
SECURITY: Multiple commits for version bump beta3 #20710

Merged
merged 7 commits into from Mar 16, 2023

Conversation

oblakeerickson
Member

SECURITY: Fix XSS in full name composer reply
SECURITY: Monkey-patch web-push gem to use safer HTTP client
SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses
SECURITY: XSS on chat excerpts
FIX: Escaped mentions in chat excerpts
SECURITY: Add FinalDestination::FastImage that's SSRF safe

oblakeerickson and others added 6 commits March 16, 2023 13:08
We are using htmlSafe when rendering the name field so we need to escape
any html being passed in.

`FinalDestination::HTTP` is our patch of `Net::HTTP` which defends us
against SSRF and DNS rebinding attacks.
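The third commit in this PR closes an SSRF protection bypass via IPv4-mapped IPv6 addresses. As an added illustration (constructed here, not Discourse's `FinalDestination` code), the naive allow check below compares an address only against ranges of its own family, so the IPv6 literal `::ffff:127.0.0.1` slips past the IPv4 loopback rule; the hardened check unwraps the mapped address first. The block lists and function names are assumptions, and the address is passed in already resolved (the commit above puts this kind of check inside a patched `Net::HTTP` so it sees the address actually connected to).

```ruby
require "socket"
require "ipaddr"

# Constructed example, not Discourse's FinalDestination code. Ranges an
# outbound fetcher must never reach (loopback, RFC 1918, link-local, ULA).
BLOCKED_V4 = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16]
  .map { |cidr| IPAddr.new(cidr) }.freeze
BLOCKED_V6 = %w[::1/128 fc00::/7 fe80::/10].map { |cidr| IPAddr.new(cidr) }.freeze

# Naive check: an address is only compared against ranges of its own family.
# "::ffff:127.0.0.1" is an IPv6 literal, so it is tested against BLOCKED_V6,
# matches nothing, and is allowed even though the socket lands on loopback.
def naive_allowed?(address)
  ip = IPAddr.new(address)
  ranges = ip.ipv4? ? BLOCKED_V4 : BLOCKED_V6
  ranges.none? { |range| range.include?(ip) }
end

# Hardened check: unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to the
# embedded IPv4 address before consulting the block list. The low 32 bits of
# the 128-bit value are the IPv4 address.
def allowed?(address)
  ip = IPAddr.new(address)
  ip = IPAddr.new(ip.to_i & 0xffff_ffff, Socket::AF_INET) if ip.ipv4_mapped?
  ranges = ip.ipv4? ? BLOCKED_V4 : BLOCKED_V6
  ranges.none? { |range| range.include?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample addresses: mapped loopback, mapped RFC 1918, plain
  # loopback, a public documentation address (TEST-NET-3) and IPv6 loopback.
  %w[::ffff:127.0.0.1 ::ffff:10.0.0.5 127.0.0.1 203.0.113.10 ::1].each do |addr|
    puts "#{addr.ljust(18)} naive=#{naive_allowed?(addr)} hardened=#{allowed?(addr)}"
  end
end
```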
Non-markdown tags weren't being escaped in chat excerpts. This could be
triggered by editing a chat message containing a tag (self XSS), or by
replying to a chat message with a tag (XSS).

Co-authored-by: Jan Cernik <jancernik12@gmail.com>
Mentions are now displayed using the non-cooked message, which fixes
the problem. This is not ideal. I think we might want to rework how
these excerpts are created and rendered in the near future.

Co-authored-by: Jan Cernik <jancernik12@gmail.com>
@github-actions github-actions bot added the chat PRs which include a change to Chat plugin label Mar 16, 2023
The screenshot looks good, but the test appears to be bad. Skipping this
test for now, will follow up later.
@oblakeerickson oblakeerickson merged commit 5103d24 into main Mar 16, 2023
13 checks passed
@oblakeerickson oblakeerickson deleted the security-version-bump-beta3 branch March 16, 2023 21:27