
Sanitation fix from Gogs #1461

Merged
merged 7 commits into from
Apr 13, 2017

Conversation

bkcsoft
Member

@bkcsoft bkcsoft commented Apr 7, 2017

No description provided.

@bkcsoft bkcsoft requested review from lunny and tboerger April 7, 2017 07:31
@tboerger
Member

tboerger commented Apr 7, 2017

LGTM

@tboerger tboerger added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Apr 7, 2017
@tboerger tboerger added this to the 1.2.0 milestone Apr 7, 2017
@appleboy
Member

appleboy commented Apr 7, 2017

LGTM

@tboerger tboerger added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 7, 2017

"github.com/microcosm-cc/bluemonday"

"github.com/gogits/gogs/modules/setting"
Member

github.com/go-gitea/gitea

Member

actually "code.gitea.io/gitea/modules/setting"

Member

Good catch

Member

^

Member Author

Noted

import (
"testing"

. "github.com/smartystreets/goconvey/convey"
Member

goconvey has been removed before. I think changing this test file to github.com/stretchr/testify is better.

@bkcsoft
Member Author

bkcsoft commented Apr 7, 2017

I'm getting nil-panics in some tests 🙄

@ChALkeR

ChALkeR commented Apr 9, 2017

@bkcsoft
Member Author

bkcsoft commented Apr 10, 2017

And done! @appleboy @lunny please re-review 😄

@@ -48,10 +48,19 @@ func NewSanitizer() {

// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.
func Sanitize(s string) string {
if sanitizer == nil {
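Review bot: the `if sanitizer == nil` check at the top of `Sanitize` is a check-then-act on a package-level variable: two goroutines calling `Sanitize` before initialization can both observe nil and both run `NewSanitizer`, and the read itself is not synchronized with the write. Guard the lazy path with a `sync.Once` (call the Once-wrapped initializer unconditionally and drop the nil check) or initialize eagerly from `init()`.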
Member

It seems a race problem?


"github.com/microcosm-cc/bluemonday"

"code.gitea.io/gitea/modules/setting"
Member

merge the gitea internal packages.


// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.
func Sanitize(s string) string {
if sanitizer.policy == nil {
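Review bot: `sanitizer.policy == nil` is still an unsynchronized read of a field that `NewSanitizer` writes inside its `sync.Once`; the race detector reports that read even though the `Once` makes the write itself safe. Calling `NewSanitizer()` unconditionally at the top of `Sanitize` removes the racy read and costs only an atomic load after the first call.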
Member

how about

func init() {
NewSanitizer()
}

?

Member Author

We don't wanna initialize it unless we need to.

Member

But this may be a race problem.

Member Author

It uses sync.Once so there's no race-condition that I can see...

Member

OK
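The lazily-initialized, sync.Once-guarded sanitizer that this review thread converges on, as an added example rather than Gitea's own code: it swaps bluemonday's policy for plain html.EscapeString (an assumption, so it runs offline), and the ConcurrentSanitize helper shows that many simultaneous first callers still build the policy exactly once.

```go
package main

import (
	"html"
	"sync"
	"sync/atomic"
)

// Sanitizer has the shape the thread settles on: the policy is built lazily and
// a sync.Once guards the build. The policy field stands in for bluemonday's
// *Policy (an assumption of this example, not Gitea's code): plain HTML escaping.
type Sanitizer struct {
	init   sync.Once
	policy func(string) string
	builds int32 // how often the policy was constructed; demo bookkeeping only
}
var sanitizer = &Sanitizer{}

// NewSanitizer constructs the policy at most once across all goroutines.
func NewSanitizer() {
	sanitizer.init.Do(func() {
		atomic.AddInt32(&sanitizer.builds, 1)
		sanitizer.policy = html.EscapeString
	})
}

// Sanitize calls the Once-guarded initializer unconditionally instead of testing
// `sanitizer.policy == nil` first: that check is an unsynchronized read (flagged
// by `go test -race`); Once.Do is cheap after the first call and publishes the write.
func Sanitize(s string) string {
	NewSanitizer()
	return sanitizer.policy(s)
}
// PolicyBuilds reports how many times the policy has been constructed.
func PolicyBuilds() int32 { return atomic.LoadInt32(&sanitizer.builds) }
// ConcurrentSanitize pushes input through Sanitize from n goroutines at once;
// afterwards PolicyBuilds() is still 1, however large n is.
func ConcurrentSanitize(n int, input string) []string {
	out := make([]string, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			out[i] = Sanitize(input)
		}(i)
	}
	wg.Wait()
	return out
}
```

Running the package under `go test -race` is the meaningful check: the Once-guarded version stays clean, whereas a version that reads `sanitizer.policy == nil` before initializing is reported.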

@lunny
Member

lunny commented Apr 13, 2017

let L-G-T-M work

@lunny lunny merged commit d409d3a into master Apr 13, 2017
@lunny
Member

lunny commented Apr 13, 2017

@bkcsoft could you send a backport to v1.1.1?

lunny added a commit to lunny/gitea that referenced this pull request Apr 19, 2017
lunny added a commit that referenced this pull request Apr 19, 2017
@bkcsoft bkcsoft deleted the bkcsoft/fix-code-injection branch June 15, 2017 02:42
@bkcsoft bkcsoft added the backport/done All backports for this PR have been created label Jul 10, 2017
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020