sanitize urls: svg/xlink href, formaction, and data: on iframe/object#21442
rootvector2 wants to merge 5 commits into
Conversation
simplify checkURI to inline the tag normalization, and bring in the other open sanitization gaps so they live behind the same tag/attribute matching:
- formaction on button/input
- data: protocol on iframe[src] and object[data]
- strip ascii tab/newline/cr before the fastboot url protocol check
Folded the Click the box and on a released Glimmer it fires; with this PR the href comes back as
| function checkURI(tagName: Nullable<string>, attribute: string): boolean { | ||
| return (tagName === null || has(badTags, tagName)) && has(badAttributes, attribute); | ||
| // SVG element tagNames are lowercase (e.g. `a`), so they never match the |
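Review bot: the comment on the last visible line ("SVG element tagNames are lowercase") overstates the case, and the lookup above it, `has(badTags, tagName)`, is shown running on the raw `tagName`: SVG tagNames are case-preserved rather than lowercased (`a` only happens to be lowercase), while HTML reports them uppercased, so unless the value is normalized (e.g. uppercased) before the `badTags` lookup the result depends on the element's namespace. Reword the comment to say SVG tagNames are not uppercased the way HTML ones are, and make sure the normalization the PR description promises sits in front of this lookup.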
nitpick for the comment wording: SVG tagNames are case-preserved (e.g. `linearGradient`, `clipPath`, `foreignObject`). Just comment wording, does not affect logic/correctness, as `a` just happens to be lowercase, and `a` is the only SVG element in `badTags`.
good catch, reworded it. `a` is the only one in the list and it happens to be lowercase, but the comment shouldn't imply that's true of svg tagNames in general.
@NullVoxPopuli any update

yes! sorry, I'm pulling over the changes to #21458 for rebase thank you!!
Ok |
Consolidates the open URL-sanitizer fixes into one PR (per review). Each change closes a way an attacker-controlled value can reach a dangerous protocol that the sanitizer currently misses.
- `checkURI`/`checkDataURI` matched `element.tagName` against the uppercase `badTags` list, but SVG tagNames come through lowercase (`a`), so `<a href={{value}}>` inside an `<svg>` skipped the `javascript:`/`vbscript:` check. Normalization now happens inside `checkURI`/`checkDataURI` so it is single-sourced. Also added `xlink:href` to the attribute list, since that is the SVG href alias and was not covered at all.
- `button[formaction]` and `input[formaction]` submit to their URL, so a `javascript:` value there executes. Added `BUTTON`/`INPUT` to `badTags` and `formaction` to the attribute list.
- `data:` URL in these loads as a nested document and can run script. Added a `data:`-protocol check for `iframe`/`object`.
- `java\nscript:` runs as `javascript:`. The fastboot `url.parse` path kept those chars and reported a null protocol, slipping past the check. Strip them there to match the WHATWG `URL` parser used on the browser path.

Tests added for each case except the tab/newline strip, which only runs on the fastboot `url.parse` path (the browser `URL` parser already strips those chars, so no integration path exercises it). Reproductions on limber for each case are in the comment below.
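The four gaps the description lists, worked through in one stand-alone sanitizer as an added example; this is not glimmer-vm's own code, and the function names (`protocolOf`, `sanitizeAttributeValue`), the tag and attribute lists, the `unsafe:` prefix on rejected values, and the regex-based scheme extraction (standing in for the browser `URL` parser and the fastboot `url.parse` path) are all assumptions made for illustration. It shows why normalizing the tagName once inside the check matters, why `xlink:href` and `formaction` belong in the attribute list, why `data:` is only blocked where it loads a nested document, and how stripping tab/LF/CR before the protocol check makes `java\nscript:` read the way the WHATWG parser reads it.

```typescript
// Added example, not glimmer-vm code: a stand-alone attribute sanitizer that
// closes the four gaps described in this PR. Function names, the tag and
// attribute lists, and the "unsafe:" prefix are assumptions for illustration.

const UNSAFE_PROTOCOLS = new Set(['javascript:', 'vbscript:']);

// Tags whose URL-bearing attributes are checked. Stored uppercase; every lookup
// normalizes first, so an SVG `a` (lowercase tagName) matches as well as HTML `A`.
const BAD_TAGS = new Set(['A', 'BODY', 'LINK', 'IMG', 'IFRAME', 'BASE', 'FORM', 'BUTTON', 'INPUT']);

// `xlink:href` is the SVG alias of href; `formaction` is the per-button/input
// submit target. Both are the additions the PR description calls out.
const BAD_ATTRIBUTES = new Set(['href', 'xlink:href', 'src', 'background', 'action', 'formaction']);

// Tag -> attribute pairs that load a nested document. A data: URL there is a
// whole document that can run script, unlike data: on an <img>, which is only
// image bytes and is deliberately left alone.
const NESTED_DOCUMENT_ATTRIBUTES = new Map<string, string>([
  ['IFRAME', 'src'],
  ['OBJECT', 'data'],
]);

// Return the scheme of `value` (e.g. "javascript:") or null when it has none.
// The WHATWG URL parser removes ASCII tab, LF and CR anywhere in the input and
// trims leading/trailing C0 controls and spaces, so "java\nscript:" parses as
// "javascript:". A parser that keeps those bytes (the fastboot url.parse path
// described above) reports no protocol and the value slips past the check;
// stripping them before the scheme match mirrors the PR's fix.
function protocolOf(value: string): string | null {
  const cleaned = value
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  const scheme = match?.[1];
  return scheme ? `${scheme.toLowerCase()}:` : null;
}

// Decide whether `value` may be set as `attribute` on an element named
// `tagName` (null when the element is unknown, which is treated as suspect).
// Rejected values come back with an "unsafe:" prefix so they no longer parse
// as a URL with a dangerous scheme; accepted values are returned unchanged.
function sanitizeAttributeValue(tagName: string | null, attribute: string, value: string): string {
  const protocol = protocolOf(value);
  if (protocol === null) {
    return value; // relative URL or plain text: no scheme to block
  }

  // Single-sourced normalization: HTML reports tagName uppercased, SVG keeps
  // the source case, so both are compared on an uppercased copy here rather
  // than relying on each caller to do it.
  const tag = tagName === null ? null : tagName.toUpperCase();
  const attr = attribute.toLowerCase();

  const tagIsSuspect = tag === null || BAD_TAGS.has(tag);
  if (tagIsSuspect && BAD_ATTRIBUTES.has(attr) && UNSAFE_PROTOCOLS.has(protocol)) {
    return `unsafe:${value}`;
  }

  if (tag !== null && NESTED_DOCUMENT_ATTRIBUTES.get(tag) === attr && protocol === 'data:') {
    return `unsafe:${value}`;
  }

  return value;
}
```

Each case in the description maps to one call: `sanitizeAttributeValue('a', 'href', ...)` with the lowercase SVG tagName, `('a', 'xlink:href', ...)`, `('BUTTON', 'formaction', ...)`, `('IFRAME', 'src', 'data:...')` and `('OBJECT', 'data', 'data:...')`, and `('A', 'href', 'java\nscript:...')`; a `data:` image on `<img src>` and a `javascript:` string in a non-URL attribute such as `title` pass through untouched, which is the behaviour a test suite for this change should pin down alongside the rejections.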