From c27d8c5c22ed63e44d356dbc42e6613fe1f3cdc9 Mon Sep 17 00:00:00 2001 From: Yarden Shoham Date: Fri, 19 May 2023 09:33:33 +0000 Subject: [PATCH 1/4] Add setting to allow all URL schemes and enable it by default Signed-off-by: Yarden Shoham --- custom/conf/app.example.ini | 2 ++ .../doc/administration/config-cheat-sheet.en-us.md | 1 + go.mod | 5 ++--- go.sum | 8 ++++---- modules/markup/sanitizer.go | 9 ++++++++- modules/setting/markup.go | 2 ++ 6 files changed, 19 insertions(+), 8 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 9046f5473447f..a130203a76cd8 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1328,6 +1328,8 @@ ROUTER = console ;; for example git,magnet,ftp (more at https://en.wikipedia.org/wiki/List_of_URI_schemes) ;; URLs starting with http and https are always displayed, whatever is put in this entry. ;CUSTOM_URL_SCHEMES = +;; Boolean indicating if all URL schemes should render as links +;ALLOW_ALL_URL_SCHEMES = true ;; ;; List of file extensions that should be rendered/edited as Markdown ;; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma diff --git a/docs/content/doc/administration/config-cheat-sheet.en-us.md b/docs/content/doc/administration/config-cheat-sheet.en-us.md index 5bf5d6fbf9d62..ca4612902450b 100644 --- a/docs/content/doc/administration/config-cheat-sheet.en-us.md +++ b/docs/content/doc/administration/config-cheat-sheet.en-us.md @@ -277,6 +277,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a - `CUSTOM_URL_SCHEMES`: Use a comma separated list (ftp,git,svn) to indicate additional URL hyperlinks to be rendered in Markdown. URLs beginning in http and https are always displayed +- `ALLOW_ALL_URL_SCHEMES`: **true**: Boolean indicating if all URL schemes should render as links - `FILE_EXTENSIONS`: **.md,.markdown,.mdown,.mkd,.livemd**: List of file extensions that should be rendered/edited as Markdown. Separate the extensions with a comma. To render files without any extension as markdown, just put a comma. - `ENABLE_MATH`: **true**: Enables detection of `\(...\)`, `\[...\]`, `$...$` and `$$...$$` blocks as math blocks. diff --git a/go.mod b/go.mod index 24765df181344..93b8052daf86f 100644 --- a/go.mod +++ b/go.mod @@ -76,7 +76,7 @@ require ( github.com/mattn/go-sqlite3 v1.14.16 github.com/meilisearch/meilisearch-go v0.24.0 github.com/mholt/archiver/v3 v3.5.1 - github.com/microcosm-cc/bluemonday v1.0.23 + github.com/microcosm-cc/bluemonday v1.0.24 github.com/minio/minio-go/v7 v7.0.52 github.com/minio/sha256-simd v1.0.0 github.com/msteinert/pam v1.1.0 @@ -109,7 +109,7 @@ require ( github.com/yuin/goldmark-meta v1.1.0 golang.org/x/crypto v0.8.0 golang.org/x/image v0.7.0 - golang.org/x/net v0.9.0 + golang.org/x/net v0.10.0 golang.org/x/oauth2 v0.7.0 golang.org/x/sys v0.8.0 golang.org/x/text v0.9.0 @@ -288,7 +288,6 @@ require ( go.uber.org/zap v1.24.0 // indirect golang.org/x/mod v0.10.0 // indirect golang.org/x/sync v0.2.0 // indirect - golang.org/x/term v0.8.0 // indirect golang.org/x/time v0.3.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect diff --git a/go.sum b/go.sum index 62c01c690af47..8e5b728aac9de 100644 --- a/go.sum +++ b/go.sum @@ -876,8 +876,8 @@ github.com/mholt/acmez v1.1.0 h1:IQ9CGHKOHokorxnffsqDvmmE30mDenO1lptYZ1AYkHY= github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs= github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo= github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= -github.com/microcosm-cc/bluemonday v1.0.23 h1:SMZe2IGa0NuHvnVNAZ+6B38gsTbi5e4sViiWJyDDqFY= -github.com/microcosm-cc/bluemonday v1.0.23/go.mod h1:mN70sk7UkkF8TUr2IGBpNN0jAgStuPzlK76QuruE/z4= +github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw= +github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI= github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= @@ -1418,8 +1418,9 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1543,7 +1544,6 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 600ccbf3c6126..713826cd4885f 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -22,7 +22,10 @@ type Sanitizer struct { init sync.Once } -var sanitizer = &Sanitizer{} +var ( + sanitizer = &Sanitizer{} + allowAllRegex = regexp.MustCompile(".