GHSL-2021-1027, GHSL-2021-1028

jupyter · Aug 9, 2022 · 14185eb · 14185eb
1 parent 1afcaae
commit 14185eb
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 4 deletions.
diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -9,6 +9,22 @@
    },
    "outputs": [],
    "source": []
+  },
+  {
+    "cell_type": "raw",
+    "id": "372c2bf1",
+    "metadata": {},
+    "source": [
+     "Payload in raw cell <script>alert('raw cell')</script>"
+    ]
+  },
+  {
+    "cell_type": "markdown",
+    "id": "2d42de4a",
+    "metadata": {},
+    "source": [
+      "<script>alert('markdown cell')</script>"
+    ]
   }
  ],
  "metadata": {

diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
@@ -147,3 +147,7 @@ def test_javascript_injection(self):
 
             # Check injection in the cell.metadata.tags of the Notebook
             assert "<script>alert('cell_tag')</script>" not in output
+
+            # Check injection in the cell.source of the Notebook
+            assert "<script>alert('raw cell')</script>" not in output
+            assert "<script>alert('markdown cell')</script>" not in output
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -46,7 +46,7 @@
 {% block input %}
 <div class="inner_cell">
     <div class="input_area">
-{{ cell.source | highlight_code(metadata=cell.metadata) }}
+{{ cell.source | highlight_code(metadata=cell.metadata) | clean_html }}
     </div>
 </div>
 {%- endblock input %}
@@ -81,12 +81,18 @@
 {%- endif -%}
 <div class="inner_cell">
 <div class="text_cell_render border-box-sizing rendered_html">
-{{ cell.source  | markdown2html | strip_files_prefix }}
+{{ cell.source  | markdown2html | strip_files_prefix | clean_html }}
 </div>
 </div>
 </div>
 {%- endblock markdowncell %}
 
+{% block rawcell scoped %}
+{%- if cell.metadata.get('raw_mimetype', '').lower() in resources.get('raw_mimetypes', ['']) -%}
+{{ cell.source | clean_html }}
+{%- endif -%}
+{%- endblock rawcell %}
+
 {% block unknowncell scoped %}
 unknown type  {{ cell.type }}
 {% endblock unknowncell %}

diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -26,7 +26,7 @@
 {% block input %}
 <div class="jp-CodeMirrorEditor jp-Editor jp-InputArea-editor" data-type="inline">
      <div class="CodeMirror cm-s-jupyter">
-{{ cell.source | highlight_code(metadata=cell.metadata) }}
+{{ cell.source | highlight_code(metadata=cell.metadata) | clean_html }}
      </div>
 </div>
 {%- endblock input %}
@@ -98,13 +98,19 @@
     {{ self.empty_in_prompt() }}
 {%- endif -%}
 <div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput {{ celltags(cell) }}" data-mime-type="text/markdown">
-{{ cell.source  | markdown2html | strip_files_prefix }}
+{{ cell.source  | markdown2html | strip_files_prefix | clean_html }}
 </div>
 </div>
 </div>
 </div>
 {%- endblock markdowncell %}
 
+{% block rawcell scoped %}
+{%- if cell.metadata.get('raw_mimetype', '').lower() in resources.get('raw_mimetypes', ['']) -%}
+{{ cell.source | clean_html }}
+{%- endif -%}
+{%- endblock rawcell %}
+
 {% block unknowncell scoped %}
 unknown type  {{ cell.type }}
 {% endblock unknowncell %}