From bae0f9443e68968c2c75ca990db8917a68e3e861 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?=
Date: Mon, 27 Jul 2020 21:44:50 +0200
Subject: [PATCH] Don't mangle commit subjects in submitted builds

This led to, e.g. these builds
https://builds.sr.ht/~nabijaczleweli/job/263566
https://builds.sr.ht/~nabijaczleweli/job/263563
having these subject lines
> Match "{En,Dis}able notifications" capitalisation in ticket to tracker's
> Wrap valid punctuation in tracker creation error in s
whereas the correct subject lines are
> Match "{En,Dis}able notifications" capitalisation in ticket to tracker's
> Wrap valid punctuation in tracker creation error in s
confer this msgid with more details:
<20200724201202.7bzadgfprxutt4ty@tarta.local.nabijaczleweli.xyz>
The markdown code block double-escaped the entities produced by bluemonday, and builds.sr.ht filters it anyway, nullifying risks of XSS.
---
 gitsrht-update-hook/go.mod | 1 -
 gitsrht-update-hook/go.sum | 2 --
 gitsrht-update-hook/submitter.go | 4 +---
 3 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/gitsrht-update-hook/go.mod b/gitsrht-update-hook/go.mod
index d69f424..cc86814 100644
--- a/gitsrht-update-hook/go.mod
+++ b/gitsrht-update-hook/go.mod
@@ -8,7 +8,6 @@ require (
 	github.com/google/uuid v1.1.1
 	github.com/lib/pq v1.2.0
 	github.com/mattn/go-runewidth v0.0.6
-	github.com/microcosm-cc/bluemonday v1.0.2
 	github.com/pkg/errors v0.8.1
 	github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
diff --git a/gitsrht-update-hook/go.sum b/gitsrht-update-hook/go.sum
index ea71423..71e9d69 100644
--- a/gitsrht-update-hook/go.sum
+++ b/gitsrht-update-hook/go.sum
@@ -28,8 +28,6 @@ github.com/lib/pq v1.2.0 h1:LXpIM/LZ5xGFhOpXAQUIMM1HdyqzVYM13zNdjCEEcA0=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/mattn/go-runewidth v0.0.6 h1:V2iyH+aX9C5fsYCpK60U8BYIvmhqxuOL3JZcqc1NB7k=
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/microcosm-cc/bluemonday v1.0.2 h1:5lPfLTTAvAbtS0VqT+94yOtFnGfUWYyx0+iToC3Os3s=
-github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
diff --git a/gitsrht-update-hook/submitter.go b/gitsrht-update-hook/submitter.go
index f13652e..649c765 100644
--- a/gitsrht-update-hook/submitter.go
+++ b/gitsrht-update-hook/submitter.go
@@ -14,7 +14,6 @@ import (
 	"unicode/utf8"
 
 	"github.com/fernet/fernet-go"
-	"github.com/microcosm-cc/bluemonday"
 	"github.com/pkg/errors"
 	"gopkg.in/src-d/go-git.v4"
 	"gopkg.in/src-d/go-git.v4/plumbing/object"
@@ -169,14 +168,13 @@ func indent(indent, s string) string {
 }
 
 func (submitter GitBuildSubmitter) GetCommitNote() string {
-	policy := bluemonday.StrictPolicy()
 	commitUrl := fmt.Sprintf("%s/~%s/%s/commit/%s",
 		submitter.GitOrigin, submitter.OwnerName, submitter.RepoName,
 		submitter.GetCommitId())
 	return fmt.Sprintf("[%s][0] — [%s][1]\n\n%s\n\n[0]: %s\n[1]: mailto:%s",
 		submitter.GetCommitId()[:7], submitter.Commit.Author.Name,
-		indent(" ", policy.Sanitize(firstLine(submitter.Commit.Message))),
+		indent(" ", firstLine(submitter.Commit.Message)),
 		commitUrl, submitter.Commit.Author.Email)
 }
-- 
2.38.4
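Review bot: With the sanitizer removed from the `indent(...)` argument in GetCommitNote, the only thing keeping the untrusted commit subject from being interpreted as markup is the indent prefix that the commit message says turns it into a markdown code block, and nothing in the function records that this prefix is now a safety invariant rather than formatting. The claim that builds.sr.ht filters the note on its side is a property of a remote consumer that this hunk cannot verify, so the trust boundary should at least be stated at the call site. I would add above the `return`: `// Commit.Message is untrusted; it is emitted unsanitized only because indent() places the subject inside a code block and the consumer sanitizes the rendered note. Do not interpolate it anywhere else in the template.` firstLine is defined outside the hunk, so what it guarantees about the returned line (for instance that it contains no embedded line terminators that could end the code block early) cannot be confirmed from here and is worth a look alongside this change.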