mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-05-07 20:38:46 -05:00
0f3730d045
Task titles, project titles, team names, doer/assignee names, and API token titles were interpolated raw into Line(...) calls whose content is rendered to HTML by goldmark and then sanitized with bluemonday UGCPolicy. UGCPolicy intentionally allows safe <a href> and <img src> with http/https URLs, so a title containing Markdown link or image syntax would survive sanitization as a working phishing link or tracking pixel in a legitimate Vikunja email. Introduce notifications.EscapeMarkdown, which prefixes every CommonMark §2.4 backslash-escapable ASCII punctuation character — including '<' so autolinks like `<https://evil.com>` are neutralized before reaching goldmark — with a backslash. Apply it to every user-controlled argument of every Line(...) call in pkg/models that feeds into an i18n template, and to the hand-built "* [title](url) (project)" Markdown link in the overdue-tasks digest notification. Also escape the migration error string in MigrationFailedNotification, an additional sink not listed in the advisory (error messages can carry user-controlled content from the external migration source). Subject(...), Greeting(...), and CreateConversationalHeader(...) are left unchanged: Subject is passed directly to the mail library and is not markdown-rendered, Greeting is rendered via html/template's built-in HTML escaping without markdown, and the conversational header is sanitized as raw HTML by bluemonday in mail_render.go. Fixes GHSA-45q4-x4r9-8fqj.
42 lines
1.6 KiB
Go
42 lines
1.6 KiB
Go
// Vikunja is a to-do list application to facilitate your life.
|
|
// Copyright 2018-present Vikunja and contributors. All rights reserved.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package notifications
|
|
|
|
import "strings"
|
|
|
|
// markdownSpecialChars is the full CommonMark §2.4 backslash-escapable set.
|
|
// '<' is included to neutralize autolinks (`<https://evil.com>`), which
|
|
// bluemonday's UGC policy would otherwise render as clickable <a> tags.
|
|
// '\' is handled separately first so inserted backslashes are not re-escaped.
|
|
const markdownSpecialChars = "`*_{}[]()<>#+-.!|~"
|
|
|
|
// EscapeMarkdown escapes every CommonMark-special character in s. Fixes
|
|
// GHSA-45q4-x4r9-8fqj (Markdown injection in notification emails).
|
|
func EscapeMarkdown(s string) string {
|
|
// Backslash first so inserted backslashes are not double-escaped.
|
|
s = strings.ReplaceAll(s, `\`, `\\`)
|
|
var b strings.Builder
|
|
b.Grow(len(s))
|
|
for _, r := range s {
|
|
if r < 128 && strings.ContainsRune(markdownSpecialChars, r) {
|
|
b.WriteByte('\\')
|
|
}
|
|
b.WriteRune(r)
|
|
}
|
|
return b.String()
|
|
}
|