
Commit 1b8fd33

Add option forbidden_inline_options
It is sometimes necessary to restrict the options that can be set inline, i.e. using the {::options ...} extensions. By default, the template option is now forbidden to avoid possible security problems. This addresses CVE-2020-14001.
1 parent dd1bab4 commit 1b8fd33

3 files changed

+18
-0
lines changed

Diff for: lib/kramdown/options.rb

+10
Original file line numberDiff line numberDiff line change
@@ -589,6 +589,16 @@ def self.simple_hash_validator(val, name)
589589
Used by: HTML converter
590590
EOF
591591

592+
define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|
593+
Defines the options that may not be set using the {::options} extension
594+
595+
Default: template
596+
Used by: HTML converter
597+
EOF
598+
val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item }
599+
simple_array_validator(val, :forbidden_inline_options)
600+
end
601+
592602
end
593603

594604
end
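Review bot: `val.map!` runs before `simple_array_validator(val, :forbidden_inline_options)`, so if the validator is what normalises non-array input (a comma-separated string from a command line, say) into an array, that normalisation comes too late: a String value reaches `map!` first and fails with NoMethodError instead of the validator's descriptive error, and `map!` also mutates the caller's array in place. Consider `val = simple_array_validator(val, :forbidden_inline_options)` first and then mapping the result with a non-destructive `map`. The doc string could also state that entries are option names and are converted to symbols, which is what the `str_to_sym` call does here.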

Diff for: lib/kramdown/parser/kramdown/extensions.rb

+6
Original file line numberDiff line numberDiff line change
@@ -110,6 +110,12 @@ def handle_extension(name, opts, body, type, line_no = nil)
110110
opts.select do |k, v|
111111
k = k.to_sym
112112
if Kramdown::Options.defined?(k)
113+
if @options[:forbidden_inline_options].include?(k) ||
114+
k == :forbidden_inline_options
115+
warning("Option #{k} may not be set inline")
116+
next false
117+
end
118+
113119
begin
114120
val = Kramdown::Options.parse(k, v)
115121
@options[k] = val
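Review bot: the guard compares the symbol `k` against `@options[:forbidden_inline_options]` with `include?`, which only matches if that array holds symbols; that is guaranteed when the option went through the validator in options.rb (`str_to_sym`), but an `@options` hash assembled directly with string entries such as `['template']` would never match and the restriction would be silently bypassed. Normalising with `.map(&:to_sym)` here, or documenting that the list must contain symbols, would make the check robust. Including `k == :forbidden_inline_options` in the same condition is the right call, since otherwise an inline `{::options}` extension could clear the list before a later one sets `template`.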

Diff for: test/testcases/block/12_extension/options.text

+2
Original file line numberDiff line numberDiff line change
@@ -19,3 +19,5 @@ some <span>*para*</span>
1919
Some text[^ab].
2020

2121
[^ab]: Some text.
22+
23+
{::options template="/etc/passwd" /}
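Review bot: the new test case only exercises the default entry (`template`); nothing covers a user-configured forbidden option or the self-protection branch `k == :forbidden_inline_options` added in extensions.rb, and since no expected-output file changes in this commit, the test passes because the blocked extension emits no output rather than because the warning was produced. Consider a test that parses with a custom `forbidden_inline_options` list and asserts that the document's `warnings` contain `may not be set inline`.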
