diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 8bb33b872..98b8b49c8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -48,6 +48,24 @@ def page_lang(lang)
 lang.empty? ? 'ja' : lang
 end
 
+ def sanitize_content(content)
+ sanitize(content,
+ tags: ActionView::Base.sanitized_allowed_tags + ['center'],
+ attributes: ActionView::Base.sanitized_allowed_attributes + ['id']
+ )
+ end
+
+ def safe_dojo_url(dojo)
+ return '#' if dojo.url.blank?
+
+ begin
+ uri = URI.parse(dojo.url)
+ uri.scheme&.match?(/\Ahttps?\z/) ? dojo.url : '#'
+ rescue URI::InvalidURIError
+ '#'
+ end
+ end
+
 # 'inline_' プレフィックスがついたflashメッセージをビュー内で表示するヘルパー
 # inline_alert → alert, inline_warning → warning のように変換してBootstrapのCSSクラスを適用
 def render_inline_flash_messages
diff --git a/app/models/dojo.rb b/app/models/dojo.rb
index 2e7a853ac..25399bf1b 100644
--- a/app/models/dojo.rb
+++ b/app/models/dojo.rb
@@ -89,7 +89,7 @@ def active?
 def active_at?(date)
 created_at <= date && (inactivated_at.nil? || inactivated_at > date)
 end
-
+
 # 再活性化メソッド
 def reactivate!
 if inactivated_at.present?
diff --git a/app/views/docs/show.html.erb b/app/views/docs/show.html.erb
index f3f01be1b..076dc8f8a 100644
--- a/app/views/docs/show.html.erb
+++ b/app/views/docs/show.html.erb
@@ -9,7 +9,7 @@
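Review bot: `sanitize_content` adds `'id'` to the attribute allow-list, which lets any author of sanitized content set element ids on the rendered page; duplicate ids collide with the page's own anchors and named elements, the usual route to DOM clobbering when page scripts look elements up by id. The hunk does not show why `center` and `id` are needed, so the method should carry that reason and the constraint, e.g. `# Rails safe list plus <center> and id= (presumably for heading anchors — TODO confirm); id= lets content override page element ids, so do not widen this list further.`, and if heading anchors are the reason, a scrubber that permits `id` only on heading tags is the tighter option. In `safe_dojo_url`, `rescue URI::InvalidURIError` is narrower than the `URI::Error` family `URI.parse` can raise for scheme-specific URIs (`URI::InvalidComponentError` is a sibling class), so `rescue URI::Error` is the safer net and the inner `begin … end` could become a method-level `rescue`. `render_inline_flash_messages` continues past the hunk.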
- <%= dojo.description %>
+ <%= html_escape(dojo.description) %>
 <% if dojo.is_private %>
 <%= link_to 'Private', doc_path('private-dojo'), class: 'dojo-private' %>
 <% end %>
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
deleted file mode 100644
index 186b08239..000000000
--- a/config/brakeman.ignore
+++ /dev/null
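Review bot: Wrapping `dojo.description` in `html_escape` does not change what is emitted as far as this hunk shows: `<%= %>` already escapes a plain String, and `ERB::Util.html_escape` returns its argument untouched when it is already `html_safe?`, so a value that arrives marked safe is still rendered raw. If `description` can reach the view as an `html_safe` buffer, the fix belongs where that flag is set rather than here; if it is a plain attribute, the wrapper only quiets the scanner and a comment such as `<%# plain attribute: ERB already escapes; html_escape kept explicit for Brakeman %>` would stop a later reader from assuming it adds protection. The hunk header counts seven old lines but only four are visible, so the surrounding markup of this hunk appears to have been lost in extraction.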
@@ -1,181 +0,0 @@ -{ - "ignored_warnings": [ - { - "warning_type": "Cross-Site Scripting", - "warning_code": 4, - "fingerprint": "8ba988098c444755698e4e65d38a94f4095948c1a9bc6220c7e2a4636c3c04d7", - "check_name": "LinkToHref", - "message": "Potentially unsafe model attribute in `link_to` href", - "file": "app/views/shared/_dojo.html.erb", - "line": 6, - "link": "https://brakemanscanner.org/docs/warning_types/link_to_href", - "code": "link_to(\"#{Dojo.new.name} (#{Dojo.new.prefecture.name})\", Dojo.new.url, :target => \"_blank\", :rel => \"external noopener\")", - "render_path": [ - { - "type": "controller", - "class": "HomeController", - "method": "show", - "line": 7, - "file": "app/controllers/home_controller.rb", - "rendered": { - "name": "home/show", - "file": "app/views/home/show.html.erb" - } - }, - { - "type": "template", - "name": "home/show", - "line": 161, - "file": "app/views/home/show.html.erb", - "rendered": { - "name": "shared/_dojos", - "file": "app/views/shared/_dojos.html.erb" - } - }, - { - "type": "template", - "name": "shared/_dojos", - "line": 2, - "file": "app/views/shared/_dojos.html.erb", - "rendered": { - "name": "shared/_dojo", - "file": "app/views/shared/_dojo.html.erb" - } - } - ], - "location": { - "type": "template", - "template": "shared/_dojo" - }, - "user_input": "Dojo.new.url", - "confidence": "Weak", - "cwe_id": [ - 79 - ], - "note": "" - }, - { - "warning_type": "Cross-Site Scripting", - "warning_code": 2, - "fingerprint": "b22a549fb14a7e6b3a9c34991ffcacd354dc768d74d50a8f6901e23c3ea19538", - "check_name": "CrossSiteScripting", - "message": "Unescaped model attribute", - "file": "app/views/podcasts/show.html.erb", - "line": 39, - "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", - "code": "Rinku.auto_link(Kramdown::Document.new(self.convert_shownote(Podcast.find_by(:id => params[:id]).content), :input => \"GFM\").to_html)", - "render_path": [ - { - "type": "controller", - "class": "PodcastsController", 
- "method": "show", - "line": 31, - "file": "app/controllers/podcasts_controller.rb", - "rendered": { - "name": "podcasts/show", - "file": "app/views/podcasts/show.html.erb" - } - } - ], - "location": { - "type": "template", - "template": "podcasts/show" - }, - "user_input": "Podcast.find_by(:id => params[:id]).content", - "confidence": "Weak", - "cwe_id": [ - 79 - ], - "note": "" - }, - { - "warning_type": "Cross-Site Scripting", - "warning_code": 4, - "fingerprint": "b29f98f4da690ffb7c663390c21db3a71174dae17d06234deab9d6655af6babe", - "check_name": "LinkToHref", - "message": "Potentially unsafe model attribute in `link_to` href", - "file": "app/views/shared/_dojo.html.erb", - "line": 3, - "link": "https://brakemanscanner.org/docs/warning_types/link_to_href", - "code": "link_to(lazy_image_tag(Dojo.new.logo, :alt => (\"CoderDojo #{Dojo.new.name}\"), :class => \"dojo-picture\"), Dojo.new.url, :target => \"_blank\", :rel => \"external noopener\")", - "render_path": [ - { - "type": "controller", - "class": "HomeController", - "method": "show", - "line": 7, - "file": "app/controllers/home_controller.rb", - "rendered": { - "name": "home/show", - "file": "app/views/home/show.html.erb" - } - }, - { - "type": "template", - "name": "home/show", - "line": 161, - "file": "app/views/home/show.html.erb", - "rendered": { - "name": "shared/_dojos", - "file": "app/views/shared/_dojos.html.erb" - } - }, - { - "type": "template", - "name": "shared/_dojos", - "line": 2, - "file": "app/views/shared/_dojos.html.erb", - "rendered": { - "name": "shared/_dojo", - "file": "app/views/shared/_dojo.html.erb" - } - } - ], - "location": { - "type": "template", - "template": "shared/_dojo" - }, - "user_input": "Dojo.new.url", - "confidence": "Weak", - "cwe_id": [ - 79 - ], - "note": "" - }, - { - "warning_type": "Cross-Site Scripting", - "warning_code": 2, - "fingerprint": "e4187193a881ef4e98b77f205c86fcafbef3d65d9269bba30e8612f6a59273ed", - "check_name": "CrossSiteScripting", - "message": 
"Unescaped model attribute", - "file": "app/views/docs/show.html.erb", - "line": 12, - "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", - "code": "Kramdown::Document.new(Document.new(params[:id]).content, :input => \"GFM\").to_html", - "render_path": [ - { - "type": "controller", - "class": "DocsController", - "method": "show", - "line": 42, - "file": "app/controllers/docs_controller.rb", - "rendered": { - "name": "docs/show", - "file": "app/views/docs/show.html.erb" - } - } - ], - "location": { - "type": "template", - "template": "docs/show" - }, - "user_input": "Document.new(params[:id]).content", - "confidence": "Weak", - "cwe_id": [ - 79 - ], - "note": "" - } - ], - "brakeman_version": "7.1.0" -}
diff --git a/spec/requests/docs_spec.rb b/spec/requests/docs_spec.rb
index ab689cb29..a17e748ca 100644
--- a/spec/requests/docs_spec.rb
+++ b/spec/requests/docs_spec.rb
@@ -14,6 +14,7 @@
 get doc_path(param)
 doc = Document.new(param)
 expected = Kramdown::Document.new(doc.content, input: 'GFM').to_html
+ expected = ApplicationController.helpers.sanitize_content(expected)
 expect(response.body).to include(expected.strip)
 end
 
@@ -23,4 +24,4 @@
 expect(response.status).to eq 302
 end
 end
-end
\ No newline at end of file
+end
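Review bot: The added `expected = ApplicationController.helpers.sanitize_content(expected)` computes the expectation with the same helper the view is meant to call, so the assertion holds for any sanitizer behaviour, including one that passes disallowed markup through; it shows the view applies `sanitize_content`, not that the output is safe. A complementary example that renders a document fixture containing a disallowed element or event-handler attribute and asserts `response.body` does not include it would pin the property the commit is after. Whether such a fixture can be supplied through `Document.new(param)` is not visible from this hunk. The second hunk only restores the missing trailing newline.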