vikunja/pkg/modules/migration
kolaente 0f3730d045 fix(notifications): escape markdown in user-controlled strings in email lines
Task titles, project titles, team names, doer/assignee names, and API
token titles were interpolated raw into Line(...) calls whose content is
rendered to HTML by goldmark and then sanitized with bluemonday UGCPolicy.
UGCPolicy intentionally allows safe <a href> and <img src> with
http/https URLs, so a title containing Markdown link or image syntax
would survive sanitization as a working phishing link or tracking pixel
in a legitimate Vikunja email.

Introduce notifications.EscapeMarkdown, which prefixes every CommonMark
§2.4 backslash-escapable ASCII punctuation character — including '<' so
autolinks like `<https://evil.com>` are neutralized before reaching
goldmark — with a backslash. Apply it to every user-controlled argument
of every Line(...) call in pkg/models that feeds into an i18n template,
and to the hand-built "* [title](url) (project)" Markdown link in the
overdue-tasks digest notification.

Also escape the migration error string in MigrationFailedNotification,
an additional sink not listed in the advisory (error messages can carry
user-controlled content from the external migration source).

Subject(...), Greeting(...), and CreateConversationalHeader(...) are
left unchanged: Subject is passed directly to the mail library and is
not markdown-rendered, Greeting is rendered via html/template's built-in
HTML escaping without markdown, and the conversational header is
sanitized as raw HTML by bluemonday in mail_render.go.

Fixes GHSA-45q4-x4r9-8fqj.
2026-04-09 15:44:04 +00:00
..
csv feat(migration): flatten project hierarchy for single-project imports 2026-04-07 15:20:06 +00:00
handler fix(notifications): escape markdown in user-controlled strings in email lines 2026-04-09 15:44:04 +00:00
microsoft-todo chore(lint): suppress gosec false positives on SSRF-safe HTTP client calls 2026-03-23 16:34:22 +00:00
ticktick fix(migration): correct TickTick swagger annotation to PUT 2026-04-07 12:05:47 +00:00
todoist refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
trello refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
vikunja-file fix: detect and fail on oversized zip entries instead of silent truncation 2026-02-25 13:01:00 +01:00
wekan test(migration): add WeKan migration tests and fixture 2026-04-07 12:05:47 +00:00
create_from_structure.go fix(migration): delete all default buckets when migration provides its own 2026-04-07 12:05:47 +00:00
create_from_structure_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db.go feat: register Vikunja tables with db package at init 2026-03-04 15:37:54 +01:00
errors.go feat(migration): add generic CSV import with column mapping 2026-04-07 15:20:06 +00:00
helpers.go chore(lint): suppress gosec false positives on SSRF-safe HTTP client calls 2026-03-23 16:34:22 +00:00
helpers_test.go feat(cli): reorganize repair commands under unified 'vikunja repair' parent (#2300) 2026-02-25 11:50:09 +00:00
main_test.go fix: prevent SSRF via migration file attachment URLs (GHSA-g66v-54v9-52pr) 2026-03-23 16:34:22 +00:00
migration_status.go fix: add missing Commit() to write callers 2026-02-25 11:03:02 +01:00
migrator.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
testimage.jpg feat(migrators): remove wunderlist (#1346) 2022-12-29 17:12:39 +00:00