+") +) // NewSanitizer initializes sanitizer with allowed attributes based on settings. // Multiple calls to this function will only create one instance of Sanitizer during @@ -76,6 +79,10 @@ func createDefaultPolicy() *bluemonday.Policy { policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) } + if setting.Markdown.AllowAllURLSchemes { + policy.AllowURLSchemesMatching(allowAllRegex) + } + // Allow classes for anchors policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue( ref-external-issue)?`)).OnElements("a") diff --git a/modules/setting/markup.go b/modules/setting/markup.go index 6c2246342be8e..cbb7c2eef671a 100644 --- a/modules/setting/markup.go +++ b/modules/setting/markup.go @@ -28,6 +28,7 @@ var Markdown = struct { EnableHardLineBreakInComments bool EnableHardLineBreakInDocuments bool CustomURLSchemes []string `ini:"CUSTOM_URL_SCHEMES"` + AllowAllURLSchemes bool `ini:"ALLOW_ALL_URL_SCHEMES"` FileExtensions []string EnableMath bool }{ @@ -59,6 +60,7 @@ type MarkupSanitizerRule struct { } func loadMarkupFrom(rootCfg ConfigProvider) { + rootCfg.Section("markdown").Key("ALLOW_ALL_URL_SCHEMES").MustBool(true) mustMapSetting(rootCfg, "markdown", &Markdown) MermaidMaxSourceCharacters = rootCfg.Section("markup").Key("MERMAID_MAX_SOURCE_CHARACTERS").MustInt(5000) From b0fc9659a638333bc6a1deb8bb74693a0f1c8e0f Mon Sep 17 00:00:00 2001 From: Yarden Shoham Date: Fri, 19 May 2023 10:35:18 +0000 Subject: [PATCH 2/4] Add tests Signed-off-by: Yarden Shoham --- modules/markup/sanitizer_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go index c792ec2dc629d..218663f277b86 100644 --- a/modules/markup/sanitizer_test.go +++ b/modules/markup/sanitizer_test.go @@ -52,6 +52,10 @@ func Test_Sanitizer(t *testing.T) { `Hello World`, `Hello World`, `

Hello World

`, `

Hello World

`, `Hello World`, `Hello World`, + + // URLs + `[my custom URL scheme](cbthunderlink://somebase64string)`, `[my custom URL scheme](cbthunderlink://somebase64string)`, + `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join&via=feneas.org&via=sorunome.de&via=the-apothecary.club&via=pirateriot.net&via=matrix.org)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join&via=feneas.org&via=sorunome.de&via=the-apothecary.club&via=pirateriot.net&via=matrix.org)`, } for i := 0; i < len(testCases); i += 2 { From a22816788bf246db261a4cb50f4bec34c59f0b06 Mon Sep 17 00:00:00 2001 From: Yarden Shoham Date: Fri, 19 May 2023 10:58:49 +0000 Subject: [PATCH 3/4] Less strict test --- modules/markup/sanitizer_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go index 218663f277b86..0c22ce3ba0e78 100644 --- a/modules/markup/sanitizer_test.go +++ b/modules/markup/sanitizer_test.go @@ -55,7 +55,7 @@ func Test_Sanitizer(t *testing.T) { // URLs `[my custom URL scheme](cbthunderlink://somebase64string)`, `[my custom URL scheme](cbthunderlink://somebase64string)`, - `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join&via=feneas.org&via=sorunome.de&via=the-apothecary.club&via=pirateriot.net&via=matrix.org)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join&via=feneas.org&via=sorunome.de&via=the-apothecary.club&via=pirateriot.net&via=matrix.org)`, + `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, } for i := 0; i < len(testCases); i += 2 { From 8b446cc01cb76b83c3b521acbcc0af6150a2dd1b Mon Sep 17 00:00:00 2001 From: Yarden Shoham Date: Fri, 19 May 2023 11:30:46 +0000 Subject: [PATCH 4/4] Use `CUSTOM_URL_SCHEMES` --- custom/conf/app.example.ini | 3 +-- docs/content/doc/administration/config-cheat-sheet.en-us.md | 3 +-- modules/markup/sanitizer.go | 4 +--- modules/setting/markup.go | 2 -- 4 files changed, 3 insertions(+), 9 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index a130203a76cd8..91d829c0ca955 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1327,9 +1327,8 @@ ROUTER = console ;; Comma separated list of custom URL-Schemes that are allowed as links when rendering Markdown ;; for example git,magnet,ftp (more at https://en.wikipedia.org/wiki/List_of_URI_schemes) ;; URLs starting with http and https are always displayed, whatever is put in this entry. +;; If this entry is empty, all URL schemes are allowed. ;CUSTOM_URL_SCHEMES = -;; Boolean indicating if all URL schemes should render as links -;ALLOW_ALL_URL_SCHEMES = true ;; ;; List of file extensions that should be rendered/edited as Markdown ;; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma diff --git a/docs/content/doc/administration/config-cheat-sheet.en-us.md b/docs/content/doc/administration/config-cheat-sheet.en-us.md index ca4612902450b..fdd1235f89793 100644 --- a/docs/content/doc/administration/config-cheat-sheet.en-us.md +++ b/docs/content/doc/administration/config-cheat-sheet.en-us.md @@ -276,8 +276,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a trailing whitespace to paragraphs is not necessary to force a line break. - `CUSTOM_URL_SCHEMES`: Use a comma separated list (ftp,git,svn) to indicate additional URL hyperlinks to be rendered in Markdown. URLs beginning in http and https are - always displayed -- `ALLOW_ALL_URL_SCHEMES`: **true**: Boolean indicating if all URL schemes should render as links + always displayed. If this entry is empty, all URL schemes are allowed - `FILE_EXTENSIONS`: **.md,.markdown,.mdown,.mkd,.livemd**: List of file extensions that should be rendered/edited as Markdown. Separate the extensions with a comma. To render files without any extension as markdown, just put a comma. - `ENABLE_MATH`: **true**: Enables detection of `\(...\)`, `\[...\]`, `$...$` and `$$...$$` blocks as math blocks. diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 713826cd4885f..a0c9ee171f699 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -77,9 +77,7 @@ func createDefaultPolicy() *bluemonday.Policy { // Custom URL-Schemes if len(setting.Markdown.CustomURLSchemes) > 0 { policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) - } - - if setting.Markdown.AllowAllURLSchemes { + } else { policy.AllowURLSchemesMatching(allowAllRegex) } diff --git a/modules/setting/markup.go b/modules/setting/markup.go index cbb7c2eef671a..6c2246342be8e 100644 --- a/modules/setting/markup.go +++ b/modules/setting/markup.go @@ -28,7 +28,6 @@ var Markdown = struct { EnableHardLineBreakInComments bool EnableHardLineBreakInDocuments bool CustomURLSchemes []string `ini:"CUSTOM_URL_SCHEMES"` - AllowAllURLSchemes bool `ini:"ALLOW_ALL_URL_SCHEMES"` FileExtensions []string EnableMath bool }{ @@ -60,7 +59,6 @@ type MarkupSanitizerRule struct { } func loadMarkupFrom(rootCfg ConfigProvider) { - rootCfg.Section("markdown").Key("ALLOW_ALL_URL_SCHEMES").MustBool(true) mustMapSetting(rootCfg, "markdown", &Markdown) MermaidMaxSourceCharacters = rootCfg.Section("markup").Key("MERMAID_MAX_SOURCE_CHARACTERS").MustInt(5000)