
Add option for custom js (like custom css) #661

Merged
merged 1 commit into from
Mar 20, 2013

Conversation

simonista
Contributor

  • Add a new 'js' flag to indicate you want to embed a file named 'custom.js'
    which should exist at the root of the wiki

@simonista
Contributor Author

Hey, I wasn't sure if you guys would even be interested in this, but I thought I'd send a pull request to see, and at least open the conversation. I think it would help a lot in adding the ability to customize the experience of using gollum for end users.

@bootstraponline
Member

I agree. I think as long as random wiki people can't insert JS, then it should be fine.

@dekimsey
Contributor

I approve.

An aside: it may be appropriate to have Gollum inject a JavaScript
dictionary of useful Gollum information... something like...

```js
window.gollum = {
  pageName: 'bar',
  pagePath: 'foo/bar',
  siteRoot: 'https://my.company.com/our-wiki-instance/',
  // valid options such as 'page', 'files', 'live-crazy-js-editor',
  // 'history', etc., or just the template name, or the body class that
  // most gollum-generated pages have
  currentAction: 'edit',
  // other useful information here...
}
```

The rationale being that currently, any JavaScript running will have to do
some fun and interesting shenanigans to determine what is currently
happening. (I have personal experience with this in my efforts to make
JavaScript edit/new pages directory aware.)
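One way to emit the `window.gollum` dictionary sketched above so that request-derived values such as the page name cannot break out of the inline script element. This is an added example, not gollum's own code; the field set follows the sketch and the values are assumed to be supplied by the server per request.

```ruby
require 'json'

# Added example, not gollum's own code: render the window.gollum dictionary
# proposed in the thread as an inline <script>. Field names follow the sketch;
# the values are assumed to come from the server for the current request.
module GollumJsInfo
  # JSON is a valid JS object literal, but three characters still need care
  # inside an HTML <script> element: "<" can end the element early
  # ("</script>"), and U+2028 / U+2029 are line terminators in older JS
  # engines even though JSON leaves them raw. Escape all three as \uXXXX,
  # which both JS and JSON decode back to the original characters.
  def self.js_literal(value)
    JSON.generate(value)
        .gsub('<') { '\u003c' }
        .gsub("\u2028") { '\u2028' }
        .gsub("\u2029") { '\u2029' }
  end

  def self.script_tag(page_name:, page_path:, site_root:, current_action:)
    info = {
      'pageName'      => page_name,      # may contain user-chosen text
      'pagePath'      => page_path,
      'siteRoot'      => site_root,
      'currentAction' => current_action  # e.g. 'page', 'edit', 'history'
    }
    "<script>window.gollum = #{js_literal(info)};</script>"
  end

  # Inverse, used for checking: pull the object literal back out of a tag.
  def self.parse_tag(tag)
    JSON.parse(tag[/window\.gollum = (.*);<\/script>\z/m, 1])
  end
end
```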

@bootstraponline
Member

Doesn't this enable anyone with edit abilities on the wiki to inject JS? I think we'd want some way to ensure it's only possible to be set by the user who starts the gollum server.

@bootstraponline
Member

An aside, it may be appropriate to have the Gollum inject a javascript
dictionary of useful Gollum information

I agree that makes sense.

@simonista
Contributor Author

@dekimsey +1 on the javascript object idea

@bootstraponline well it would require you to create a page named custom.js, and I thought that regular edit permission did not allow adding arbitrary files to the wiki? If this were true, it would also be true for custom.css currently.

@dekimsey
Contributor

Doesn't this enable anyone with edit abilities on the wiki to inject JS?

It is an interesting question. For some, editing the wiki == access to the
gollum server and therefore the question is irrelevant (my instance is like
this). Others might not have that situation. I do not believe that gollum
supports editing the custom.css file from the web interface at the moment,
so editing custom.js shouldn't be an issue from that perspective. However,
if rugged ever lets us work with a remote repository, that could change.

A solution might be to have the served file be locked to a particular
revision in configuration or the HEAD rev-id at start. If so, that should
apply to both custom.css and custom.js. It is important to secure the CSS
file as well, since there are cute ways of doing XSS attacks via stylesheets.

Danny.

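The pinning idea above, worked through as an added example (not gollum's own code): the server snapshots custom.js and custom.css once at startup and keeps serving that snapshot, and it identifies the snapshot by git's own blob object id so it can be compared with the id recorded at a configured revision. The `reader` callable is an assumption standing in for the repository access layer.

```ruby
require 'digest/sha1'

# Added example, not gollum's own code: pin custom.js and custom.css to the
# bytes present when the server starts instead of re-reading whatever the
# working tree holds on each request. The pinned id is git's blob object id,
# so it can be checked against the id at a configured revision. The reader
# callable is an assumed stand-in for the repository access layer.
module PinnedAssets
  ASSET_NAMES = %w[custom.js custom.css].freeze

  # git's blob id is SHA-1 over the header "blob <size>\0" plus the bytes.
  def self.blob_oid(bytes)
    Digest::SHA1.hexdigest("blob #{bytes.bytesize}\0".b + bytes.b)
  end

  class Store
    # reader.call(name) -> current bytes of the asset, or nil if absent.
    # It is consulted once per asset here and the result is frozen.
    def initialize(reader)
      @reader = reader
      @pinned = {}
      ASSET_NAMES.each do |name|
        bytes = reader.call(name)
        next unless bytes
        @pinned[name] = { bytes: bytes.dup.freeze,
                          oid: PinnedAssets.blob_oid(bytes) }
      end
    end

    # Id recorded at startup, for logging or for comparing with the id of
    # the same path at the revision given in configuration.
    def pinned_oid(name)
      @pinned.dig(name, :oid)
    end

    # Returns [body, status]. The body is always the startup snapshot;
    # status is :unchanged, or :drifted when the working tree now holds
    # different bytes (worth logging: the asset was edited at runtime).
    def serve(name)
      entry = @pinned[name]
      return [nil, :not_pinned] unless entry
      current = @reader.call(name)
      same = current && PinnedAssets.blob_oid(current) == entry[:oid]
      [entry[:bytes], same ? :unchanged : :drifted]
    end
  end
end
```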

@bootstraponline
Member

well it would require you to create a page named custom.js, and I thought that regular edit permission did not allow adding arbitrary files to the wiki? If this were true, it would also be true for custom.css currently.

I think it lets you create arbitrary files. Injecting CSS is not great, however injecting JS is an entirely different level in terms of potential surface area for attackers.

@dekimsey
Contributor

Injecting CSS lets you inject JS. They are both vulnerabilities.

@bootstraponline
Member

Injecting CSS lets you inject JS

How do you load JS from CSS?

They are both vulnerabilities.

I agree. The same fix will work for both. I wonder if we need an admin mode or some other creative way to manage permissions.

@bootstraponline
Member

I found this on StackOverflow. Browsers are fun.

@dekimsey
Contributor

Browsers are fun.

Yup.

Danny.


bootstraponline added a commit that referenced this pull request Mar 20, 2013
Add option for custom js (like custom css)
@bootstraponline bootstraponline merged commit 0083bc9 into gollum:master Mar 20, 2013
@bootstraponline
Member

custom.css gets transformed to custom dot css so it doesn't appear that it's possible to create random files. I think it's fine to merge this for the secure use case (where every user is trusted via a 3rd party authentication system such as omnigollum). I'll update the docs to warn people about the potential security issues of using custom css or js on public instances until we have a real solution.

existme pushed a commit to existme/gollum that referenced this pull request Aug 9, 2018
Add option for custom js (like custom css)