Fixed #2416 - HTML sanitizer blocks email processing because of an endless loop.

Billy Zhou 2019-01-18 16:33:07 +01:00 committed by Thorsten Eckel
parent cfc1bdbb45
commit 1c55fc0a56
2 changed files with 211 additions and 178 deletions


@ -1,5 +1,7 @@
class HtmlSanitizer
LINKABLE_URL_SCHEMES = URI.scheme_list.keys.map(&:downcase) - ['mailto'] + ['tel']
PROCESSING_TIMEOUT = 10
UNPROCESSABLE_HTML_MSG = 'This message cannot be displayed due to HTML processing issues. Download the raw message below and open it via an Email client if you still wish to view it.'.freeze
=begin
@ -9,7 +11,8 @@ satinize html string based on whiltelist
=end
def self.strict(string, external = false)
def self.strict(string, external = false, timeout: true)
Timeout.timeout(timeout ? PROCESSING_TIMEOUT : nil) do
@fqdn = Setting.get('fqdn')
# config
@ -202,6 +205,9 @@ satinize html string based on whiltelist
Loofah.fragment(string).scrub!(scrubber_link).to_s
end
rescue Timeout::Error => e
UNPROCESSABLE_HTML_MSG
end
=begin
@ -214,7 +220,8 @@ cleanup html string:
=end
def self.cleanup(string)
def self.cleanup(string, timeout: true)
Timeout.timeout(timeout ? PROCESSING_TIMEOUT : nil) do
string.gsub!(/<[A-z]:[A-z]>/, '')
string.gsub!(%r{</[A-z]:[A-z]>}, '')
string.delete!("\t")
@ -230,6 +237,9 @@ cleanup html string:
string = cleanup_structure(string)
string
end
rescue Timeout::Error => e
UNPROCESSABLE_HTML_MSG
end
def self.cleanup_replace_tags(string)
#return string
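Review bot: The `rescue Timeout::Error => e` clauses added to `strict` and `cleanup` bind `e` and then drop it, so a message that burns the whole `PROCESSING_TIMEOUT` budget leaves no trace for operators, even though that is also what a resource-exhaustion attempt against the mail pipeline would look like. Returning `UNPROCESSABLE_HTML_MSG` instead of partly sanitized markup is the right fail-closed result; add a log line before it, for example `Rails.logger.error "HtmlSanitizer.strict: processing exceeded #{PROCESSING_TIMEOUT}s"` (assuming the Rails logger is in scope here), and either log `e.message` or remove the unused `=> e`. In `cleanup` the `gsub!` and `delete!` calls have already modified the caller's string when the timeout fires, so a comment should say that only the return value is valid afterwards. `timeout: false` turns the call into `Timeout.timeout(nil)`, which runs unbounded, so the doc block above each method should state that it is meant for trusted input only; both method bodies extend beyond the visible hunks.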


@ -183,4 +183,27 @@ RSpec.describe HtmlSanitizer do
end
end
end
# Issue #2416 - html_sanitizer goes into loop for specific content
describe '.strict' do
context 'with strings that take a long time (>10s) to parse' do
before { allow(Timeout).to receive(:timeout).and_raise(Timeout::Error) }
it 'returns a timeout error message for the user' do
expect(HtmlSanitizer.strict(+'<img src="/some_one.png">', true))
.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
end
end
end
describe '.cleanup' do
context 'with strings that take a long time (>10s) to parse' do
before { allow(Timeout).to receive(:timeout).and_raise(Timeout::Error) }
it 'returns a timeout error message for the user' do
expect(HtmlSanitizer.cleanup(+'<img src="/some_one.png">'))
.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
end
end
end
end
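Review bot: Both examples assert with `.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)`, which treats the string as a pattern, so a return value that merely contains the message (for instance the message followed by unsanitized markup) would still pass; `.to eq(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)` pins the fail-closed result exactly. Because `Timeout.timeout` is stubbed to raise unconditionally, the specs also never check that the sanitizer passes the configured limit or that `timeout: false` lifts it. Adding `expect(Timeout).to have_received(:timeout).with(HtmlSanitizer::PROCESSING_TIMEOUT)` to each example would cover the first case, and a separate context calling `HtmlSanitizer.cleanup(..., timeout: false)` without the stub would cover the second.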