fix(jqLite): prevent possible XSS due to regex-based HTML replacement

[mgol]

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

Does this PR fix a regression since 1.7.0, a security flaw, or a problem caused by a new browser version?

Yes

What is the current behavior? (You can also link to an open issue here)

1. The regex-based input HTML replacement may turn sanitized code into unsanitized one. An analogous jQuery advisory: GHSA-gxr4-xjj5-5px2
2. Wrapping <option> elements in <select> ones changes parsing behavior, leading to possibly unsanitizing sanitized code. An analogous jQuery advisory: GHSA-jpcq-cgw6-v4j6

What is the new behavior (if this is a feature change)?

The issues are fixed. The second one is a breaking change so a new method restoring legacy insecure behavior:

angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement()

was added.

Does this PR introduce a breaking change?

Yes

Please check if the PR fulfills these requirements

• The commit message follows our guidelines
• Fix/Feature: Docs have been added/updated
• Fix/Feature: Tests have been added; existing tests pass

Other information:

[koto]

I'm not sure if you actually need the wrapping at all in modern browsers. At least in Chrome appending the elements directly works, even if, say, td is not under tbody or table.

In any case, while the current patch fixes the security bug we currently know about, a better way would be to avoid concatenating HTML strings whatsoever. If, for example, you need wrapping, use document.createElement and appendChild and append to the newly created one.

[mgol]

I'm not sure if you actually need the wrapping at all in modern browsers.

You do. See https://jsbin.com/cibiwet/edit?html,js,console, it doesn't actually append the element, either in Firefox or in Chrome.

I'm curious how it worked for you, my test case is pretty basic.

If, for example, you need wrapping, use document.createElement and appendChild and append to the newly created one.

That would work.

[koto]

Heh, my bad. I would've sworn this worked last week (I was debugging jqLite, so all calls were inside a fragment too), but indeed it does not (only <option> works), sorry for the confusion.

[petebacondarwin]

Is it possible to get a false-positive (i.e. an anti-flake)?
If the timeout completes before the async changes have occurred, it is possible that the test could have failed if the timeout were longer.

I guess that the onerror handler is always called async?

Could we avoid relying upon the timeout being long enough. Perhaps create an additional "real" error that will call a different onerror handler? Then assume that if this second handler is called but the xss one is not called then we are good... Then we could make the it async and only call done() once the second real error handler has been called.

[mgol]

Feel free to experiment. I've tried a few things when I prepared a similar patch for jQuery & I wasn't able to achieve something that would not have the delay and that wouldn't suffer from race conditions. Maybe there's something but it might require extensive testing - we definitely don't want to miss the error just because it fired too late.

[koto]

You could get rid of _default, e.g. like this:

wrap = wrapMap[tag]
finalHTML = ...
tmp.innerHTML = wrap ? wrap[1] + finalHtml + wrap[2]  : finalHtml;
i = wrap ? wrap[0] : 0;
while (i--) { //...

That's a no-op for the security fix, but is shorter - and lets you pipe through the data without any string concatenation (e.g. letting through TrustedHTML objects that DOMPurify might return).

[mgol]

Sound sensible. That said, this would technically be a new feature and we're at the point where we mostly care about security fixes so I wouldn't want to spend too much time on tweaking this code.

[mgol]

OK, apparently we have a few days to finish the PR; in that case, I can have a look early next week.

[gkalpak]

I think that the following test cases were useful for jQuery (which used a slightly different regex) but not for jqLite's XHTML_TAG_REGEXP (i.e. they would pass without the changes in this PR, so they don't add much value):

• '<img alt="<x" title="/><img src=url404 onerror=xss(0)>">'
• '<img alt="\n<x" title="/>\n<img src=url404 onerror=xss(1)>">'
• '<foo" alt="" title="/><img src=url404 onerror=xss(8)>">'
• '<img alt="<x" title="" src="/><img src=url404 onerror=xss(9)>">'

(That is because jQuery's tegex would match " as part of the tag name, while jqLite won't.)

[mgol]

We’re testing Angular with jQuery as well here. I’d leave them all; the purpose is not to match only what was broken but to prevent future regressions here.

[mgol]

@koto I refactored the whole thing to not rely on passing strings to innerHTML at all except in IE 9 where it's unavoidable - IE 9 doesn't let you to assign '<td></td>' to a tr element even if it lies in a correct table structure; it needs the whole HTML up front.

This makes the PR increase the minified size by 407 bytes (before gzip) due to duplication but at least it should be more secure in modern browsers.

Please take a look.

[petebacondarwin]

On master the angular.min.js file is 176333 bytes.
This PR appears to make it 176724 (391 byte increase over master).
My two suggestions appear to make it 176544 (211 byte increase over master).

[mgol]

@petebacondarwin PR updated.

[petebacondarwin]

We should see if @koto has any more feedback before we merge, yes?

[koto]

It looks good (thanks!), but I have a small suggestion (and I realise this is not about fixing the bug, but rather adding support for passing TrustedHTML objects to jqLite).

