upstream/kallithea Commit - r7322:5746cc3b

lib: use bleach to sanitize HTML generated from markdown - fix XSS issue when repo front page shows README.md...

Mads Kiilerich -

r7322:5746cc3b stable

parent child

kallithea/lib/markup_renderer.py

0 +20 -7

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.lib.markup_renderer
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             Renderer for markup languages with ability to parse using rst or markdown
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Oct 27, 2011
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import re
             import logging
             import traceback
             import markdown as markdown_mod
+            import bleach
             from kallithea.lib.utils2 import safe_unicode, MENTIONS_REGEX
             log = logging.getLogger(__name__)
             url_re = re.compile(r'''(\bhttps?://(?:[\da-zA-Z0-9@:.-]+)'''
                                 r'''(?:[/a-zA-Z0-9_=@#~&+%.,:;?!*()-]*[/a-zA-Z0-9_=@#~])?)''')
             class MarkupRenderer(object):
                 RESTRUCTUREDTEXT_DISALLOWED_DIRECTIVES = ['include', 'meta', 'raw']
                 MARKDOWN_PAT = re.compile(r'md|mkdn?|mdown|markdown', re.IGNORECASE)
                 RST_PAT = re.compile(r're?st', re.IGNORECASE)
                 PLAIN_PAT = re.compile(r'readme', re.IGNORECASE)
                 def _detect_renderer(self, source, filename=None):
                     """
                     runs detection of what renderer should be used for generating html
                     from a markup language
                     filename can be also explicitly a renderer name
                     :param source:
                     :param filename:
                     """
                     if MarkupRenderer.MARKDOWN_PAT.findall(filename):
                         detected_renderer = 'markdown'
                     elif MarkupRenderer.RST_PAT.findall(filename):
                         detected_renderer = 'rst'
                     elif MarkupRenderer.PLAIN_PAT.findall(filename):
                         detected_renderer = 'rst'
                     else:
                         detected_renderer = 'plain'
                     return getattr(MarkupRenderer, detected_renderer)
                 @classmethod
                 def _flavored_markdown(cls, text):
                     """
                     Github style flavored markdown
                     :param text:
                     """
                     from hashlib import md5
                     # Extract pre blocks.
                     extractions = {}
                     def pre_extraction_callback(matchobj):
                         digest = md5(matchobj.group(0)).hexdigest()
                         extractions[digest] = matchobj.group(0)
                         return "{gfm-extraction-%s}" % digest
                     pattern = re.compile(r'<pre>.*?</pre>', re.MULTILINE | re.DOTALL)
                     text = re.sub(pattern, pre_extraction_callback, text)
                     # Prevent foo_bar_baz from ending up with an italic word in the middle.
                     def italic_callback(matchobj):
                         s = matchobj.group(0)
                         if list(s).count('_') >= 2:
                             return s.replace('_', '\_')
                         return s
                     text = re.sub(r'^(?! {4}|\t)\w+_\w+_\w[\w_]*', italic_callback, text)
                     # In very clear cases, let newlines become <br /> tags.
                     def newline_callback(matchobj):
                         if len(matchobj.group(1)) == 1:
                             return matchobj.group(0).rstrip() + '  \n'
                         else:
                             return matchobj.group(0)
                     pattern = re.compile(r'^[\w\<][^\n]*(\n+)', re.MULTILINE)
                     text = re.sub(pattern, newline_callback, text)
                     # Insert pre block extractions.
                     def pre_insert_callback(matchobj):
                         return '\n\n' + extractions[matchobj.group(1)]
                     text = re.sub(r'{gfm-extraction-([0-9a-f]{32})\}',
                                   pre_insert_callback, text)
                     return text
                 def render(self, source, filename=None):
                     """
                     Renders a given filename using detected renderer
                     it detects renderers based on file extension or mimetype.
                     At last it will just do a simple html replacing new lines with <br/>
                     :param file_name:
                     :param source:
                     """
                     renderer = self._detect_renderer(source, filename)
                     readme_data = renderer(source)
                     return readme_data
                 @classmethod
                 def plain(cls, source, universal_newline=True):
                     source = safe_unicode(source)
                     if universal_newline:
                         newline = '\n'
                         source = newline.join(source.splitlines())
                     def url_func(match_obj):
                         url_full = match_obj.groups()[0]
                         return '<a href="%(url)s">%(url)s</a>' % ({'url': url_full})
