  eventmachine (~> 1.0, >= 1.0.4)
  rack (>= 1, < 3)
- thor (0.19.4)
+ thor (1.3.1)
  thread_safe (0.3.5)
- tzinfo (1.2.2)
- thread_safe (~> 0.1)
+ tzinfo (2.0.6)
+ concurrent-ruby (~> 1.0)
  uglifier (2.5.1)
  execjs (>= 0.3.0)
  json (>= 1.8.0)
- useragent (0.16.8)
- websocket-driver (0.6.4)
+ useragent (0.16.10)
+ websocket-driver (0.7.6)
  websocket-extensions (>= 0.1.0)
- websocket-extensions (0.1.2)
+ websocket-extensions (0.1.5)
 
 PLATFORMS
  ruby
@@ -119,4 +130,4 @@ DEPENDENCIES
  uglifier
 
 BUNDLED WITH
- 1.16.1
+ 2.3.8
diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee
@@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject
 
  parseTrixDataAttribute = (element, name) ->
  try
- JSON.parse(element.getAttribute("data-trix-#{name}"))
+ data = JSON.parse(element.getAttribute("data-trix-#{name}"))
+
+ if data.contentType == "text/html" and data.content
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+
+ data
  catch
  {}
 

diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
@@ -3,7 +3,7 @@
 class Trix.HTMLSanitizer extends Trix.BasicObject
  DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
  DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
- DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
+ DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
 
  @sanitize: (html, options) ->
  sanitizer = new this html, options

diff --git a/test/karma.conf.js b/test/karma.conf.js
@@ -32,72 +32,41 @@ if (process.env.CI) {
  sl_chrome_latest: {
  base: "SauceLabs",
  browserName: "chrome",
- platform: "Windows 10",
- version: "latest"
- },
- sl_firefox_latest: {
- base: "SauceLabs",
- browserName: "firefox",
- platform: "Windows 10",
  version: "latest"
  },
- sl_safari_previous: {
+ sl_chrome_latest_i8n: {
  base: "SauceLabs",
- browserName: "safari",
- platform: "macOS 10.13",
- version: "latest-1"
+ browserName: "chrome",
+ version: "latest",
+ chromeOptions: {
+ args: [ "--lang=tr" ]
+ }
  },
- sl_safari_latest: {
+ sl_safari_12_1: {
  base: "SauceLabs",
  browserName: "safari",
  platform: "macOS 10.13",
- version: "latest"
- },
- sl_edge_previous: {
- base: "SauceLabs",
- browserName: "microsoftedge",
- platform: "Windows 10",
- version: "17.17134"
+ version: "12.1"
  },
  sl_edge_latest: {
  base: "SauceLabs",
  browserName: "microsoftedge",
  platform: "Windows 10",
- version: "18.17763"
- },
- sl_ie_11: {
- base: "SauceLabs",
- browserName: "internet explorer",
- platform: "Windows 8.1",
- version: "11"
- },
- sl_ios_previous: {
- base: "SauceLabs",
- browserName: "safari",
- platform: "ios",
- device: "iPhone Simulator",
- version: "11.3"
- },
- sl_ios_latest: {
- base: "SauceLabs",
- browserName: "safari",
- platform: "ios",
- device: "iPhone Simulator",
- version: "12.0"
+ version: "latest"
  },
- sl_android_previous: {
+ sl_android_9: {
  base: "SauceLabs",
  browserName: "chrome",
  platform: "android",
  device: "Android GoogleAPI Emulator",
- version: "7.1"
+ version: "9.0"
  },
  sl_android_latest: {
  base: "SauceLabs",
  browserName: "chrome",
  platform: "android",
  device: "Android GoogleAPI Emulator",
- version: "8.1"
+ version: "12.0"
  }
  }
 

diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
@@ -53,6 +53,30 @@ testGroup "Pasting", template: "editor_empty", ->
  delete window.unsanitized
  done()
 
+ test "paste unsafe html with noscript", (done) ->
+ window.unsanitized = []
+ pasteData =
+ "text/plain": "x",
+ "text/html": "<div><noscript><div class=\"123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//\"></div></noscript></div>"
+
+ pasteContent pasteData, () ->
+ after 20, () ->
+ assert.deepEqual(window.unsanitized, [])
+ delete window.unsanitized
+ done()
+
+ test "paste data-trix-attachment unsafe html", (done) ->
+ window.unsanitized = []
+ pasteData =
+ "text/plain": "x",
+ "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"
+
+ pasteContent pasteData, ->
+ after 20, ->
+ assert.deepEqual window.unsanitized, []
+ delete window.unsanitized
+ done()
+
  test "prefers plain text when html lacks formatting", (expectDocument) ->
  pasteData =
  "text/html": "<meta charset='utf-8'>a\nb"