fix(security): use LimitedRenderer in Suggested fix output (#68176)

oioki · web-flow · commit 6d3d7c2dd49b · 2024-04-05T09:58:50.000Z
Before: ![image](https://github.com/getsentry/sentry/assets/1127549/698ea722-63b3-448b-a86d-0b0f7ca49664) After: ![image](https://github.com/getsentry/sentry/assets/1127549/00e0870a-ca94-465a-9eb0-084ae24932eb)
diff --git a/static/app/components/events/aiSuggestedSolution/suggestion.tsx b/static/app/components/events/aiSuggestedSolution/suggestion.tsx
@@ -17,7 +17,7 @@ import type {Event, Project} from 'sentry/types';
 import {trackAnalytics} from 'sentry/utils/analytics';
 import {getAnalyticsDataForEvent} from 'sentry/utils/events';
 import {isActiveSuperuser} from 'sentry/utils/isActiveSuperuser';
-import marked from 'sentry/utils/marked';
+import {limitedMarked} from 'sentry/utils/marked';
 import {useApiQuery} from 'sentry/utils/queryClient';
 import {useIsSentryEmployee} from 'sentry/utils/useIsSentryEmployee';
 import useOrganization from 'sentry/utils/useOrganization';
@@ -182,7 +182,7 @@ export function Suggestion({onHideSuggestion, projectSlug, event}: Props) {
         ) : (
           <Content
             dangerouslySetInnerHTML={{
-              __html: marked(data.suggestion, {
+              __html: limitedMarked(data.suggestion, {
                 gfm: true,
                 breaks: true,
               }),
diff --git a/static/app/utils/marked.spec.tsx b/static/app/utils/marked.spec.tsx
@@ -1,6 +1,6 @@
 /* eslint no-script-url:0 */
 
-import marked from 'sentry/utils/marked';
+import marked, {limitedMarked} from 'sentry/utils/marked';
 
 function expectMarkdown(test) {
   expect(marked(test[0])).toEqual('<p>' + test[1] + '</p>\n');
@@ -58,4 +58,13 @@ describe('marked', function () {
       ],
     ].forEach(expectMarkdown);
   });
+
+  it('limited renderer does not render images and hyperlinks as html', function () {
+    for (const test of [
+      ['![alt](http://example.com/rick.gif)', 'http://example.com/rick.gif'],
+      ['[click me](http://example.com)', 'http://example.com'],
+    ]) {
+      expect(limitedMarked(test[0])).toEqual('<p>' + test[1] + '</p>\n');
+    }
+  });
 });
diff --git a/static/app/utils/marked.tsx b/static/app/utils/marked.tsx
@@ -43,6 +43,16 @@ class SafeRenderer extends marked.Renderer {
   }
 }
 
+class LimitedRenderer extends marked.Renderer {
+  link(href: string) {
+    return href;
+  }
+
+  image(href: string) {
+    return href;
+  }
+}
+
 class NoParagraphRenderer extends SafeRenderer {
   paragraph(text: string) {
     return text;
@@ -81,12 +91,15 @@ marked.setOptions({
   silent: NODE_ENV === 'test',
 });
 
+const limitedMarked = (text: string, options: MarkedOptions = {}) =>
+  sanitizedMarked(text, {...options, renderer: new LimitedRenderer()});
+
 const sanitizedMarked = (src: string, options?: MarkedOptions) => {
   return dompurify.sanitize(marked(src, options));
 };
 
 const singleLineRenderer = (text: string, options: MarkedOptions = {}) =>
   sanitizedMarked(text, {...options, renderer: new NoParagraphRenderer()});
 
-export {singleLineRenderer};
+export {singleLineRenderer, limitedMarked};
 export default sanitizedMarked;