You don't modify the payload in jqLiteBuildFragment anymore for most cases, but TrustedHTML would still not be able to be passed there, as it fails the argIsString check in JQLite function, TrustedHTMLs are objects - typeof trustedTypes.emptyHTML == 'object'.

How about changing it to :

  if (argIsString || (typeof TrustedHTML == "function" && element instanceof TrustedHTML)) {
      jqLiteAddNodes(this, jqLiteParseHTML(element));
  } // ...

that would pipe the TrustedHTML objects to jqLiteBuildFragment.

For testing, one can create TrustedHTML objects like so:

if (window.trustedTypes) {
  var policy = trustedTypes.createPolicy('jqlitetests', {createHTML: function(s) { return s }});
  var trustedHTML = policy.createHTML('<div><img src=x></div>');
}

[mgol]

@koto

  if (argIsString || (typeof TrustedHTML == "function" && element instanceof TrustedHTML)) {
      jqLiteAddNodes(this, jqLiteParseHTML(element));
  } // ...

This won't work cross-frame, will it? I'm not sure if that's an important or even supported use case for AngularJS, I know this would be a big roadblock for jQuery.

In any case, this is getting a bit far from the original purpose of this PR. I may not have much more time to spend on this PR and if we want to add explicit support for trusted types, we should carefully look at all existing jqLite APIs like after and make sure they work as well by adding tests for them all. Can we merge this PR as-is and then handle remaining issues with trusted types in a separate one? This would also be clearer in the Git log.

A small offtop: as I'm involved in jQuery as well, I've been thinking about including similar improvements to jQuery. AngularJS has included code specific to APIs not available cross-browser like Chrome apps and now possibly trusted types but jQuery has historically avoided such things. Avoiding innerHTML for wrapping like done in this PR would work but we wouldn't want to mention the TrustedHTML constructor explicitly as long as it's a Blink-only feature. Do you think there's any other way to support this use case without mentioning any trusted types API explicitly? I'm asking here as if it's possible maybe the same technique could be applied here. If you prefer to continue this part of the discussion on the jQuery side, there's an open issue about trusted types support: jquery/jquery#4409.

[Splaktar]

LGTM

[petebacondarwin]

@koto - thanks for your review.

Regarding the suggestion of handling passing TrustedHTML objects to jqLite. I think it is a good idea, but given the current status of the AngularJS project, I am loathe for us to make any more changes than necessary to the code. Any change we make is a potential opportunity to open up issues for projects that are already out there in the wild. This would make more work for us, and potentially lead to yet more changes in the project.

As I understand it, the suggestion is not an essential fix to help with security, right? If so, then we should leave the PR as it is here, get it merged and release AngularJS to mitigate the current security concern. Does that sounds reasonable or am I missing something?

[koto]

@koto

  if (argIsString || (typeof TrustedHTML == "function" && element instanceof TrustedHTML)) {
      jqLiteAddNodes(this, jqLiteParseHTML(element));
  } // ...

This won't work cross-frame, will it?

Correct. Trusted Types don't work if passed to different realms (i.e. DOM would reject them if Types are enforced), so it makes sense that TT would not be recognised as special values in jqLite as well (instanceof check would fail). But that doesn't break the application, unless it already opted into enforcing Trusted Types via CSP. In such case there's no way out of refactoring the application into creating a trusted type locally.

I'm not sure if that's an important or even supported use case for AngularJS, I know this would be a big roadblock for jQuery.

I'd like to understand this more. jQuery would be a TT consumer, the intention of a potential PR is not to make all applications using jQuery compliant with TT restrictions, but only to make apps that already create types able to use jQuery without losing them. Some refactoring is needed at the application side (to create types in the first place, but also to possibly change insecure patterns) But this is off-topic here, let's discuss in jQuery or separate bugs.

In any case, this is getting a bit far from the original purpose of this PR. I may not have much more time to spend on this PR and if we want to add explicit support for trusted types, we should carefully look at all existing jqLite APIs like after and make sure they work as well by adding tests for them all. Can we merge this PR as-is and then handle remaining issues with trusted types in a separate one? This would also be clearer in the Git log.

Fully agreed.

A small offtop: as I'm involved in jQuery as well, I've been thinking about including similar improvements to jQuery. AngularJS has included code specific to APIs not available cross-browser like Chrome apps and now possibly trusted types but jQuery has historically avoided such things. Avoiding innerHTML for wrapping like done in this PR would work but we wouldn't want to mention the TrustedHTML constructor explicitly as long as it's a Blink-only feature. Do you think there's any other way to support this use case without mentioning any trusted types API explicitly? I'm asking here as if it's possible maybe the same technique could be applied here. If you prefer to continue this part of the discussion on the jQuery side, there's an open issue about trusted types support: jquery/jquery#4409.

Let's move this to jQuery. Thanks Michał and all for the fix!

[zelivans]

It appears CVE-2020-7676 was assigned in association with this PR.
The CVE description mentions the the two problems fixed here so it is currently confusing. Not sure if it should be split, up to the maintainers.

[mgol]

@zelivans The two issues are caused by code in the same area and they're quite similar so it was decided to use one only. Equivalent jQuery issues had two CVEs created.

I think it's fine both ways.