Fix CSS injection

2018-01-11 18:09:01 +01:00 · 2018-01-11 18:09:01 +01:00 · 6a43248cb3
commit 6a43248cb3
parent a6cdf714a6
7 changed files with 14 additions and 5 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -68,7 +68,7 @@ jobs:
          command: bundle exec rubocop -R
      - run:
          name: Run brakeman
-          command: bundle exec brakeman --no-exit-on-warn
+          command: bundle exec brakeman -z
      - run:
          name: Run haml-lint
          command: bundle exec haml-lint app/views/
--- a/2
+++ b/2
@ -94,6 +94,8 @@ gem 'skylight'

 gem 'scenic'

+gem 'sanitize-url'
+
 # Cron jobs
 gem 'delayed_job_active_record'
 gem "daemons"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -593,6 +593,7 @@ GEM
      sexp_processor (~> 4.9)
    rubyzip (1.0.0)
    safe_yaml (1.0.4)
+    sanitize-url (0.1.4)
    sass (3.4.22)
    sass-rails (5.0.6)
      railties (>= 4.0.0, < 6)
@ -782,6 +783,7 @@ DEPENDENCIES
  rspec_junit_formatter
  rubocop
  rubocop-rspec-focused
+  sanitize-url
  sass-rails (~> 5.0)
  scenic
  scss_lint
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -1,4 +1,10 @@
 module ApplicationHelper
+  include SanitizeUrl
+
+  def sanitize_url(url)
+    super(url, schemes: ['http', 'https'], replace_evil_with: root_url)
+  end
+
  def flash_class(level)
    case level
    when "notice" then "alert-success"
--- a/app/views/admin/procedures/show.html.haml
+++ b/app/views/admin/procedures/show.html.haml
@ -47,7 +47,7 @@
      %h3 Lien procédure
      %div{ style: 'margin-left: 3%;' }
        - if @facade.procedure.publiee_ou_archivee?
-          = link_to @facade.procedure.lien, @facade.procedure.lien, target: '_blank'
+          = link_to @facade.procedure.lien, sanitize_url(@facade.procedure.lien), target: :blank
        - else
          %b
            Cette procédure n'a pas encore été publiée et n'est donc pas accessible par le public.
--- a/app/views/dossiers/etapes/_etape1.html.haml
+++ b/app/views/dossiers/etapes/_etape1.html.haml
@ -20,5 +20,4 @@

        - if @facade.procedure.lien_site_web.present?
          .center
-            %a{ href: @facade.procedure.lien_site_web, target: '_blank' }
-              En savoir plus ...
+            = link_to "En savoir plus ...", sanitize_url(@facade.procedure.lien_site_web), target: '_blank'
--- a/app/views/users/description/_pieces_justificatives.html.haml
+++ b/app/views/users/description/_pieces_justificatives.html.haml
@ -7,7 +7,7 @@
        - if dossier.procedure.lien_demarche.present?
          %em
            Récupérer le formulaire de demande ou CERFA vierge pour mon dossier :
-            = link_to "Télécharger", "#{dossier.procedure.lien_demarche}", target: :blank, id: :lien_cerfa
+            = link_to "Télécharger", sanitize_url(dossier.procedure.lien_demarche), target: :blank, id: :lien_cerfa
            -# %a#lien_cerfa{ href: "#{dossier.procedure.lien_demarche}", target: '_blank' } Télécharger

      %td