                     source = url_re.sub(url_func, source)
                     return '<br />' + source.replace("\n", '<br />')
                 @classmethod
                 def markdown(cls, source, safe=True, flavored=False):
                     """
-                    Convert Markdown (possibly GitHub Flavored) to HTML, possibly
+                    Convert Markdown (possibly GitHub Flavored) to XSS safe HTML, possibly
                     with "safe" fall-back to plaintext.
                     >>> MarkupRenderer.markdown('''<img id="a" style="margin-top:-1000px;color:red" src="http://example.com/test.jpg">''')
-                    u'<p><img id="a" style="margin-top:-1000px;color:red" src="http://example.com/test.jpg"></p>'
+                    u'<p><img id="a" src="http://example.com/test.jpg" style="color: red;"></p>'
                     >>> MarkupRenderer.markdown('''<img class="c d" src="file://localhost/test.jpg">''')
-                    u'<p><img class="c d" src="file://localhost/test.jpg"></p>'
+                    u'<p><img class="c d"></p>'
                     >>> MarkupRenderer.markdown('''<a href="foo">foo</a>''')
                     u'<p><a href="foo">foo</a></p>'
                     >>> MarkupRenderer.markdown('''<script>alert(1)</script>''')
-                    u'<script>alert(1)</script>'
+                    u'&lt;script&gt;alert(1)&lt;/script&gt;'
                     >>> MarkupRenderer.markdown('''<div onclick="alert(2)">yo</div>''')
-                    u'<div onclick="alert(2)">yo</div>'
+                    u'<div>yo</div>'
                     >>> MarkupRenderer.markdown('''<a href="javascript:alert(3)">yo</a>''')
-                    u'<p><a href="javascript:alert(3)">yo</a></p>'
+                    u'<p><a>yo</a></p>'
                     """
                     source = safe_unicode(source)
                     try:
                         if flavored:
                             source = cls._flavored_markdown(source)
                         markdown_html = markdown_mod.markdown(source, ['codehilite', 'extra'])
-                        return markdown_html
+                        # Allow most HTML, while preventing XSS issues:
+                        # no <script> tags, no onclick attributes, no javascript
+                        # "protocol", and also limit styling to prevent defacing.
+                        return bleach.clean(markdown_html,
+                            tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
+                                  'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
+                                  'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
+                                  'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
+                                  'thead', 'tr', 'ul'],
+                            attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
+                            styles=['color'],
+                            protocols=['http', 'https', 'mailto'],
+                            )
                     except Exception:
                         log.error(traceback.format_exc())
                         if safe:
                             log.debug('Falling back to render in plain mode')
                             return cls.plain(source)
                         else:
                             raise
                 @classmethod
                 def rst(cls, source, safe=True):
                     source = safe_unicode(source)
                     try:
                         from docutils.core import publish_parts
                         from docutils.parsers.rst import directives
                         docutils_settings = dict([(alias, None) for alias in
                                             cls.RESTRUCTUREDTEXT_DISALLOWED_DIRECTIVES])
                         docutils_settings.update({'input_encoding': 'unicode',
                                                   'report_level': 4})
                         for k, v in docutils_settings.iteritems():
                             directives.register_directive(k, v)
                         parts = publish_parts(source=source,
                                               writer_name="html4css1",
                                               settings_overrides=docutils_settings)
                         return parts['html_title'] + parts["fragment"]
                     except ImportError:
                         log.warning('Install docutils to use this function')
                         return cls.plain(source)
                     except Exception:
                         log.error(traceback.format_exc())
                         if safe:
                             log.debug('Falling back to render in plain mode')
                             return cls.plain(source)
                         else:
                             raise
                 @classmethod
                 def rst_with_mentions(cls, source):
                     mention_pat = re.compile(MENTIONS_REGEX)
                     def wrapp(match_obj):
                         uname = match_obj.groups()[0]
                         return '\ **@%(uname)s**\ ' % {'uname': uname}
                     mention_hl = mention_pat.sub(wrapp, source).strip()
                     return cls.rst(mention_hl)

