SECURITY: ERB execution in custom Email Style

2020-05-21 14:26:03 -04:00 · 2020-05-21 14:26:03 -04:00 · d11c462104
parent 5a71c51ddd
commit d11c462104
3 changed files with 113 additions and 103 deletions
--- a/app/helpers/email_helper.rb
+++ b/app/helpers/email_helper.rb
@ -25,12 +25,8 @@ module EmailHelper
    raw "<a href='#{Discourse.base_url}#{url}' style='color: ##{@anchor_color}'>#{title}</a>"
  end

-  def email_html_template(binding_arg)
-    template = EmailStyle.new.html.sub(
-      '%{email_content}',
-      '<%= yield %><% if defined?(html_body) %><%= html_body %><% end %>'
-    )
-    ERB.new(template).result(binding_arg)
+  def email_html_template
+    EmailStyle.new.html.sub('%{email_content}', yield).html_safe
  end

  protected
--- a/app/views/layouts/email_template.html.erb
+++ b/app/views/layouts/email_template.html.erb
@ -2,5 +2,8 @@
  <%= yield %>
  <% if defined?(html_body) %><%= html_body %><% end %>
 <% else %>
-  <%= email_html_template(binding).html_safe %>
+  <%= email_html_template do %>
+    <%= yield %>
+    <% if defined?(html_body) %><%= html_body %><% end %>
+  <% end %>
 <% end %>
--- a/spec/integration/email_style_spec.rb
+++ b/spec/integration/email_style_spec.rb
@ -3,6 +3,16 @@
 require "rails_helper"

 describe EmailStyle do
+
+  context "ERB evaluation" do
+    it "does not evaluate ERB outside of the email itself" do
+      SiteSetting.email_custom_template = "<div>%{email_content}</div><%= (111 * 333) %>"
+      html = Email::Renderer.new(UserNotifications.signup(Fabricate(:user))).html
+      expect(html).not_to match("36963")
+    end
+  end
+
+  context "with a custom template" do
    before do
      SiteSetting.email_custom_template = "<body><h1>FOR YOU</h1><div>%{email_content}</div></body>"
      SiteSetting.email_custom_css = 'h1 { color: red; } div.body { color: #FAB; }'
@ -128,3 +138,4 @@ describe EmailStyle do
      end
    end
  end
+end