1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-27 09:11:53 -05:00

[v7.0/forgejo] Don't panic on empty blockquote

- On a empty blockquote the callout feature would panic, as it expects
to always have at least one child.
- This panic cannot result in a DoS, because any panic that happens
while rendering any markdown input will be recovered gracefully.
- Adds a simple condition to avoid this panic.

(cherry picked from commit efd63ec1d8)
This commit is contained in:
Gusted 2024-07-21 01:02:31 +02:00
parent 1f9c3040dc
commit ff4662be92
No known key found for this signature in database
GPG key ID: FD821B732837125F
3 changed files with 22 additions and 0 deletions

View file

@ -36,6 +36,10 @@ func (g *GitHubCalloutTransformer) Transform(node *ast.Document, reader text.Rea
switch v := n.(type) {
case *ast.Blockquote:
if v.ChildCount() == 0 {
return ast.WalkContinue, nil
}
// We only want attention blockquotes when the AST looks like:
// Text: "["
// Text: "!TYPE"

View file

@ -25,6 +25,10 @@ func (g *GitHubLegacyCalloutTransformer) Transform(node *ast.Document, reader te
switch v := n.(type) {
case *ast.Blockquote:
if v.ChildCount() == 0 {
return ast.WalkContinue, nil
}
// The first paragraph contains the callout type.
firstParagraph := v.FirstChild()
if firstParagraph.ChildCount() < 1 {

View file

@ -1212,3 +1212,17 @@ func TestCustomMarkdownURL(t *testing.T) {
test("[test](abp)",
`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/abp" rel="nofollow">test</a></p>`)
}
func TestCallout(t *testing.T) {
setting.AppURL = AppURL
test := func(input, expected string) {
buffer, err := markdown.RenderString(&markup.RenderContext{
Ctx: git.DefaultContext,
}, input)
assert.NoError(t, err)
assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(string(buffer)))
}
test(">\n0", "<blockquote>\n</blockquote>\n<p>0</p>")
}