gitea/modules/markup/sanitizer.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// Copyright 2017 The Gogs Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package markup

import (
	"regexp"
	"sync"

	"github.com/microcosm-cc/bluemonday"
)

// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow
// any modification to the underlying policies once it's been created.
type Sanitizer struct {
	defaultPolicy     *bluemonday.Policy
	descriptionPolicy *bluemonday.Policy
	rendererPolicies  map[string]*bluemonday.Policy
	allowAllRegex     *regexp.Regexp
}

var (
	defaultSanitizer     *Sanitizer
	defaultSanitizerOnce sync.Once
)

func GetDefaultSanitizer() *Sanitizer {
	defaultSanitizerOnce.Do(func() {
		defaultSanitizer = &Sanitizer{
			rendererPolicies: map[string]*bluemonday.Policy{},
			allowAllRegex:    regexp.MustCompile(".+"),
		}
		for name, renderer := range renderers {
			sanitizerRules := renderer.SanitizerRules()
			if len(sanitizerRules) > 0 {
				policy := defaultSanitizer.createDefaultPolicy()
				defaultSanitizer.addSanitizerRules(policy, sanitizerRules)
				defaultSanitizer.rendererPolicies[name] = policy
			}
		}
		defaultSanitizer.defaultPolicy = defaultSanitizer.createDefaultPolicy()
		defaultSanitizer.descriptionPolicy = defaultSanitizer.createRepoDescriptionPolicy()
	})
	return defaultSanitizer
}

func ResetDefaultSanitizerForTesting() {
	defaultSanitizer = nil
	defaultSanitizerOnce = sync.Once{}
}
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 05:52:24 +03:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
			`// Copyright 2017 The Gogs Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 21:20:29 +03:00			`// SPDX-License-Identifier: MIT`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 05:52:24 +03:00
Restructure markup & markdown to prepare for multiple markup language… (#2411) * restructure markup & markdown to prepare for multiple markup languages support * adjust some functions between markdown and markup * fix tests * improve the comments 2017-09-16 20:17:57 +03:00			`package markup`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 05:52:24 +03:00
			`import (`
			`"regexp"`
			`"sync"`

			`"github.com/microcosm-cc/bluemonday"`
			`)`

			`// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow`
			`// any modification to the underlying policies once it's been created.`
			`type Sanitizer struct {`
Use restricted sanitizer for repository description (#28141) - Currently the repository description uses the same sanitizer as a normal markdown document. This means that element such as heading and images are allowed and can be abused. - Create a minimal restricted sanitizer for the repository description, which only allows what the postprocessor currently allows, which are links and emojis. - Added unit testing. - Resolves https://codeberg.org/forgejo/forgejo/issues/1202 - Resolves https://codeberg.org/Codeberg/Community/issues/1122 (cherry picked from commit 631c87cc2347f0036a75dcd21e24429bbca28207) Co-authored-by: Gusted <postmaster@gusted.xyz> 2023-11-23 19:34:25 +03:00			`defaultPolicy *bluemonday.Policy`
			`descriptionPolicy *bluemonday.Policy`
			`rendererPolicies map[string]*bluemonday.Policy`
Split sanitizer functions and fine-tune some tests (#31192) 2024-05-31 16:26:01 +03:00			`allowAllRegex *regexp.Regexp`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 05:52:24 +03:00			`}`

