fix($sanitize): don't allow svg animation tags #11290
Conversation
|
/cc @sirdarckcat |
| "desc,ellipse,font-face,font-face-name,font-face-src,g,glyph,hkern,image,linearGradient," + | ||
| "line,marker,metadata,missing-glyph,mpath,path,polygon,polyline,radialGradient,rect,set," + | ||
| "stop,svg,switch,text,title,tspan,use"); | ||
| var svgElements = makeMap("circle,defs,desc,ellipse,font-face,font-face-name,font-face-src,g,glyph," + |
There was a problem hiding this comment.
can you add a comment that the animation related elements are intentionally omitted?
|
also the fix commit contains a breaking change that should be documented per our conventions. otherwise this looks good for master branch. for 1.3 we should just revert the other fix that adds case-sensitivity support. |
|
Do we need to block If we did this, then we would not have a breaking change, since previously we were lowercasing those attributes, which was effectively blocking them anyway... |
|
+1 to @petebacondarwin solution |
|
From my research the only way to animate something is using the So blocking I personally believe blocking the element is better than blocking the attribute. It's easier to "debug" for a developer imo. I didn't mark it as a breaking change because animation were never possible in SVG before #11124, which has yet to be released in a version. Adding the breaking change will just make it appear in the ChangeLog and our migration guide, and it will be "useless" because there is no prior angular version that allows SVG animations. |
rodyhaddad
force-pushed
the
fix/security-sanitize-svg
branch
2 times, most recently
from
3f6f561
to
91fd8b2
Compare
After angular#11124 got merged, a security vulnerability got introduced. Animation in SVG became tolerated by the sanitizer. Exploit Example: ``` <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a> </svg> ``` Here we are animating an anchor's href, starting from a value that's a javascript URI, allowing the executing of arbitrary javascript in the process. Preventing only the animation of links is tricky, as SVG is weird and namespaces aren't predictable. We've decided to have the sanitizer filter out svg animation tags instead. Considering the sanitizer is commonly used to sanitize untrusted HTML code, this shouldn't affect many apps in the wild. Also, no release has been with angular#11124 in it, but not this fix.
rodyhaddad
force-pushed
the
fix/security-sanitize-svg
branch
from
91fd8b2
to
2e39153
Compare
|
For now I've removed the following elements: And the following attributes, because they're useless with the above tags removed: |
|
I agree, Sources: |
|
LGTM |
|
I landed this on master and added the commit with the warning messages to 1.3.x. I didn't land the security fix since we never seemed to have landed the original mixed case fix in the first place there. |
|
Just one small note: We have not yet managed to identify any attack surface coming from Unless (of course) you have attack examples that also work in these, I would go and say they are safe. Well, two of them. Note that |
|
To stay on the safe side I would prefer to wait for people to request that these elements are white listed and look at this again, then. |
|
@petebacondarwin Agreed, makes perfect sense! |
After angular#11124 got merged, a security vulnerability got introduced. Animation in SVG became tolerated by the sanitizer. Exploit Example: ``` <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a> </svg> ``` Here we are animating an anchor's href, starting from a value that's a javascript URI, allowing the executing of arbitrary javascript in the process. Preventing only the animation of links is tricky, as SVG is weird and namespaces aren't predictable. We've decided to have the sanitizer filter out svg animation tags instead. Considering the sanitizer is commonly used to sanitize untrusted HTML code, this shouldn't affect many apps in the wild. Also, no release has been with angular#11124 in it, but not this fix. Closes angular#11290
…6 with the mentioned vulnerability believed to be patched in Angular 1.5. https://snyk.io/vuln/npm:angular:20150310 angular/angular.js#11290
After #11124 got merged, a security vulnerability got introduced.
Animation in SVG became tolerated by the sanitizer.
Exploit Example:
Here we are animating an anchor's href, starting from a value that's a javascript URI,
allowing the executing of arbitrary javascript in the process.
Preventing only the animation of links is tricky, as SVG is weird and namespaces aren't predictable.
We've decided to have the sanitizer filter out SVG animation tags instead.
Considering the sanitizer is commonly used to sanitize untrusted HTML code, this shouldn't affect
many apps in the wild. Also, no release has been with #11124 in it, but not this fix.