Disable rst raw and include directives.

rouilj · rouilj · commit 79250e1f20e8 · 2020-02-20T21:38:32.000-05:00
reStructuredText has some directives that can include files or pass raw html to the output. Create new property so user can enable raw or include directives if desired. See: https://docutils.sourceforge.io/docs/howto/security.html for details.
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -1455,7 +1455,10 @@ class StringHTMLProperty(HTMLProperty):
     )''', re.X | re.I)
     protocol_re = re.compile('^(ht|f)tp(s?)://', re.I)
 
-
+    # disable rst directives that have security implications
+    rst_defaults = {'file_insertion_enabled': 0,
+                    'raw_enabled': 0,
+                    '_disable_config': 1}
 
     def _hyper_repl(self, match):
         if match.group('url'):
@@ -1619,7 +1622,8 @@ def rst(self, hyperlink=1):
         s = self.plain(escape=0, hyperlink=0)
         if hyperlink:
             s = self.hyper_re.sub(self._hyper_repl_rst, s)
-        return u2s(ReStructuredText(s, writer_name="html")["html_body"])
+        return u2s(ReStructuredText(s, writer_name="html",
+                       settings_overrides=self.rst_defaults)["html_body"])
 
     def markdown(self, hyperlink=1):
         """ Render the value of the property as markdown.
diff --git a/test/test_templating.py b/test/test_templating.py
@@ -264,8 +264,41 @@ def test_string_rst_installed(self):
 
     def test_string_rst(self):
         p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'A string with cmeerw@example.com *embedded* \u00df'))
+
+        # test case to make sure include directive is disabled
+        q = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'\n\n.. include:: XyZrMt.html\n\n<badtag>\n\n'))
+        q_result=u'''<div class="document">
+<div class="system-message">
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 3)</p>
+<p>&quot;include&quot; directive disabled.</p>
+<pre class="literal-block">
+.. include:: XyZrMt.html
+
+</pre>
+</div>
+<p>&lt;badtag&gt;</p>
+</div>
+'''
+
+        # test case to make sure raw directive is disabled
+        r =  StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'\n\n.. raw:: html\n\n   <badtag>\n\n'))
+        r_result='''<div class="document">
+<div class="system-message">
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 3)</p>
+<p>&quot;raw&quot; directive disabled.</p>
+<pre class="literal-block">
+.. raw:: html
+
+   &lt;badtag&gt;
+
+</pre>
+</div>
+</div>
+'''
         if ReStructuredText:
             self.assertEqual(p.rst(), u2s(u'<div class="document">\n<p>A string with <a class="reference external" href="mailto:cmeerw&#64;example.com">cmeerw&#64;example.com</a> <em>embedded</em> \u00df</p>\n</div>\n'))
+            self.assertEqual(q.rst(), u2s(q_result))
+            self.assertEqual(r.rst(), u2s(r_result))
         else:
             self.assertEqual(p.rst(), u2s(u'A string with <a href="mailto:cmeerw@example.com">cmeerw@example.com</a> *embedded* \u00df'))
 
