github-starred/vikunja
2
0
Fork 0
mirror of https://github.com/go-vikunja/vikunja.git synced 2026-05-08 21:08:04 -05:00
Code Issues 690 Packages Projects Releases 11 Wiki Activity
Files
spike-huma-openapi3
vikunja/pkg/modules/migration/handler/notifications.go
kolaente 0f3730d045 fix(notifications): escape markdown in user-controlled strings in email lines 
Task titles, project titles, team names, doer/assignee names, and API
token titles were interpolated raw into Line(...) calls whose content is
rendered to HTML by goldmark and then sanitized with bluemonday UGCPolicy.
UGCPolicy intentionally allows safe <a href> and <img src> with
http/https URLs, so a title containing Markdown link or image syntax
would survive sanitization as a working phishing link or tracking pixel
in a legitimate Vikunja email.

Introduce notifications.EscapeMarkdown, which prefixes every CommonMark
§2.4 backslash-escapable ASCII punctuation character — including '<' so
autolinks like `<https://evil.com>` are neutralized before reaching
goldmark — with a backslash. Apply it to every user-controlled argument
of every Line(...) call in pkg/models that feeds into an i18n template,
and to the hand-built "* [title](url) (project)" Markdown link in the
overdue-tasks digest notification.

Also escape the migration error string in MigrationFailedNotification,
an additional sink not listed in the advisory (error messages can carry
user-controlled content from the external migration source).

Subject(...), Greeting(...), and CreateConversationalHeader(...) are
left unchanged: Subject is passed directly to the mail library and is
not markdown-rendered, Greeting is rendered via html/template's built-in
HTML escaping without markdown, and the conversational header is
sanitized as raw HTML by bluemonday in mail_render.go.

Fixes GHSA-45q4-x4r9-8fqj.
2026-04-09 15:44:04 +00:00

107 lines
4.1 KiB
Go
Raw Permalink Blame History

// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package handler
import (
"golang.org/x/text/cases"
"golang.org/x/text/language"
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/i18n"
"code.vikunja.io/api/pkg/notifications"
)
// MigrationDoneNotification represents a MigrationDoneNotification notification
type MigrationDoneNotification struct {
MigratorName string
}
// ToMail returns the mail notification for MigrationDoneNotification
func (n *MigrationDoneNotification) ToMail(lang string) *notifications.Mail {
kind := cases.Title(language.English).String(n.MigratorName)
return notifications.NewMail().
Subject(i18n.T(lang, "notifications.migration.done.subject", kind)).
Line(i18n.T(lang, "notifications.migration.done.imported", kind)).
Action(i18n.T(lang, "notifications.common.actions.open_vikunja"), config.ServicePublicURL.GetString()).
Line(i18n.T(lang, "notifications.migration.done.have_fun"))
}
// ToDB returns the MigrationDoneNotification notification in a format which can be saved in the db
func (n *MigrationDoneNotification) ToDB() interface{} {
return nil
}
// Name returns the name of the notification
func (n *MigrationDoneNotification) Name() string {
return "migration.done"
}
// MigrationFailedReportedNotification represents a MigrationFailedReportedNotification notification
type MigrationFailedReportedNotification struct {
MigratorName string
}
// ToMail returns the mail notification for MigrationFailedReportedNotification
func (n *MigrationFailedReportedNotification) ToMail(lang string) *notifications.Mail {
kind := cases.Title(language.English).String(n.MigratorName)
return notifications.NewMail().
Subject(i18n.T(lang, "notifications.migration.failed.subject", kind)).
Line(i18n.T(lang, "notifications.migration.failed.message", kind)).
Line(i18n.T(lang, "notifications.migration.failed.retry", kind)).
Line(i18n.T(lang, "notifications.migration.failed.working_on_it"))
}
// ToDB returns the MigrationFailedReportedNotification notification in a format which can be saved in the db
func (n *MigrationFailedReportedNotification) ToDB() interface{} {
return nil
}
// Name returns the name of the notification
func (n *MigrationFailedReportedNotification) Name() string {
return "migration.failed.reported"
}
// MigrationFailedNotification represents a MigrationFailedNotification notification
type MigrationFailedNotification struct {
MigratorName string
Error error
}
// ToMail returns the mail notification for MigrationFailedNotification
func (n *MigrationFailedNotification) ToMail(lang string) *notifications.Mail {
kind := cases.Title(language.English).String(n.MigratorName)
return notifications.NewMail().
Subject(i18n.T(lang, "notifications.migration.failed.subject", kind)).
Line(i18n.T(lang, "notifications.migration.failed.message", kind)).
Line(i18n.T(lang, "notifications.migration.failed.retry", kind)).
Line(i18n.T(lang, "notifications.migration.failed.error", notifications.EscapeMarkdown(n.Error.Error()))).
Line(i18n.T(lang, "notifications.migration.failed.report"))
}
// ToDB returns the MigrationFailedNotification notification in a format which can be saved in the db
func (n *MigrationFailedNotification) ToDB() interface{} {
return nil
}
// Name returns the name of the notification
func (n *MigrationFailedNotification) Name() string {
return "migration.failed"
}
Reference in New Issue View Git Blame Copy Permalink