Merge branch 'security/fix-html-class-scrubbing' into 'develop'

html: lock down allowed class attributes to only those related to microformats

See merge request 
This commit is contained in:
kaniini 2019-04-23 23:07:56 +00:00
commit 030a7876b4
2 changed files with 96 additions and 4 deletions
lib/pleroma
test

View file

@ -106,7 +106,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
# links
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
Meta.allow_tag_with_this_attribute_values("a", "class", [
"hashtag",
"u-url",
"mention",
"u-url mention",
"mention u-url"
])
Meta.allow_tag_with_this_attribute_values("a", "rel", [
"tag",
@ -115,12 +122,15 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
"noreferrer"
])
Meta.allow_tag_with_these_attributes("a", ["name", "title"])
# paragraphs and linebreaks
Meta.allow_tag_with_these_attributes("br", [])
Meta.allow_tag_with_these_attributes("p", [])
# microformats
Meta.allow_tag_with_these_attributes("span", ["class"])
Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
Meta.allow_tag_with_these_attributes("span", [])
# allow inline images for custom emoji
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
@ -155,7 +165,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
Meta.strip_comments()
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
Meta.allow_tag_with_this_attribute_values("a", "class", [
"hashtag",
"u-url",
"mention",
"u-url mention",
"mention u-url"
])
Meta.allow_tag_with_this_attribute_values("a", "rel", [
"tag",
@ -164,6 +181,8 @@ defmodule Pleroma.HTML.Scrubber.Default do
"noreferrer"
])
Meta.allow_tag_with_these_attributes("a", ["name", "title"])
Meta.allow_tag_with_these_attributes("abbr", ["title"])
Meta.allow_tag_with_these_attributes("b", [])
@ -177,11 +196,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
Meta.allow_tag_with_these_attributes("ol", [])
Meta.allow_tag_with_these_attributes("p", [])
Meta.allow_tag_with_these_attributes("pre", [])
Meta.allow_tag_with_these_attributes("span", ["class"])
Meta.allow_tag_with_these_attributes("strong", [])
Meta.allow_tag_with_these_attributes("u", [])
Meta.allow_tag_with_these_attributes("ul", [])
Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
Meta.allow_tag_with_these_attributes("span", [])
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
if @allow_inline_images do

View file

@ -20,6 +20,18 @@ defmodule Pleroma.HTMLTest do
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
"""
@html_span_class_sample """
<span class="animate-spin">hi</span>
"""
@html_span_microformats_sample """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
"""
@html_span_invalid_microformats_sample """
<span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
"""
describe "StripTags scrubber" do
test "works as expected" do
expected = """
@ -64,6 +76,36 @@ test "does not allow attribute-based XSS" do
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does not allow spans with invalid classes" do
expected = """
<span>hi</span>
"""
assert expected ==
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does allow microformats" do
expected = """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "filters invalid microformats markup" do
expected = """
<span class="h-card"><a>@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(
@html_span_invalid_microformats_sample,
Pleroma.HTML.Scrubber.TwitterText
)
end
end
describe "default scrubber" do
@ -88,5 +130,34 @@ test "does not allow attribute-based XSS" do
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
end
test "does not allow spans with invalid classes" do
expected = """
<span>hi</span>
"""
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
end
test "does allow microformats" do
expected = """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
end
test "filters invalid microformats markup" do
expected = """
<span class="h-card"><a>@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(
@html_span_invalid_microformats_sample,
Pleroma.HTML.Scrubber.Default
)
end
end
end