setup.py

0 +1 0

             #!/usr/bin/env python2
             # -*- coding: utf-8 -*-
             import os
             import sys
             import platform
             if sys.version_info < (2, 6):
                 raise Exception('Kallithea requires python 2.6 or 2.7')
             here = os.path.abspath(os.path.dirname(__file__))
             def _get_meta_var(name, data, callback_handler=None):
                 import re
                 matches = re.compile(r'(?:%s)\s*=\s*(.*)' % name).search(data)
                 if matches:
                     if not callable(callback_handler):
                         callback_handler = lambda v: v
                     return callback_handler(eval(matches.groups()[0]))
             _meta = open(os.path.join(here, 'kallithea', '__init__.py'), 'rb')
             _metadata = _meta.read()
             _meta.close()
             callback = lambda V: ('.'.join(map(str, V[:3])) + '.'.join(V[3:]))
             __version__ = _get_meta_var('VERSION', _metadata, callback)
             __license__ = _get_meta_var('__license__', _metadata)
             __author__ = _get_meta_var('__author__', _metadata)
             __url__ = _get_meta_var('__url__', _metadata)
             # defines current platform
             __platform__ = platform.system()
             is_windows = __platform__ in ['Windows']
             requirements = [
                 "setuptools<34", # setuptools==34 has an undeclared requirement of pyparsing >=2.1, but celery<2.3 requires pyparsing<2
                 "waitress==0.8.8",
                 "webob>=1.0.8,<=1.1.1",
                 "webtest==1.4.3",
                 "Pylons>=1.0.0,<=1.0.3",
                 "Beaker==1.6.4",
                 "WebHelpers==1.3",
                 "formencode>=1.2.4,<=1.2.6",
                 "SQLAlchemy==0.7.10",
                 "Mako>=0.9.0,<=1.0.0",
                 "pygments>=1.5",
                 "whoosh>=2.4.0,<=2.5.7",
                 "celery>=2.2.5,<2.3",
                 "babel>=0.9.6,<=1.3",
                 "python-dateutil>=1.5.0,<2.0.0",
                 "markdown==2.2.1",
                 "docutils>=0.8.1,<=0.11",
                 "mock",
                 "URLObject==2.3.4",
                 "Routes==1.13",
                 "dulwich>=0.9.9,<=0.9.9",
                 "mercurial>=2.9,<4.3",
+                "bleach >= 3.0, < 3.1",
             ]
             if sys.version_info < (2, 7):
                 requirements.append("importlib==1.0.1")
                 requirements.append("unittest2")
                 requirements.append("argparse")
             if not is_windows:
                 requirements.append("py-bcrypt>=0.3.0,<=0.4")
             dependency_links = [
             ]
             classifiers = [
                 'Development Status :: 4 - Beta',
                 'Environment :: Web Environment',
                 'Framework :: Pylons',
                 'Intended Audience :: Developers',
                 'License :: OSI Approved :: GNU General Public License (GPL)',
                 'Operating System :: OS Independent',
                 'Programming Language :: Python',
                 'Programming Language :: Python :: 2.6',
                 'Programming Language :: Python :: 2.7',
                 'Topic :: Software Development :: Version Control',
             ]
             # additional files from project that goes somewhere in the filesystem
             # relative to sys.prefix
             data_files = []
             # additional files that goes into package itself
             package_data = {'kallithea': ['i18n/*/LC_MESSAGES/*.mo', ], }
             description = ('Kallithea is a fast and powerful management tool '
                            'for Mercurial and Git with a built in push/pull server, '
                            'full text search and code-review.')
             keywords = ' '.join([
                 'kallithea', 'mercurial', 'git', 'code review',
                 'repo groups', 'ldap', 'repository management', 'hgweb replacement',
                 'hgwebdir', 'gitweb replacement', 'serving hgweb',
