Merge tag 'debian/13.9.4+ds1-2' into buster-fasttrack

gitlab Debian release 13.9.4+ds1-2

CHANGELOG.md

@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.9.4 (2021-03-17)
+
+### Security (1 change)
+
+- Patch Kramdown syntax highlighter gem.
+
+
 ## 13.9.3 (2021-03-08)
 
 ### Fixed (4 changes)

GITALY_SERVER_VERSION

@@ -1 +1 @@
-13.9.3
+13.9.4

VERSION

@@ -1 +1 @@
-13.9.3
+13.9.4

config/initializers/kramdown_patch.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+#
+# This pulls in https://github.com/gettalong/kramdown/pull/708 for kramdown v2.3.0.
+# Remove this file when that pull request is merged and released.
+require 'kramdown/converter'
+require 'kramdown/converter/syntax_highlighter/rouge'
+
+module Kramdown::Converter::SyntaxHighlighter
+  module Rouge
+    def self.formatter_class(opts = {})
+      case formatter = opts[:formatter]
+      when Class
+        formatter
+      when /\A[[:upper:]][[:alnum:]_]*\z/
+        ::Rouge::Formatters.const_get(formatter, false)
+      else
+        # Available in Rouge 2.0 or later
+        ::Rouge::Formatters::HTMLLegacy
+      end
+    rescue NameError
+      # Fallback to Rouge 1.x
+      ::Rouge::Formatters::HTML
+    end
+  end
+end

debian/changelog

@@ -1,3 +1,17 @@
+gitlab (13.9.4+ds1-2) experimental; urgency=medium
+
+  * Revert "Update minimum versions of ruby-rugged and ruby-licensee"
+    ruby-rugged/libgit2 1.x breakage is not yet fixed.
+
+ -- Pirate Praveen <praveen@debian.org>  Tue, 23 Mar 2021 23:41:10 +0530
+
+gitlab (13.9.4+ds1-1) experimental; urgency=medium
+
+  * New upstream version 13.9.4+ds1 (Fixes Remote code execution via unsafe
+    user-controlled markdown rendering options)
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 19 Mar 2021 00:10:35 +0530
+
 gitlab (13.9.3+ds1-2~fto10+1) buster-fasttrack; urgency=medium
 
   * Rebuild for buster-fasttrack.

debian/control

@@ -47,7 +47,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-default-value-for (>= 3.4~),
 #ruby-mysql2 | ruby-pg,
  ruby-pg (>= 1.1~),
- ruby-rugged (>= 1.0~),
+ ruby-rugged (>= 0.28~),
  ruby-grape-path-helpers (>= 1.6.1~),
  ruby-faraday (>= 1.0~),
  ruby-marginalia (>= 1.10~),
@@ -237,7 +237,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 # Sanitizes SVG input
  ruby-loofah (>= 2.2~),
 # Working with license
- ruby-licensee (>= 9.14.1~),
+ ruby-licensee (>= 8.9~),
 # Protect against bruteforcing
  ruby-rack-attack (>= 6.3~),
 # Ace editor

spec/initializers/kramdown_patch_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Kramdown patch for syntax highlighting formatters' do
+  subject { Kramdown::Document.new(options + "\n" + code).to_html }
+
+  let(:code) do
+    <<-RUBY
+~~~ ruby
+    def what?
+      42
+    end
+~~~
+    RUBY
+  end
+
+  context 'with invalid formatter' do
+    let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: CSV, line_numbers: true\\}" /}) }
+
+    it 'falls back to standard HTML and disallows CSV' do
+      expect(CSV).not_to receive(:new)
+      expect(::Rouge::Formatters::HTML).to receive(:new).and_call_original
+
+      expect(subject).to be_present
+    end
+  end
+
+  context 'with valid formatter' do
+    let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: HTMLLegacy\\}" /}) }
+
+    it 'allows formatter' do
+      expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original
+
+      expect(subject).to be_present
+    end
+  end
+end