Allow all URL schemes in Markdown links by default (#24805) - Closes #21146 - Closes #16721 ## :warning: BREAKING :warning: This changes the default behavior to now create links for any URL scheme when the user uses the markdown form for links (`[label](URL)`), this doesn't affect the rendering of inline links. To opt-out set the `markdown.CUSTOM_URL_SCHEMES` setting to a list of allowed schemes, all other schemes (except `http` and `https`) won't be allowed. # Before ![image](https://github.com/go-gitea/gitea/assets/20454870/35fa18ce-7dda-4995-b5b3-3f360f38296d) # After ![image](https://github.com/go-gitea/gitea/assets/20454870/0922216b-0b35-4b77-9919-21a5c21dd5d0) --------- Signed-off-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: Giteabot <teabot@gitea.io> 2023-05-19 18:17:07 +03:00			`var (`
Split sanitizer functions and fine-tune some tests (#31192) 2024-05-31 16:26:01 +03:00			`defaultSanitizer *Sanitizer`
			`defaultSanitizerOnce sync.Once`
Allow all URL schemes in Markdown links by default (#24805) - Closes #21146 - Closes #16721 ## :warning: BREAKING :warning: This changes the default behavior to now create links for any URL scheme when the user uses the markdown form for links (`[label](URL)`), this doesn't affect the rendering of inline links. To opt-out set the `markdown.CUSTOM_URL_SCHEMES` setting to a list of allowed schemes, all other schemes (except `http` and `https`) won't be allowed. # Before ![image](https://github.com/go-gitea/gitea/assets/20454870/35fa18ce-7dda-4995-b5b3-3f360f38296d) # After ![image](https://github.com/go-gitea/gitea/assets/20454870/0922216b-0b35-4b77-9919-21a5c21dd5d0) --------- Signed-off-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: Giteabot <teabot@gitea.io> 2023-05-19 18:17:07 +03:00			`)`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 05:52:24 +03:00
Split sanitizer functions and fine-tune some tests (#31192) 2024-05-31 16:26:01 +03:00			`func GetDefaultSanitizer() *Sanitizer {`
			`defaultSanitizerOnce.Do(func() {`
			`defaultSanitizer = &Sanitizer{`
			`rendererPolicies: map[string]*bluemonday.Policy{},`
			`allowAllRegex: regexp.MustCompile(".+"),`
Disallow dangerous url schemes (#25960) Regression: https://github.com/go-gitea/gitea/pull/24805 Closes: #25945 - Disallow `javascript`, `vbscript` and `data` (data uri images still work) url schemes even if all other schemes are allowed - Fixed older `cbthunderlink` tests --------- Co-authored-by: delvh <dev.lh@web.de> 2023-07-18 18:18:37 +03:00			`}`
Split sanitizer functions and fine-tune some tests (#31192) 2024-05-31 16:26:01 +03:00			`for name, renderer := range renderers {`
			`sanitizerRules := renderer.SanitizerRules()`
			`if len(sanitizerRules) > 0 {`
			`policy := defaultSanitizer.createDefaultPolicy()`
			`defaultSanitizer.addSanitizerRules(policy, sanitizerRules)`
			`defaultSanitizer.rendererPolicies[name] = policy`
Add sanitizer rules per renderer (#16110) * Added sanitizer rules per renderer. * Updated documentation. Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-06-24 00:09:51 +03:00			`}`
Markdown: Sanitizier Configuration (#9075) * Support custom sanitization policy Allowing the gitea administrator to configure sanitization policy allows them to couple external renders and custom templates to support more markup. In particular, the `pandoc` renderer allows generating KaTeX annotations, wrapping them in `<span>` elements with class `math` and either `inline` or `display` (depending on whether or not inline or block mode was requested). This iteration gives the administrator whitelisting powers; carefully crafted regexes will thus let through only the desired attributes necessary to support their custom markup. Resolves: #9054 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Document new sanitization configuration - Adds basic documentation to app.ini.sample, - Adds an example to the Configuration Cheat Sheet, and - Adds extended information to External Renderers section. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Drop extraneous length check in newMarkupSanitizer(...) Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Fix plural ELEMENT and ALLOW_ATTR in docs These were left over from their initial names. Make them singular to conform with the current expectations. Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com> 2019-12-07 22:49:04 +03:00			`}`
Split sanitizer functions and fine-tune some tests (#31192) 2024-05-31 16:26:01 +03:00			`defaultSanitizer.defaultPolicy = defaultSanitizer.createDefaultPolicy()`
			`defaultSanitizer.descriptionPolicy = defaultSanitizer.createRepoDescriptionPolicy()`
			`})`
			`return defaultSanitizer`
Sanitation fix from Gogs (#1461) * Santiation fix from Gogs * Linting * Fix build-errors * still not working * Fix all the things! * gofmt * Add code-injection checks 2017-04-13 05:52:24 +03:00			`}`

Split sanitizer functions and fine-tune some tests (#31192) 2024-05-31 16:26:01 +03:00			`func ResetDefaultSanitizerForTesting() {`
			`defaultSanitizer = nil`
			`defaultSanitizerOnce = sync.Once{}`
Change markdown rendering from blackfriday to goldmark (#9533) * Move to goldmark Markdown rendering moved from blackfriday to the goldmark. Multiple subtle changes required to the goldmark extensions to keep current rendering and defaults. Can go further with goldmark linkify and have this work within markdown rendering making the link processor unnecessary. Need to think about how to go about allowing extensions - at present it seems that these would be hard to do without recompilation. * linter fixes Co-authored-by: Lauris BH <lauris@nix.lv> 2019-12-31 04:53:28 +03:00			`}`