From a5bd819f3ef13d5d4595106557c26169df2ef3a0 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Wed, 9 Oct 2019 15:35:06 -0400 Subject: [PATCH 1/3] rufo formatting --- lib/loofah/html5/safelist.rb | 3 +-- test/integration/test_ad_hoc.rb | 36 ++++++++++++++++----------------- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb index f7d38f26..8abd922e 100644 --- a/lib/loofah/html5/safelist.rb +++ b/lib/loofah/html5/safelist.rb @@ -1,4 +1,4 @@ -require 'set' +require "set" module Loofah module HTML5 # :nodoc: @@ -45,7 +45,6 @@ module HTML5 # :nodoc: # # module SafeList - ACCEPTABLE_ELEMENTS = Set.new([ "a", "abbr", diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb index ac1e28cc..16fccbbf 100644 --- a/test/integration/test_ad_hoc.rb +++ b/test/integration/test_ad_hoc.rb @@ -1,7 +1,6 @@ require "helper" class IntegrationTestAdHoc < Loofah::TestCase - context "blank input string" do context "fragment" do it "return a blank string" do @@ -33,9 +32,9 @@ def test_removal_of_illegal_attribute html = "

" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) node = sane.xpath("//p").first - assert node.attributes['class'] - assert node.attributes['abbr'] - assert_nil node.attributes['foo'] + assert node.attributes["class"] + assert node.attributes["abbr"] + assert_nil node.attributes["foo"] end def test_removal_of_illegal_url_in_href @@ -45,14 +44,14 @@ def test_removal_of_illegal_url_in_href HTML sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) nodes = sane.xpath("//a") - assert_nil nodes.first.attributes['href'] - assert nodes.last.attributes['href'] + assert_nil nodes.first.attributes["href"] + assert nodes.last.attributes["href"] end def test_css_sanitization html = "

" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) - assert_match %r/#000/, sane.inner_html + assert_match %r/#000/, sane.inner_html refute_match %r/foo\.com/, sane.inner_html end @@ -75,7 +74,7 @@ def test_fragment_with_text_nodes_leading_and_trailing def test_whitewash_on_fragment html = "safe description" whitewashed = Loofah.scrub_document(html, :whitewash).xpath("/html/body/*").to_s - assert_equal "

safe

description", whitewashed.gsub("\n","") + assert_equal "

safe

description", whitewashed.gsub("\n", "") end def test_fragment_whitewash_on_microsofty_markup @@ -86,11 +85,11 @@ def test_fragment_whitewash_on_microsofty_markup def test_document_whitewash_on_microsofty_markup whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash) assert_match %r(

Foo BOLD

), whitewashed.to_s - assert_equal "

Foo BOLD

", whitewashed.xpath("/html/body/*").to_s + assert_equal "

Foo BOLD

", whitewashed.xpath("/html/body/*").to_s end def test_return_empty_string_when_nothing_left - assert_equal "", Loofah.scrub_document('', :prune).text + assert_equal "", Loofah.scrub_document("", :prune).text end def test_nested_script_cdata_tags_should_be_scrubbed @@ -145,21 +144,20 @@ def test_dont_remove_whitespace_between_tags # # https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714 # - {tag: "a", attr: "href"}, - {tag: "div", attr: "href"}, - {tag: "a", attr: "action"}, - {tag: "div", attr: "action"}, - {tag: "a", attr: "src"}, - {tag: "div", attr: "src"}, - {tag: "a", attr: "name"}, + { tag: "a", attr: "href" }, + { tag: "div", attr: "href" }, + { tag: "a", attr: "action" }, + { tag: "div", attr: "action" }, + { tag: "a", attr: "src" }, + { tag: "div", attr: "src" }, + { tag: "a", attr: "name" }, # # note that div+name is _not_ affected by the libxml2 issue. # but we test it anyway to ensure our logic isn't modifying # attributes that don't need modifying. # - {tag: "div", attr: "name", unescaped: true}, + { tag: "div", attr: "name", unescaped: true }, ].each do |config| - define_method "test_uri_escaping_of_#{config[:attr]}_attr_in_#{config[:tag]}_tag" do html = %{<#{config[:tag]} #{config[:attr]}='example.com'>test} From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Wed, 9 Oct 2019 15:36:32 -0400 Subject: [PATCH 2/3] mitigate XSS vulnerability in SVG animate attributes this addresses CVE-2019-15587 see #171 for more information https://github.com/flavorjones/loofah/issues/171 --- lib/loofah/html5/safelist.rb | 3 --- test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------ 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb index 8abd922e..4b2b6dd4 100644 --- a/lib/loofah/html5/safelist.rb +++ b/lib/loofah/html5/safelist.rb @@ -360,7 +360,6 @@ module SafeList "baseProfile", "bbox", "begin", - "by", "calcMode", "cap-height", "class", @@ -467,7 +466,6 @@ module SafeList "systemLanguage", "target", "text-anchor", - "to", "transform", "type", "u1", @@ -477,7 +475,6 @@ module SafeList "unicode", "unicode-range", "units-per-em", - "values", "version", "viewBox", "visibility", diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb index 16fccbbf..cc6fc652 100644 --- a/test/integration/test_ad_hoc.rb +++ b/test/integration/test_ad_hoc.rb @@ -188,14 +188,32 @@ def test_dont_remove_whitespace_between_tags end end - # see: - # - https://github.com/flavorjones/loofah/issues/154 - # - https://hackerone.com/reports/429267 - context "xss protection from svg xmlns:xlink animate attribute" do - it "sanitizes appropriate attributes" do - html = %Q{} + context "xss protection from svg animate attributes" do + # see recommendation from https://html5sec.org/#137 + # to sanitize "to", "from", "values", and "by" attributes + + it "sanitizes 'from', 'to', and 'by' attributes" do + # for CVE-2018-16468 + # see: + # - https://github.com/flavorjones/loofah/issues/154 + # - https://hackerone.com/reports/429267 + html = %Q{} + sanitized = Loofah.scrub_fragment(html, :escape) assert_nil sanitized.at_css("animate")["from"] + assert_nil sanitized.at_css("animate")["to"] + assert_nil sanitized.at_css("animate")["by"] + end + + it "sanitizes 'values' attribute" do + # for CVE-2019-15587 + # see: + # - https://github.com/flavorjones/loofah/issues/171 + # - https://hackerone.com/reports/709009 + html = %Q{ } + + sanitized = Loofah.scrub_fragment(html, :escape) + assert_nil sanitized.at_css("animate")["values"] end end end From 1d81f919bd29458a3b80966f9b6870b74b839dc9 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 22 Oct 2019 08:56:01 -0400 Subject: [PATCH 3/3] update CHANGELOG --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6afc04b..1b176b63 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # Changelog +## 2.3.1 / 2019-10-22 + +### Security + +Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. + +This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171 + + ## 2.3.0 / 2019-09-28 ### Features