             ])
             # long description
             README_FILE = 'README.rst'
             CHANGELOG_FILE = 'docs/changelog.rst'
             try:
                 long_description = open(README_FILE).read() + '\n\n' + \
                     open(CHANGELOG_FILE).read()
             except IOError as err:
                 sys.stderr.write(
                     "[WARNING] Cannot find file specified as long_description (%s)\n or "
                     "changelog (%s) skipping that file" % (README_FILE, CHANGELOG_FILE)
                 )
                 long_description = description
             try:
                 from setuptools import setup, find_packages
             except ImportError:
                 from ez_setup import use_setuptools
                 use_setuptools()
                 from setuptools import setup, find_packages
             # monkey patch setuptools to use distutils owner/group functionality
             from setuptools.command import sdist
             sdist_org = sdist.sdist
             class sdist_new(sdist_org):
                 def initialize_options(self):
                     sdist_org.initialize_options(self)
                     self.owner = self.group = 'root'
             sdist.sdist = sdist_new
             # packages
             packages = find_packages(exclude=['ez_setup'])
             setup(
                 name='Kallithea',
                 version=__version__,
                 description=description,
                 long_description=long_description,
                 keywords=keywords,
                 license=__license__,
                 author=__author__,
                 author_email='kallithea@sfconservancy.org',
                 dependency_links=dependency_links,
                 url=__url__,
                 install_requires=requirements,
                 classifiers=classifiers,
                 setup_requires=["PasteScript>=1.6.3"],
                 data_files=data_files,
                 packages=packages,
                 include_package_data=True,
                 test_suite='nose.collector',
                 package_data=package_data,
                 message_extractors={'kallithea': [
                         ('**.py', 'python', None),
                         ('templates/**.mako', 'mako', {'input_encoding': 'utf-8'}),
                         ('templates/**.html', 'mako', {'input_encoding': 'utf-8'}),
                         ('public/**', 'ignore', None)]},
                 zip_safe=False,
                 paster_plugins=['PasteScript', 'Pylons'],
                 entry_points="""
                 [console_scripts]
                 kallithea-api =    kallithea.bin.kallithea_api:main
                 kallithea-gist =   kallithea.bin.kallithea_gist:main
                 kallithea-config = kallithea.bin.kallithea_config:main
                 [paste.app_factory]
                 main = kallithea.config.middleware:make_app
                 [paste.app_install]
                 main = pylons.util:PylonsInstaller
                 [paste.global_paster_command]
                 setup-db=kallithea.lib.paster_commands.setup_db:Command
                 cleanup-repos=kallithea.lib.paster_commands.cleanup:Command
                 update-repoinfo=kallithea.lib.paster_commands.update_repoinfo:Command
                 make-rcext=kallithea.lib.paster_commands.make_rcextensions:Command
                 repo-scan=kallithea.lib.paster_commands.repo_scan:Command
                 cache-keys=kallithea.lib.paster_commands.cache_keys:Command
                 ishell=kallithea.lib.paster_commands.ishell:Command
                 make-index=kallithea.lib.paster_commands.make_index:Command
                 upgrade-db=kallithea.lib.dbmigrate:UpgradeDb
                 celeryd=kallithea.lib.celerypylons.commands:CeleryDaemonCommand
                 install-iis=kallithea.lib.paster_commands.install_iis:Command
                 [nose.plugins]
                 pylons = pylons.test:PylonsPlugin
                 """,
             )

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages