Merge branch 'security/fix-html-class-scrubbing' into 'develop'

html: lock down allowed class attributes to only those related to microformats See merge request pleroma/pleroma!1090
2019-04-23 23:07:56 +00:00 · 2019-04-23 23:07:56 +00:00 · 030a7876b4
commit 030a7876b4
parent 3789945784 f5535e5743
2 changed files with 96 additions and 4 deletions
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@ -106,7 +106,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do

  # links
  Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
-  Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
+
+  Meta.allow_tag_with_this_attribute_values("a", "class", [
+    "hashtag",
+    "u-url",
+    "mention",
+    "u-url mention",
+    "mention u-url"
+  ])

  Meta.allow_tag_with_this_attribute_values("a", "rel", [
    "tag",
@ -115,12 +122,15 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
    "noreferrer"
  ])

+  Meta.allow_tag_with_these_attributes("a", ["name", "title"])
+
  # paragraphs and linebreaks
  Meta.allow_tag_with_these_attributes("br", [])
  Meta.allow_tag_with_these_attributes("p", [])

  # microformats
-  Meta.allow_tag_with_these_attributes("span", ["class"])
+  Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
+  Meta.allow_tag_with_these_attributes("span", [])

  # allow inline images for custom emoji
  @allow_inline_images Keyword.get(@markup, :allow_inline_images)
@ -155,7 +165,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
  Meta.strip_comments()

  Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
-  Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
+
+  Meta.allow_tag_with_this_attribute_values("a", "class", [
+    "hashtag",
+    "u-url",
+    "mention",
+    "u-url mention",
+    "mention u-url"
+  ])

  Meta.allow_tag_with_this_attribute_values("a", "rel", [
    "tag",
@ -164,6 +181,8 @@ defmodule Pleroma.HTML.Scrubber.Default do
    "noreferrer"
  ])

+  Meta.allow_tag_with_these_attributes("a", ["name", "title"])
+
  Meta.allow_tag_with_these_attributes("abbr", ["title"])

  Meta.allow_tag_with_these_attributes("b", [])
@ -177,11 +196,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
  Meta.allow_tag_with_these_attributes("ol", [])
  Meta.allow_tag_with_these_attributes("p", [])
  Meta.allow_tag_with_these_attributes("pre", [])
-  Meta.allow_tag_with_these_attributes("span", ["class"])
  Meta.allow_tag_with_these_attributes("strong", [])
  Meta.allow_tag_with_these_attributes("u", [])
  Meta.allow_tag_with_these_attributes("ul", [])

+  Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
+  Meta.allow_tag_with_these_attributes("span", [])
+
  @allow_inline_images Keyword.get(@markup, :allow_inline_images)

  if @allow_inline_images do
--- a/test/html_test.exs
+++ b/test/html_test.exs
@ -20,6 +20,18 @@ defmodule Pleroma.HTMLTest do
    <img src="http://example.com/image.jpg" onerror="alert('hacked')">
  """

+  @html_span_class_sample """
+    <span class="animate-spin">hi</span>
+  """
+
+  @html_span_microformats_sample """
+    <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+  """
+
+  @html_span_invalid_microformats_sample """
+    <span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
+  """
+
  describe "StripTags scrubber" do
    test "works as expected" do
      expected = """
@ -64,6 +76,36 @@ test "does not allow attribute-based XSS" do

      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
    end
+
+    test "does not allow spans with invalid classes" do
+      expected = """
+      <span>hi</span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
+    test "does allow microformats" do
+      expected = """
+      <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
+    test "filters invalid microformats markup" do
+      expected = """
+      <span class="h-card"><a>@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(
+                 @html_span_invalid_microformats_sample,
+                 Pleroma.HTML.Scrubber.TwitterText
+               )
+    end
  end

  describe "default scrubber" do
@ -88,5 +130,34 @@ test "does not allow attribute-based XSS" do

      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
    end
+
+    test "does not allow spans with invalid classes" do
+      expected = """
+      <span>hi</span>
+      """
+
+      assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
+    end
+
+    test "does allow microformats" do
+      expected = """
+      <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
+    end
+
+    test "filters invalid microformats markup" do
+      expected = """
+      <span class="h-card"><a>@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(
+                 @html_span_invalid_microformats_sample,
+                 Pleroma.HTML.Scrubber.Default
+               )
+    end
  end
 end