    Reject slug+uri concat if slug is deemed unsafe · aef4b0a5
    Kerri Miller authored
    First reported:
      https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
    
    When the page slug is "javascript:" and we attempt to link to a relative
    path (using `.` or `..`) the code will concatenate the slug and the uri.
    This MR adds a guard to that concat step that will return `nil` if the
    incoming slug matches against any of the "unsafe" slug regexes;
    currently this is only for the slug "javascript:" but can be extended if
    needed. Manually tested against a non-exhaustive list from OWASP of
    common javascript XSS exploits that have to do with mangling the
    "javascript:" method, and all are caught by this change or by existing
    code that ingests the user-specified slug.
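The guard described above, written out as a stand-alone Ruby example. This is added illustration, not the code from this commit or from GitLab's WikiLinkFilter: the names `UNSAFE_SLUG_SCHEMES`, `normalize_slug`, `unsafe_slug?` and `resolve_relative_link` are hypothetical, the join is a plain slug + relative-path concatenation as the commit message describes, and the example goes slightly beyond the commit by normalising the slug (whitespace, control characters, encoded colons, case) before matching, and by listing `vbscript:` and `data:` next to `javascript:` to show how the "unsafe" list can be extended.

```ruby
# Example guard for joining a wiki page slug with a relative link target.
# Added illustration; not GitLab's own implementation.

# Slug "schemes" that must never be concatenated with a relative path,
# because the result would end up as a clickable href (hypothetical list).
UNSAFE_SLUG_SCHEMES = %w[javascript vbscript data].freeze

# Canonicalise a slug roughly the way a browser canonicalises an href
# before scheme detection, so mangled spellings still match:
#   - decode "&#58;", "&#x3A;" and "%3A" back to ":"
#   - drop ASCII control characters (tab, newline, CR, ...) anywhere in it
#   - trim surrounding whitespace and lowercase
def normalize_slug(slug)
  s = slug.to_s.dup
  s = s.gsub(/&#0*58;?/i, ':').gsub(/&#x0*3a;?/i, ':').gsub(/%3a/i, ':')
  s = s.gsub(/[\x00-\x1f\x7f]/, '')
  s.strip.downcase
end

# True when the normalised slug starts with one of the unsafe schemes.
def unsafe_slug?(slug)
  n = normalize_slug(slug)
  UNSAFE_SLUG_SCHEMES.any? { |scheme| n.start_with?("#{scheme}:") }
end

# Concatenate the page slug and a relative target ("." / "./x" / "../x"),
# collapsing "." and ".." segments. Returns nil when the slug is unsafe,
# mirroring the guard in the commit, and nil when the target is not relative
# (this example only handles the relative-path case the commit talks about).
def resolve_relative_link(slug, uri)
  return nil if unsafe_slug?(slug)
  return nil unless uri.to_s.start_with?('.')

  segments = (slug.to_s.split('/') + uri.to_s.split('/')).each_with_object([]) do |seg, out|
    case seg
    when '', '.' then next
    when '..'    then out.pop
    else out << seg
    end
  end
  segments.join('/')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign page plus a few OWASP-style "javascript:" manglings.
  [
    ['home/intro', '../setup'],
    ['javascript:', '.'],
    [' JaVaScRiPt:alert(1)', './x'],
    ["java\tscript:alert(1)", '.'],
    ['javascript&#58;alert(1)', '.']
  ].each do |slug, uri|
    puts "#{slug.inspect} + #{uri.inspect} => #{resolve_relative_link(slug, uri).inspect}"
  end
end
```

A slug such as `javascript-tips` is still allowed because the check requires the colon after the scheme; the normalisation step is what makes the case, whitespace and entity variants collapse onto the same `javascript:` prefix.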