resolves #3765 download and embed custom remote stylesheet if allow-u…

…ri-read is set
asciidoctor · Sep 28, 2020 · dc49b35 · dc49b35
1 parent 99af074
commit dc49b35
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 1 deletion.
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -13,6 +13,12 @@ endif::[]
 This document provides a high-level view of the changes introduced in Asciidoctor by release.
 For a detailed view of what has changed, refer to the {uri-repo}/commits/master[commit history] on GitHub.
 
+== Unrelease (minor)
+
+Enhancements / Compliance::
+
+  * Download and embed remote custom stylesheet if allow-uri-read is set (#3765)
+
 == Unreleased
 
 Bug Fixes::

diff --git a/lib/asciidoctor/converter/html5.rb b/lib/asciidoctor/converter/html5.rb
@@ -138,7 +138,7 @@ def convert_document node
         result << %(<link rel="stylesheet" href="#{node.normalize_web_path((node.attr 'stylesheet'), (node.attr 'stylesdir', ''))}"#{slash}>)
       else
         result << %(<style>
-#{node.read_asset node.normalize_system_path((node.attr 'stylesheet'), (node.attr 'stylesdir', '')), warn_on_failure: true, label: 'stylesheet'}
+#{node.read_contents (node.attr 'stylesheet'), start: (node.attr 'stylesdir'), warn_on_failure: true, label: 'stylesheet'}
 </style>)
       end
     end

diff --git a/test/api_test.rb b/test/api_test.rb
@@ -1153,6 +1153,23 @@ def for name
       refute_empty styles.strip
     end
 
+    test 'should embed remote stylesheet by default if SafeMode is less than SECURE and allow-uri-read is set' do
+      input = <<~'EOS'
+      = Document Title
+
+      text
+      EOS
+
+      output = using_test_webserver do
+        Asciidoctor.convert input, safe: Asciidoctor::SafeMode::SERVER, standalone: true, attributes: { 'allow-uri-read' => '', 'stylesheet' => %(http://#{resolve_localhost}:9876/fixtures/custom.css) }
+      end
+      stylenode = xmlnodes_at_css 'html:root > head > style', output, 1
+      styles = stylenode.content
+      refute_nil styles
+      refute_empty styles.strip
+      assert_include 'color: green', styles
+    end
+
     test 'should not allow linkcss be unset from document if SafeMode is SECURE or greater' do
       input = <<~'EOS'
       = Document Title
@@ -1244,6 +1261,40 @@ def for name
       refute_empty styles.strip
     end
 
+    test 'should embed custom remote stylesheet if SafeMode is less than SECURE and allow-uri-read is set' do
+      input = <<~'EOS'
+      = Document Title
+
+      text
+      EOS
+
+      output = using_test_webserver do
+        Asciidoctor.convert input, safe: Asciidoctor::SafeMode::SERVER, standalone: true, attributes: { 'allow-uri-read' => '', 'stylesheet' => %(http://#{resolve_localhost}:9876/fixtures/custom.css) }
+      end
+      stylenode = xmlnodes_at_css 'html:root > head > style', output, 1
+      styles = stylenode.content
+      refute_nil styles
+      refute_empty styles.strip
+      assert_include 'color: green', styles
+    end
+
+    test 'should embed custom stylesheet in remote stylesdir if SafeMode is less than SECURE and allow-uri-read is set' do
+      input = <<~'EOS'
+      = Document Title
+
+      text
+      EOS
+
+      output = using_test_webserver do
+        Asciidoctor.convert input, safe: Asciidoctor::SafeMode::SERVER, standalone: true, attributes: { 'allow-uri-read' => '', 'stylesdir' => %(http://#{resolve_localhost}:9876/fixtures), 'stylesheet' => 'custom.css' }
+      end
+      stylenode = xmlnodes_at_css 'html:root > head > style', output, 1
+      styles = stylenode.content
+      refute_nil styles
+      refute_empty styles.strip
+      assert_include 'color: green', styles
+    end
+
     test 'should convert source file and write result to adjacent file by default' do
       sample_input_path = fixture_path('sample.adoc')
       sample_output_path = fixture_path('sample.html')