
Render GFM Mermaid diagrams in a sandboxed iframe

Dheeraj Joshi requested to merge djadmin-sandbox-mermaid into master

Related issues: #342208 (closed), #345592 (closed)

What does this MR do and why?

This MR moves rendering of Mermaid diagrams in GFM into a sandboxed environment by using the iframe `sandbox` attribute. This should help minimize the impact of XSS vulnerabilities caused by Mermaid, and possibly by other third-party libraries in the future.

Details:

  1. Each Mermaid diagram is rendered in a separate iframe (https://<gitlab-instance>/-/sandbox/mermaid)
  2. The iframe gets loaded in a cross-origin sandboxed environment
  3. The iframe gets the diagram source via postMessage once it's loaded
  4. The iframe draws the diagram and sends a postMessage to the parent window communicating the rendered diagram size
  5. The parent window receives the postMessage and adjusts the iframe size.
  6. Act natural and say goodbye to Found a new mermaid XSS vulnerability emails

Note: The changes are behind a new feature flag sandboxed_mermaid.
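The parent/iframe exchange described in the steps above, as an added example that is not GitLab's code and not part of this MR. It assumes the `mermaid:source` / `mermaid:size` message type names, the instance origin `https://gitlab.example`, a 10000 px cap on reported dimensions, and a `renderFn(source)` callback wrapping the Mermaid renderer; the `/-/sandbox/mermaid` route is the one named in the MR. The message validation is kept in pure functions so it can be checked outside a browser; the DOM wiring only runs in one.

```javascript
// Added example (not GitLab's implementation): parent/iframe postMessage
// protocol for a sandboxed Mermaid diagram, with validation kept in pure
// functions. Message type names, GITLAB_ORIGIN, MAX_DIMENSION and renderFn
// are assumptions; SANDBOX_PATH is the route named in the MR.

const SANDBOX_PATH = '/-/sandbox/mermaid';      // route from the MR
const GITLAB_ORIGIN = 'https://gitlab.example'; // assumed instance origin
const MAX_DIMENSION = 10000;                    // assumed cap on reported size (px)

// Parent side: attributes for the per-diagram iframe. The sandbox token list
// deliberately omits allow-same-origin, so the frame gets an opaque origin and
// script inside it cannot reach the parent's cookies, DOM or storage.
function sandboxIframeAttributes() {
  return { src: `${GITLAB_ORIGIN}${SANDBOX_PATH}`, sandbox: 'allow-scripts' };
}

// Parent side: accept a size report only from the frame we created. Because the
// frame's origin is opaque, event.origin is the string "null" and cannot
// authenticate anything; the event.source identity check ties the message to
// our own iframe. Dimensions are coerced and clamped before touching the DOM.
function parseSizeMessage(event, iframeWindow) {
  if (event.source !== iframeWindow) return null;
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'mermaid:size') return null;
  const width = Number(d.width);
  const height = Number(d.height);
  if (!Number.isFinite(width) || !Number.isFinite(height)) return null;
  const clamp = (n) => Math.min(Math.max(Math.floor(n), 0), MAX_DIMENSION);
  return { width: clamp(width), height: clamp(height) };
}

// Child side: accept diagram source only from the embedding GitLab page.
function parseSourceMessage(event, parentWindow) {
  if (event.origin !== GITLAB_ORIGIN || event.source !== parentWindow) return null;
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'mermaid:source') return null;
  if (typeof d.source !== 'string') return null;
  return d.source;
}

// Parent side DOM wiring (browser only): create the frame, hand it the source
// once loaded, and resize it from validated size reports.
function mountDiagram(container, source) {
  const iframe = document.createElement('iframe');
  const attrs = sandboxIframeAttributes();
  iframe.setAttribute('sandbox', attrs.sandbox);
  iframe.src = attrs.src;
  iframe.addEventListener('load', () => {
    // targetOrigin must be '*': an opaque-origin frame matches no concrete origin.
    iframe.contentWindow.postMessage({ type: 'mermaid:source', source }, '*');
  });
  window.addEventListener('message', (event) => {
    const size = parseSizeMessage(event, iframe.contentWindow);
    if (!size) return;
    iframe.style.width = `${size.width}px`;
    iframe.style.height = `${size.height}px`;
  });
  container.appendChild(iframe);
  return iframe;
}

// Child side DOM wiring (browser only). renderFn(source) -> SVG string is an
// assumed wrapper around the Mermaid renderer; its output is only ever inserted
// into this sandboxed document, never into the parent.
function startSandbox(renderFn) {
  window.addEventListener('message', (event) => {
    const source = parseSourceMessage(event, window.parent);
    if (source === null) return;
    const host = document.getElementById('diagram');
    host.innerHTML = renderFn(source);
    const svg = host.querySelector('svg');
    const box = svg ? svg.getBoundingClientRect() : { width: 0, height: 0 };
    window.parent.postMessage(
      { type: 'mermaid:size', width: box.width, height: box.height },
      GITLAB_ORIGIN, // only deliver the report to the GitLab page itself
    );
  });
}
```

The two validation functions carry the security-relevant decisions: the parent never trusts `event.origin` from the opaque frame and instead pins `event.source` to the iframe it created and clamps the reported size, while the child only accepts source text from the instance origin, so a payload that escapes Mermaid's own escaping still executes with an opaque origin and no access to the GitLab session.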

Screenshots or screen recordings

[image: how a blocked XSS attack looks]

^ An example to illustrate that

  1. the Mermaid diagram still gets rendered correctly
  2. the XSS payloads taken from #345452 (closed) & #345035 (closed) did not trigger any cross-site script executions within the GitLab context.

Live Demo (Internal)

A live demo blocking an XSS vector was shared internally in this Slack thread.

Other screenshots

[image: Multiple mermaid diagrams]
[image: Single big diagram]
[image: Dark mode]
[image: DOS protection (no changes)]

Follow-up issues

Notes for maintainer

How to set up and validate locally

  1. Check out the branch djadmin-sandbox-mermaid
  2. Enable the sandboxed_mermaid feature flag
  3. Update the README.md of any project
  4. Preview the markdown
  5. Check the console for any errors when XSS payloads are used

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dheeraj Joshi
