Merge pull request from GHSA-ggrq-h43f-3w7m

This fixes a CVE (currently https://github.com/nim-lang/Nim/security/advisories/GHSA-ggrq-h43f-3w7m) (cherry picked from commit cb894c7094)
2026-04-23 15:55:23 +00:00 · 2022-01-29 13:03:01 +00:00
parent 9746d46009
commit b6024fe861
3 changed files with 58 additions and 11 deletions
--- a/lib/packages/docutils/rst.nim
+++ b/lib/packages/docutils/rst.nim
@@ -210,6 +210,12 @@ type
                              ## to Markdown) -- implies `roSupportMarkdown`
    roNimFile                 ## set for Nim files where default interpreted
                              ## text role should be :nim:
+    roSandboxDisabled         ## this option enables certain options
+                              ## (e.g. raw, include)
+                              ## which are disabled by default as they can
+                              ## enable users to read arbitrary data and
+                              ## perform XSS if the parser is used in a web
+                              ## app.

  RstParseOptions* = set[RstParseOption]

@@ -234,7 +240,8 @@ type
    mwBrokenLink = "broken link '$1'",
    mwUnsupportedLanguage = "language '$1' not supported",
    mwUnsupportedField = "field '$1' not supported",
-    mwRstStyle = "RST style: $1"
+    mwRstStyle = "RST style: $1",
+    meSandboxedDirective = "disabled directive: '$1'",

  MsgHandler* = proc (filename: string, line, col: int, msgKind: MsgKind,
                       arg: string) {.closure, gcsafe.} ## what to do in case of an error
@@ -289,6 +296,7 @@ const
    ":geek:": "icon_e_geek",
    ":ugeek:": "icon_e_ugeek"
  }
+  SandboxDirAllowlist = ["image", "code", "code-block"]

 type
  TokType = enum
@@ -2668,10 +2676,14 @@ proc dirCodeBlock(p: var RstParser, nimExtension = false): PRstNode =
  ##
  ## As an extension this proc will process the ``file`` extension field and if
  ## present will replace the code block with the contents of the referenced
-  ## file.
+  ## file. This behaviour is disabled in sandboxed mode and can be re-enabled
+  ## with the `roSandboxDisabled` flag.
  result = parseDirective(p, rnCodeBlock, {hasArg, hasOptions}, parseLiteralBlock)
  var filename = strip(getFieldValue(result, "file"))
  if filename != "":
+    if roSandboxDisabled notin p.s.options:
+      let tok = p.tok[p.idx-2]
+      rstMessage(p, meSandboxedDirective, "file", tok.line, tok.col)
    var path = p.findRelativeFile(filename)
    if path == "": rstMessage(p, meCannotOpenFile, filename)
    var n = newRstNode(rnLiteralBlock)
@@ -2767,6 +2779,11 @@ proc dirRaw(p: var RstParser): PRstNode =

 proc selectDir(p: var RstParser, d: string): PRstNode =
  result = nil
+  let tok = p.tok[p.idx-2] # report on directive in ".. directive::"
+  if roSandboxDisabled notin p.s.options:
+    if d notin SandboxDirAllowlist:
+      rstMessage(p, meSandboxedDirective, d, tok.line, tok.col)
+
  case d
  of "admonition", "attention", "caution": result = dirAdmonition(p, d)
  of "code": result = dirCodeBlock(p)
@@ -2793,7 +2810,6 @@ proc selectDir(p: var RstParser, d: string): PRstNode =
  of "title": result = dirTitle(p)
  of "warning": result = dirAdmonition(p, d)
  else:
-    let tok = p.tok[p.idx-2]  # report on directive in ".. directive::"
    rstMessage(p, meInvalidDirective, d, tok.line, tok.col)

 proc prefix(ftnType: FootnoteType): string =