Skip to content

Remove math rendering exception for wikis

Brett Walker requested to merge bw-cascade-honor-math-rendering-limits into master

What does this MR do and why?

Related to Client-side DoS via AsciiDoc math feature (#424271 - closed) and Allow configuration of math expression renderin... (#214530 - closed)

Wikis and repositories are no longer allow unlimited math rendering. It is now controlled by the math_rendering_limits_enabled instance and group setting.

The new group level setting is being added by Make math_rendering_limits_enabled a cascading ... (!143256 - merged). I've cherry-picked its commit here (it's the first commit) in order to finish building this.

By disabling the math_rendering_limits_enabled, math can be rendered without limits, in issues, MRs, wikis, repository, etc. When limits are enabled (the default), math rendering will be limited in all places, including wikis and repositories.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Test markdown:

$`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$
$`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$
$`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$
$`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$
$`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$ + $`a^2+b^2=c^2`$
  1. Verify that in wikis and repositories math is being limited, by pasting the above markdown and previewing/saving.
  2. Disable math limits by either using the GraphQL instructions in !143256 (merged), or by doing ApplicationSetting.update(math_rendering_limits_enabled: false) from the Rails console.
  3. Verify that math is now unlimited in wikis, repositories, issues, etc.
Edited by Brett Walker

Merge request reports

Loading