diff --git a/Changelog.md b/Changelog.md index c0edec07b..d5d5dc388 100644 --- a/Changelog.md +++ b/Changelog.md @@ -16,6 +16,10 @@ * Add the ability to assign roles in the admin panel [#7868](https://github.com/diaspora/diaspora/pull/7868) * Improve memory usage with libjemalloc if available [#7919](https://github.com/diaspora/diaspora/pull/7919) +# 0.7.7.1 + +Fixes a potential cross-site scripting issue with maliciously crafted OpenGraph metadata on the mobile interface. + # 0.7.7.0 ## Refactor diff --git a/Gemfile.lock b/Gemfile.lock index 358e49513..147d7697f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -472,7 +472,7 @@ GEM byebug (~> 10.0) pry (~> 0.10) public_suffix (3.0.3) - rack (2.0.5) + rack (2.0.6) rack-cors (1.0.2) rack-google-analytics (1.2.0) actionpack @@ -900,4 +900,4 @@ DEPENDENCIES will_paginate (= 3.1.6) BUNDLED WITH - 1.16.5 + 1.17.1 diff --git a/app/helpers/open_graph_helper.rb b/app/helpers/open_graph_helper.rb index ace0990c8..383a2c69c 100644 --- a/app/helpers/open_graph_helper.rb +++ b/app/helpers/open_graph_helper.rb @@ -1,16 +1,6 @@ # frozen_string_literal: true module OpenGraphHelper - def og_html(cache) - "" + - "
" + - " " + - " #{cache.title}" + - "

#{truncate(cache.description, length: 250, separator: ' ')}

" + - "
" + - "" - end - def link_to_oembed_image(cache, prefix = 'thumbnail_') link_to(oembed_image_tag(cache, prefix), cache.url, :target => '_blank') end diff --git a/app/views/status_messages/_status_message.mobile.haml b/app/views/status_messages/_status_message.mobile.haml index 1758a96cc..bf5fe21dd 100644 --- a/app/views/status_messages/_status_message.mobile.haml +++ b/app/views/status_messages/_status_message.mobile.haml @@ -20,4 +20,10 @@ != o_embed_html post.o_embed_cache - if post.open_graph_cache .opengraph - != og_html post.open_graph_cache + %a{href: post.open_graph_cache.url, target: "_blank"} + %div + = image_tag post.open_graph_cache.image + %strong + = post.open_graph_cache.title + %p + = truncate(post.open_graph_cache.description, length: 250, separator: " ") diff --git a/spec/helpers/open_graph_helper_spec.rb b/spec/helpers/open_graph_helper_spec.rb deleted file mode 100644 index c6b10188a..000000000 --- a/spec/helpers/open_graph_helper_spec.rb +++ /dev/null @@ -1,32 +0,0 @@ -# frozen_string_literal: true - -describe OpenGraphHelper, :type => :helper do - - describe 'og_html' do - scenarios = { - "article" => { - "url" => "http://opengraph-enabled-site.com/articles/1332-scientists-discover-new-planet", - "image" => "http://opengraph-enabled-site.com/images/1332-lead.jpg", - "title" => "Scientists discover new planet", - "description" => "A new planet was found yesterday" - }, - } - - scenarios.each do |type, data| - specify 'for type "'+type+'"' do - cache = OpenGraphCache.new(:url => data['url']) - cache.ob_type = type - cache.image = data['image'] - cache.title = data['title'] - cache.description = data['description'] - - formatted = og_html(cache) - - expect(formatted).to match(/#{data['url']}/) - expect(formatted).to match(/#{data['title']}/) - expect(formatted).to match(/#{data['image']}/) - expect(formatted).to match(/#{data['description']}/) - end - end - end -end diff --git a/spec/views/status_messages/_status_message.mobile.haml_spec.rb b/spec/views/status_messages/_status_message.mobile.haml_spec.rb new file mode 100644 index 000000000..5487d6a55 --- /dev/null +++ b/spec/views/status_messages/_status_message.mobile.haml_spec.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +describe "status_messages/_status_message.mobile.haml" do + it "escapes the OpenGraph metadata" do + open_graph_cache = OpenGraphCache.new( + url: "", + title: "", + image: "https://example.org/\">", + description: "" + ) + post = FactoryGirl.create(:status_message, public: true, open_graph_cache: open_graph_cache) + + render file: "status_messages/_status_message.mobile.haml", locals: {post: post, photos: post.photos} + + expect(rendered).to_not include("