diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml new file mode 100644 index 0000000000000000000000000000000000000000..2405b1a4f5fa0135a00290278f5b4bf0e1c17cfe --- /dev/null +++ b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml @@ -0,0 +1,5 @@ +--- +title: Fix Denial of Service for comments when rendering issues/MR comments +merge_request: +author: +type: security diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb index 199b3533cf408c7eff128b4fe639e7de4b8ea1e9..cdf97e75491cf94175224622578c85938369ba08 100644 --- a/lib/banzai/filter/relative_link_filter.rb +++ b/lib/banzai/filter/relative_link_filter.rb @@ -100,7 +100,7 @@ module Banzai end def relative_file_path(uri) - path = Addressable::URI.unescape(uri.path) + path = Addressable::URI.unescape(uri.path).delete("\0") request_path = Addressable::URI.unescape(context[:requested_path]) nested_path = build_relative_path(path, request_path) file_exists?(nested_path) ? nested_path : path diff --git a/spec/lib/banzai/filter/relative_link_filter_spec.rb b/spec/lib/banzai/filter/relative_link_filter_spec.rb index dad0a5535c04aa2e458b0f50de3caaa87406827d..a6e8a2fc8fcb2a10fcc6c8528b0c986fd67cbdfe 100644 --- a/spec/lib/banzai/filter/relative_link_filter_spec.rb +++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb @@ -83,6 +83,11 @@ describe Banzai::Filter::RelativeLinkFilter do expect { filter(act) }.not_to raise_error end + it 'does not explode with an escaped null byte' do + act = link("/%00") + expect { filter(act) }.not_to raise_error + end + it 'does not raise an exception with a space in the path' do act = link("/uploads/d18213acd3732630991986120e167e3d/Landscape_8.jpg \nBut here's some more unexpected text :smile:)") expect { filter(act) }.not_to raise_error