From 60620f9edbcfd9bae16420b4aacfd13367904660 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Fern=C3=A1ndez-Capel?=
Date: Tue, 14 May 2024 15:51:12 +0100
Subject: [PATCH 1/2] Update dependencies and Ruby version
---
 .github/workflows/ci.yml | 2 +-
 .ruby-version | 2 +-
 Gemfile.lock | 73 +++++++++++++++++++++++-----------------
 test/karma.conf.js | 55 +++++++----------------------
 4 files changed, 56 insertions(+), 76 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b0ff7cf5b..f3f07b957 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
 bundler-cache: true
 - uses: actions/setup-node@v2-beta
 with:
- node-version: 11
+ node-version: 16
 - uses: actions/cache@v2
 with:
 path: test/node_modules
diff --git a/.ruby-version b/.ruby-version
index 3f684d2d9..49cdd668e 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.3.4
+2.7.6
diff --git a/Gemfile.lock b/Gemfile.lock
index 7012504e3..47e550ba7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,61 +1,70 @@ GEM remote: https://rubygems.org/ specs: - activesupport (5.0.0.1) + activesupport (7.1.3.2) + base64 + bigdecimal concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (~> 0.7) - minitest (~> 5.1) - tzinfo (~> 1.1) + connection_pool (>= 2.2.5) + drb + i18n (>= 1.6, < 2) + minitest (>= 5.1) + mutex_m + tzinfo (~> 2.0) addressable (2.4.0) - blade (0.7.0) + base64 (0.2.0) + bigdecimal (3.1.8) + blade (0.7.3) activesupport (>= 3.0.0) - blade-qunit_adapter (~> 2.0.1) + blade-qunit_adapter (>= 2.0.1) coffee-script coffee-script-source - curses (~> 1.0.0) + curses (>= 1.4.0) eventmachine faye sprockets (>= 3.0) thin (>= 1.6.0) - thor (~> 0.19.1) - useragent (~> 0.16.7) + thor (>= 0.19.1) + useragent (>= 0.16.7) blade-qunit_adapter (2.0.1) coffee-script (2.4.1) coffee-script-source execjs coffee-script-source (1.9.3) concurrent-ruby (1.0.2) - cookiejar (0.3.3) - curses (1.0.2) - daemons (1.2.4) + connection_pool (2.4.1) + cookiejar (0.3.4) + curses (1.4.5) + daemons (1.4.1) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) + drb (2.2.1) eco (1.0.0) coffee-script eco-source execjs eco-source (1.1.0.rc.1) - em-http-request (1.1.5) + em-http-request (1.1.7) addressable (>= 2.3.4) cookiejar (!= 0.3.1) em-socksify (>= 0.3) eventmachine (>= 1.0.3) http_parser.rb (>= 0.6.0) - em-socksify (0.3.1) + em-socksify (0.3.2) eventmachine (>= 1.0.0.beta.4) - eventmachine (1.2.1) + eventmachine (1.2.7) execjs (2.7.0) faraday (0.9.2) multipart-post (>= 1.2, < 3) - faye (1.2.3) + faye (1.4.0) cookiejar (>= 0.3.0) - em-http-request (>= 0.3.0) + em-http-request (>= 1.1.6) eventmachine (>= 0.12.0) - faye-websocket (>= 0.9.1) + faye-websocket (>= 0.11.0) multi_json (>= 1.0.0) rack (>= 1.0.0) websocket-driver (>= 0.5.1) - faye-websocket (0.10.5) + faye-websocket (0.11.3) eventmachine (>= 0.12.0) websocket-driver (>= 0.5.1) github_api (0.13.1) 
@@ -66,14 +75,16 @@ GEM multi_json (>= 1.7.5, < 2.0) oauth2 hashie (3.5.6) - http_parser.rb (0.6.0) - i18n (0.7.0) - json (2.0.2) + http_parser.rb (0.8.0) + i18n (1.14.5) + concurrent-ruby (~> 1.0) + json (2.7.2) jwt (1.5.6) - minitest (5.9.1) + minitest (5.22.3) multi_json (1.12.1) multi_xml (0.6.0) multipart-post (2.0.0) + mutex_m (0.2.0) oauth2 (1.4.0) faraday (>= 0.8, < 0.13) jwt (~> 1.0) @@ -87,21 +98,21 @@ GEM rack (> 1, < 3) sprockets-export (1.0.0) sprockets-svgo (0.2.0) - thin (1.7.0) + thin (1.8.2) daemons (~> 1.0, >= 1.0.9) eventmachine (~> 1.0, >= 1.0.4) rack (>= 1, < 3) - thor (0.19.4) + thor (1.3.1) thread_safe (0.3.5) - tzinfo (1.2.2) - thread_safe (~> 0.1) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) uglifier (2.5.1) execjs (>= 0.3.0) json (>= 1.8.0) - useragent (0.16.8) - websocket-driver (0.6.4) + useragent (0.16.10) + websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) - websocket-extensions (0.1.2) + websocket-extensions (0.1.5) PLATFORMS ruby @@ -119,4 +130,4 @@ DEPENDENCIES uglifier BUNDLED WITH - 1.16.1 + 2.3.8 diff --git a/test/karma.conf.js b/test/karma.conf.js index 89201947a..9e2afa660 100644 --- a/test/karma.conf.js +++ b/test/karma.conf.js 
@@ -32,72 +32,41 @@ if (process.env.CI) {
 sl_chrome_latest: {
 base: "SauceLabs",
 browserName: "chrome",
- platform: "Windows 10",
- version: "latest"
- },
- sl_firefox_latest: {
- base: "SauceLabs",
- browserName: "firefox",
- platform: "Windows 10",
 version: "latest"
 },
- sl_safari_previous: {
+ sl_chrome_latest_i8n: {
 base: "SauceLabs",
- browserName: "safari",
- platform: "macOS 10.13",
- version: "latest-1"
+ browserName: "chrome",
+ version: "latest",
+ chromeOptions: {
+ args: [ "--lang=tr" ]
+ }
 },
- sl_safari_latest: {
+ sl_safari_12_1: {
 base: "SauceLabs",
 browserName: "safari",
 platform: "macOS 10.13",
- version: "latest"
- },
- sl_edge_previous: {
- base: "SauceLabs",
- browserName: "microsoftedge",
- platform: "Windows 10",
- version: "17.17134"
+ version: "12.1"
 },
 sl_edge_latest: {
 base: "SauceLabs",
 browserName: "microsoftedge",
 platform: "Windows 10",
- version: "18.17763"
- },
- sl_ie_11: {
- base: "SauceLabs",
- browserName: "internet explorer",
- platform: "Windows 8.1",
- version: "11"
- },
- sl_ios_previous: {
- base: "SauceLabs",
- browserName: "safari",
- platform: "ios",
- device: "iPhone Simulator",
- version: "11.3"
- },
- sl_ios_latest: {
- base: "SauceLabs",
- browserName: "safari",
- platform: "ios",
- device: "iPhone Simulator",
- version: "12.0"
+ version: "latest"
 },
- sl_android_previous: {
+ sl_android_9: {
 base: "SauceLabs",
 browserName: "chrome",
 platform: "android",
 device: "Android GoogleAPI Emulator",
- version: "7.1"
+ version: "9.0"
 },
 sl_android_latest: {
 base: "SauceLabs",
 browserName: "chrome",
 platform: "android",
 device: "Android GoogleAPI Emulator",
- version: "8.1"
+ version: "12.0"
 }
 }
From 80a4d4f5ffb392264cd8cc8feba0ab242cb0b08b Mon Sep 17 00:00:00 2001
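Review bot: The new `sl_chrome_latest_i8n` launcher passes its locale flag under the legacy `chromeOptions` key; if the Sauce launcher negotiates a W3C session for current Chrome, that key is not the one the driver reads and the run would silently execute with the default locale, so the suite would not exercise the Turkish-locale behaviour this launcher exists to cover. Consider `"goog:chromeOptions": { args: [ "--lang=tr" ] }` (or keep both keys) and confirm from the recorded session capabilities that `--lang=tr` took effect. The launcher name also reads like a typo for the usual abbreviation, e.g. `sl_chrome_latest_i18n`. The enclosing `if (process.env.CI)` block begins before this hunk.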
From: =?UTF-8?q?Alberto=20Fern=C3=A1ndez-Capel?=
Date: Tue, 14 May 2024 16:05:12 +0100
Subject: [PATCH 2/2] Backport fix for CVE-2024-34341 to v1.3
---
 src/trix/models/html_parser.coffee | 7 ++++++-
 src/trix/models/html_sanitizer.coffee | 2 +-
 test/src/system/pasting_test.coffee | 24 ++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee
index 57b45db1d..793ba55a8 100644
--- a/src/trix/models/html_parser.coffee
+++ b/src/trix/models/html_parser.coffee
@@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject
 parseTrixDataAttribute = (element, name) ->
 try
- JSON.parse(element.getAttribute("data-trix-#{name}"))
+ data = JSON.parse(element.getAttribute("data-trix-#{name}"))
+
+ if data.contentType == "text/html" and data.content
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+
+ data
 catch {}
diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
index 87008ebad..d3fabb08e 100644
--- a/src/trix/models/html_sanitizer.coffee
+++ b/src/trix/models/html_sanitizer.coffee
@@ -3,7 +3,7 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
 DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
 DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
- DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
+ DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
 @sanitize: (html, options) ->
 sanitizer = new this html, options
diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
index b08f5d94a..b42260322 100644
--- a/test/src/system/pasting_test.coffee
+++ b/test/src/system/pasting_test.coffee
@@ -53,6 +53,30 @@ testGroup "Pasting", template: "editor_empty", ->
 delete window.unsanitized
 done()
+ test "paste unsafe html with noscript", (done) ->
+ window.unsanitized = []
+ pasteData =
+ "text/plain": "x",
+ "text/html": "
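Review bot: The added `data.contentType` access throws for an element that lacks the `data-trix-<name>` attribute, because `getAttribute` returns null and `JSON.parse(null)` yields null; the TypeError is then swallowed by the existing catch, so the helper now returns the catch value (`{}` on the visible line) where it previously returned null. Any caller that tests the result for truthiness would see a behaviour change, and guarding with the existential operator keeps the old result: `if data?.contentType == "text/html" and data.content`. Note also that `contentType` is read from the pasted JSON itself, so the sanitizer runs only when the supplied data says it should; whether the attachment renderer treats `content` as markup only for `text/html` is outside this hunk and worth confirming before relying on that gate. `parseTrixDataAttribute` is fully inside the hunk, but the enclosing class continues past it.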
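Review bot: `noscript` is appended to `DEFAULT_FORBIDDEN_ELEMENTS` without a comment saying why, and the reason is not obvious from the name: the element's children are parsed as plain text when scripting is enabled but as real markup when it is not, so a sanitizer and a consumer running in different modes see different trees. A short comment keeps the next maintainer from dropping it as harmless, e.g. `# noscript: its children parse as text or as markup depending on scripting state, so nested tags can survive sanitization (CVE-2024-34341)`. More broadly this stays a three-entry element denylist next to an attribute allowlist; an element allowlist would close the same class of gap for elements not yet named here. The surrounding class continues outside the hunk.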
" + + pasteContent pasteData, () -> + after 20, () -> + assert.deepEqual(window.unsanitized, []) + delete window.unsanitized + done() + + test "paste data-trix-attachment unsafe html", (done) -> + window.unsanitized = [] + pasteData = + "text/plain": "x", + "text/html": "copy
me"
+
+ pasteContent pasteData, ->
+ after 20, ->
+ assert.deepEqual window.unsanitized, []
+ delete window.unsanitized
+ done()
+
 test "prefers plain text when html lacks formatting", (expectDocument) ->
 pasteData =
 "text/html": "a\nb"
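Review bot: Both new tests assert a negative after a fixed `after 20` delay, which only shows that nothing wrote to `window.unsanitized` within 20 ms of the paste; on a slow emulator a deferred handler could fire after the assertion and the test would still pass, so this will not reliably catch a regression of the fix. Asserting on the editor's serialized document as well, checking that the pasted markup arrived with the forbidden element and attachment content stripped, would give a positive, timing-independent check. The two tests also differ in callback style (`() ->` versus `->`) and in `assert.deepEqual(...)` parenthesization; pick one form for both. The HTML payload strings are not legible in this rendering, so their coverage is not reviewed here.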