Merge pull request #3498 from evazion/fix-3497

Fix #3497: Invalid DText denial of service attack
2018-01-15 11:07:43 -08:00
parent 33e25314e7 88f4a56890
commit 20487e131d
29 changed files with 26 additions and 64 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -51,10 +51,12 @@ module ApplicationHelper
  def format_text(text, **options)
    raw DTextRagel.parse(text, **options)
  rescue DTextRagel::Error => e
    raw ""
  end
  def strip_dtext(text)
-    raw(DTextRagel.parse_strip(text))
+    format_text(text, strip: true)
  end
  def error_messages_for(instance_name)
--- a/app/presenters/wiki_page_presenter.rb
+++ b/app/presenters/wiki_page_presenter.rb
@@ -9,10 +9,6 @@ class WikiPagePresenter
    wiki_page.body
  end
  def blurb
    DTextRagel.parse_strip(excerpt.to_s)
  end
  # Produce a formatted page that shows the difference between two versions of a page.
  def diff(other_version)
    pattern = Regexp.new('(?:<.+?>)|(?:[0-9_A-Za-z\x80-\xff]+[\x09\x20]?)|(?:[ \t]+)|(?:\r?\n)|(?:.+?)')
--- a/app/views/posts/index.html.erb
+++ b/app/views/posts/index.html.erb
@@ -72,7 +72,7 @@
    <%= content_tag :link, nil, rel: "prev", href: prev_page_url %>
  <% end %>
  <% if @post_set.has_wiki? %>
-    <meta name="description" content="<%= @post_set.wiki_page.presenter.blurb %>">
+    <meta name="description" content="<%= strip_dtext(@post_set.wiki_page.presenter.excerpt) %>">
  <% else %>
    <meta name="description" content="<%= Danbooru.config.description %>">
  <% end %>
--- a/app/views/wiki_pages/show.html.erb
+++ b/app/views/wiki_pages/show.html.erb
@@ -44,7 +44,7 @@
 <% end %>
 <% content_for(:html_header) do %>
-  <meta name="description" content="<%= @wiki_page.presenter.blurb %>"></meta>
+  <meta name="description" content="<%= strip_dtext(@wiki_page.presenter.excerpt) %>"></meta>
 <% end %>
 <%= render "secondary_links" %>
--- a/test/functional/iqdb_queries_controller_test.rb
+++ b/test/functional/iqdb_queries_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/iqdb_test_helper'
 class IqdbQueriesControllerTest < ActionController::TestCase
  include IqdbTestHelper
  context "The iqdb controller" do
    setup do
      @user = FactoryGirl.create(:user)
--- a/test/functional/pool_elements_controller_test.rb
+++ b/test/functional/pool_elements_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/pool_archive_test_helper'
 class PoolElementsControllerTest < ActionController::TestCase
  include PoolArchiveTestHelper
  context "The pools posts controller" do
    setup do
      mock_pool_archive_service!
--- a/test/functional/pool_versions_controller_test.rb
+++ b/test/functional/pool_versions_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/pool_archive_test_helper'
 class PoolVersionsControllerTest < ActionController::TestCase
  include PoolArchiveTestHelper
  context "The pool versions controller" do
    setup do
      mock_pool_archive_service!
--- a/test/functional/pools_controller_test.rb
+++ b/test/functional/pools_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/pool_archive_test_helper'
 class PoolsControllerTest < ActionController::TestCase
  include PoolArchiveTestHelper
  context "The pools controller" do
    setup do
      Timecop.travel(1.month.ago) do
--- a/test/functional/post_versions_controller_test.rb
+++ b/test/functional/post_versions_controller_test.rb
@@ -1,11 +1,9 @@
 require 'test_helper'
 require 'helpers/post_archive_test_helper'
 class PostVersionsControllerTest < ActionController::TestCase
  include PostArchiveTestHelper
  def setup
    super
    @user = FactoryGirl.create(:user)
    CurrentUser.user = @user
    CurrentUser.ip_addr = "127.0.0.1"
@@ -13,6 +11,7 @@ class PostVersionsControllerTest < ActionController::TestCase
  def teardown
    super
    CurrentUser.user = nil
    CurrentUser.ip_addr = nil
  end
--- a/test/functional/reports_controller_test.rb
+++ b/test/functional/reports_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/post_archive_test_helper'
 class ReportsControllerTest < ActionController::TestCase
  include PostArchiveTestHelper
  def setup
    super
--- a/test/functional/saved_searches_controller_test.rb
+++ b/test/functional/saved_searches_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/saved_search_test_helper'
 class SavedSearchesControllerTest < ActionController::TestCase
  include SavedSearchTestHelper
  context "The saved searches controller" do
    setup do
      @user = FactoryGirl.create(:user)
--- a/test/functional/uploads_controller_test.rb
+++ b/test/functional/uploads_controller_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/iqdb_test_helper'
 class UploadsControllerTest < ActionController::TestCase
  include IqdbTestHelper
  def setup
    super
    mock_iqdb_service!
