Add URL schemes that are allowed within links

Fix bug Stored XSS via markdown Disclosure: https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd/
2024-12-13 02:10:49 +01:00 · 2021-11-19 13:00:03 +07:00 · 2021-11-19 13:00:03 +07:00 · c54b89f143
commit c54b89f143
parent 3f245871ac
2 changed files with 8 additions and 1 deletions
--- a/helpdesk/models.py
+++ b/helpdesk/models.py
@ -56,6 +56,10 @@ def get_markdown(text):
    if not text:
        return ""

+    schemes = '|'.join(helpdesk_settings.ALLOWED_URL_SCHEMES)
+    pattern = fr'\[(.+)\]\((?!({schemes})).*:(.+)\)'
+    text = re.sub(pattern, '[\\1](\\3)', text, flags=re.IGNORECASE)
+
    return mark_safe(
        markdown(
            text,
--- a/helpdesk/settings.py
+++ b/helpdesk/settings.py
@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings,
                                                     'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
                                                     False)

-
+# URL schemes that are allowed within links
+ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', (
+     'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+))
 ############################
 # options for public pages #
 ############################