Guard against malicious file names

README.md

@@ -6,7 +6,7 @@ gollum -- A git-based Wiki
 [![Open Source Helpers](https://www.codetriage.com/gollum/gollum/badges/users.svg)](https://www.codetriage.com/gollum/gollum)
 [![Cutting Edge Dependency Status](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/svg 'Cutting Edge Dependency Status')](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/info)
 
-**Please update to gollum 5.1.1 to counter a recent exploit in the kramdown rendering gem, [CVE-2020-14001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001)**
+**Please update to gollum 5.1.2 to counter a recent exploit. More info will follow after CVE is assigned.**
 
 **Gollum version 5.0 is out!** See [here](https://github.com/gollum/gollum/wiki/5.0-release-notes) for a list of changes and new features compared to Gollum version 4.x, and see some [Screenshots](https://github.com/gollum/gollum/wiki/Screenshots) of Gollum's features.
 

lib/gollum/views/overview.rb

@@ -25,9 +25,9 @@ module Precious
             title = crumb.basename
 
             if title == path.basename
-              breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{title}</li>}
+              breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{CGI.escape(title.to_s)}</li>}
             else
-              breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{title}</a></li>}
+              breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(title.to_s)}</a></li>}
             end
           end
           breadcrumb << %{</ol></nav>}

lib/gollum/views/page.rb

@@ -32,7 +32,7 @@ module Precious
         path.descend do |crumb|
           element = "#{crumb.basename}"
           next if element == @page.title
-          breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{element}</a></li>}
+          breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(element.to_s)}</a></li>}
         end
         breadcrumb << %{</ol></nav>}
         breadcrumb.join("\n")

test/test_overview_view.rb

@@ -43,6 +43,13 @@ context "Precious::Views::Overview" do
     @page.instance_variable_set("@base_url", "")
     assert_equal "<nav aria-label=\"Breadcrumb\"><ol><li class=\"breadcrumb-item\"><a href=\"/gollum/overview\">Home</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/\">Mordor</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/Eye-Of-Sauron/\">Eye-Of-Sauron</a></li>\n<li class=\"breadcrumb-item\" aria-current=\"page\">Saruman</li>\n</ol></nav>", @page.breadcrumb
   end
+  
+  test 'guard against malicious filenames' do
+    malicious_title = '<img src=x onerror=alert(1) />'
+    @page.instance_variable_set("@path", malicious_title)
+    @page.instance_variable_set("@base_url", "")
+    assert @page.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
+  end
 
   test "breadcrumb with no path" do
     assert_equal 'Home', @page.breadcrumb

test/test_page_view.rb

@@ -12,6 +12,17 @@ context "Precious::Views::Page" do
   teardown do
     FileUtils.rm_rf(@path)
   end
+  
+  test 'guard against malicious filenames' do
+    malicious_title = '<img src=x onerror=alert(1) />'
+    @wiki.write_page(malicious_title, :markdown, 'Is Bilbo a hobbit? Why certainly!')
+    page = @wiki.page(malicious_title)
+    @view = Precious::Views::Page.new
+    @view.instance_variable_set :@page, page
+    @view.instance_variable_set :@content, page.formatted_data
+    @view.instance_variable_set :@h1_title, false
+    assert @view.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
+  end
 
   test "h1 title sanitizes correctly" do
     title = 'H1'