Merge pull request from GHSA-92x4-vfjf-rmf7

2024-05-10 07:54:54 +00:00 · 2023-04-21 12:08:04 -07:00
parent c8988bac8a
commit 89fa546a14
1 changed files with 14 additions and 1 deletions
--- a/netbox/extras/models/models.py
+++ b/netbox/extras/models/models.py
@@ -1,4 +1,5 @@
 import json
+import urllib.parse
 import uuid

 from django.conf import settings
@@ -28,7 +29,7 @@ from netbox.models.features import (
    CloningMixin, CustomFieldsMixin, CustomLinksMixin, ExportTemplatesMixin, JobResultsMixin, TagsMixin, WebhooksMixin,
 )
 from utilities.querysets import RestrictedQuerySet
-from utilities.utils import render_jinja2
+from utilities.utils import clean_html, render_jinja2

 __all__ = (
    'ConfigRevision',
@@ -273,6 +274,18 @@ class CustomLink(CloningMixin, ExportTemplatesMixin, WebhooksMixin, ChangeLogged
        link = render_jinja2(self.link_url, context)
        link_target = ' target="_blank"' if self.new_window else ''

+        # Sanitize link text
+        allowed_schemes = get_config().ALLOWED_URL_SCHEMES
+        text = clean_html(text, allowed_schemes)
+
+        # Sanitize link
+        link = urllib.parse.quote_plus(link, safe='/:?&')
+
+        # Verify link scheme is allowed
+        result = urllib.parse.urlparse(link)
+        if result.scheme and result.scheme not in allowed_schemes:
+            link = ""
+
        return {
            'text': text,
            'link': link,