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -0,0 +1,14 @@
 require "test_helper"
 class ApplicationHelperTest < ActionView::TestCase
  context "The application helper" do
    context "format_text method" do
      should "not raise an exception for invalid DText" do
        dtext = "* a\n" * 513
        assert_nothing_raised { format_text(dtext) }
        assert_equal("", format_text(dtext))
      end
    end
  end
 end
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -14,7 +14,7 @@ require 'cache'
 require 'webmock/minitest'
 Dir[File.expand_path(File.dirname(__FILE__) + "/factories/*.rb")].each {|file| require file}
-Dir[File.expand_path(File.dirname(__FILE__) + "/helpers/*.rb")].each {|file| require file}
+Dir[File.expand_path(File.dirname(__FILE__) + "/test_helpers/*.rb")].each {|file| require file}
 Shoulda::Matchers.configure do |config|
  config.integrate do |with|
@@ -24,8 +24,12 @@ end
 class ActiveSupport::TestCase
  include PostArchiveTestHelper
  include PoolArchiveTestHelper
  include ReportbooruHelper
  include DownloadTestHelper
  include IqdbTestHelper
  include SavedSearchTestHelper
  include UploadTestHelper
  setup do
    mock_popular_search_service!
@@ -40,8 +44,6 @@ class ActiveSupport::TestCase
 end
 class ActionController::TestCase
  include PostArchiveTestHelper
  def assert_authentication_passes(action, http_method, role, params, session)
    __send__(http_method, action, params, session.merge(:user_id => @users[role].id))
    assert_response :success
--- a/test/test_helpers/download_helper.rb
+++ b/test/test_helpers/download_helper.rb
--- a/test/test_helpers/iqdb_test_helper.rb
+++ b/test/test_helpers/iqdb_test_helper.rb
--- a/test/test_helpers/pool_archive_test_helper.rb
+++ b/test/test_helpers/pool_archive_test_helper.rb
--- a/test/test_helpers/post_archive_test_helper.rb
+++ b/test/test_helpers/post_archive_test_helper.rb
--- a/test/test_helpers/reportbooru_helper.rb
+++ b/test/test_helpers/reportbooru_helper.rb
--- a/test/test_helpers/saved_search_test_helper.rb
+++ b/test/test_helpers/saved_search_test_helper.rb
--- a/test/test_helpers/upload_test_helper.rb
+++ b/test/test_helpers/upload_test_helper.rb
--- a/test/unit/moderator/tag_batch_change_test.rb
+++ b/test/unit/moderator/tag_batch_change_test.rb
@@ -1,10 +1,7 @@
 require "test_helper"
 require 'helpers/saved_search_test_helper'
 module Moderator
  class TagBatchChangeTest < ActiveSupport::TestCase
    include SavedSearchTestHelper
    def setup
      super
      mock_saved_search_service!
--- a/test/unit/pool_test.rb
+++ b/test/unit/pool_test.rb
@@ -1,11 +1,8 @@
 # encoding: utf-8
 require 'test_helper'
 require 'helpers/pool_archive_test_helper'
 class PoolTest < ActiveSupport::TestCase
  include PoolArchiveTestHelper
  setup do
    Timecop.travel(1.month.ago) do
      @user = FactoryGirl.create(:user)
--- a/test/unit/post_replacement_test.rb
+++ b/test/unit/post_replacement_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/iqdb_test_helper'
 class PostReplacementTest < ActiveSupport::TestCase
  include IqdbTestHelper
  def upload_file(path, filename, &block)
    Tempfile.open do |file|
      file.write(File.read(path))
--- a/test/unit/post_sets/pool_test.rb
+++ b/test/unit/post_sets/pool_test.rb
@@ -1,10 +1,7 @@
 require 'test_helper'
 require 'helpers/pool_archive_test_helper'
 module PostSets
  class PoolTest < ActiveSupport::TestCase
    include PoolArchiveTestHelper
    context "In all cases" do
      setup do
        @user = FactoryGirl.create(:user)
--- a/test/unit/post_test.rb
+++ b/test/unit/post_test.rb
@@ -1,13 +1,6 @@
 require 'test_helper'
 require 'helpers/pool_archive_test_helper'
 require 'helpers/saved_search_test_helper'
 require 'helpers/iqdb_test_helper'
 class PostTest < ActiveSupport::TestCase
  include PoolArchiveTestHelper
  include SavedSearchTestHelper
  include IqdbTestHelper
  def assert_tag_match(posts, query)
    assert_equal(posts.map(&:id), Post.tag_match(query).pluck(:id))
  end
--- a/test/unit/saved_search_test.rb
+++ b/test/unit/saved_search_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/saved_search_test_helper'
 class SavedSearchTest < ActiveSupport::TestCase
  include SavedSearchTestHelper
  def setup
    super
    @user = FactoryGirl.create(:user)
--- a/test/unit/tag_alias_test.rb
+++ b/test/unit/tag_alias_test.rb
@@ -1,9 +1,6 @@
 require 'test_helper'
 require 'helpers/saved_search_test_helper'
 class TagAliasTest < ActiveSupport::TestCase
  include SavedSearchTestHelper
  context "A tag alias" do
    setup do
      Timecop.travel(1.month.ago) do
--- a/test/unit/upload_test.rb
+++ b/test/unit/upload_test.rb
@@ -1,11 +1,6 @@
 require 'test_helper'
 require 'helpers/iqdb_test_helper'
 require 'helpers/upload_test_helper'
 class UploadTest < ActiveSupport::TestCase
  include IqdbTestHelper
  include UploadTestHelper
  def setup
    super