ETH-01-cure fixes #1414
ETH-01-cure fixes #1414
Conversation
|
@frozeman, thanks for your PR! By analyzing the history of the files in this pull request, we identified @alexvandesande and @evertonfraga to be potential reviewers. |
frozeman
force-pushed
the
ETH-01-cure
branch
from
2a2199c
to
611d370
Compare
frozeman
force-pushed
the
ETH-01-cure
branch
from
eb4d5d7
to
669051b
Compare
| url = url.replace(/^(javascript:)?(data:)?\/\//i, 'http:'); | ||
| } | ||
|
|
||
| return url; |
There was a problem hiding this comment.
blacklist is not sufficient. javaScript:// is also valid, and maybe special characters such as %0A .
Also, why only handle strings?
If you expect anything other than strings, such as location-objects, you should filter them. If you expect string input, then cast the url to string and do the sanitation unconditionally. Otherwise, something like /javascript/ (regexp) or ["javascript://foo"] (array) or random object can be used to bypass this (depending on where the input comes from)
There was a problem hiding this comment.
Sorry, I missed the /i . But javascript can still be broken up with tab or %0A. I'd rather see:
- Robust URL parsing, either using DOM anchor element to parse URL (example: https://gist.github.com/jlong/2428561) or a proper URL parsing library (example: https://nodejs.org/api/url.html) .
- Whitelist, only allowing the protocols we want to allow, instead of blacklisting a few.
There was a problem hiding this comment.
I will look into a proper JS library. Currently the URL is never a location object, but i can add checks for them too.
Whitelisting would make sense if we fully know what people will use and currently we don't want to restrict unknown URIs. E.g. ftp, etc.
As it looks only JavaScript is semi-dangerous as it can spawn ui actions, but this js has also not added privileges than the webpage itself.
So removing JavaScript seems to be the most dangerous one, can you think of any other?
There was a problem hiding this comment.
@holiman i changed it now to use the parser object form your gist, but concerning the whitelisting im not yet convinced if we are not blocking uses cases. This current sanatizer should prevent spoofing. We can discuss in the future if we want to add more
|
Testing
|
| parser = url; | ||
| } | ||
|
|
||
| parser.protocol = parser.protocol.replace(/^(javascript:)?(data:)?(:)?/i, 'http:'); |
There was a problem hiding this comment.
See playground example. The code as it is written function will replace "https://" urls with "http://"
This is (I think) because the matches all, due to there only being optional capture groups. See here for a more robust example.
And I still think that any input not explicitly supported, should be coerced into a string. Otherwise it does not get filtered.
There was a problem hiding this comment.
Here's an example which is even more robust, although I'd still prefer whitelisting protos instead of blacklisting
There was a problem hiding this comment.
I tested you version and they didn't cover everything.
I found the best way which is:
sanatizeUrl = function(url){
// make sure location objects are string too
url = String(url);
// remove whitespaces and tabs
url = url.replace(/[\t\n\r\s]+/g, '');
// replace javascript:// data:// and //
url = url.replace(/^((?:javascript)?(?:data)?[:\/\/]{1,3})/i, 'http://');
return url;
};There was a problem hiding this comment.
What specifically did not work with the DOM-anchor method ?
I like that you now force it to be a string, but dislike that it's gone back to regexp. URL parsing is by no means trivial, so I'd still advocate a proper URL parsing library if the DOM is insufficient.
| url = String(url); | ||
|
|
||
| url = url.replace(/[\t\n\r\s]+/g, ''); | ||
| url = url.replace(/^((?:javascript)?(?:data)?[:\/\/]{1,3})/i, 'http://'); |
There was a problem hiding this comment.
Shouldn't we do the opposite? Have only some allowed prefixes and remove all the rest?
There was a problem hiding this comment.
There was a discussion above already. My point is that there are a lot of URI types and we don't want to restrict use cases. "Javascript:" is the most dangerous one. But even this cannot do any harm, besides annoy people or mislead them with alert windows.
| @method sanatizeUrl | ||
| @param {String} url | ||
| **/ | ||
| Helpers.sanatizeUrl = function(url){ |
| var titleFull = webview.getTitle(), | ||
| title; | ||
|
|
||
| if(titleFull && titleFull.length > 40) { |
There was a problem hiding this comment.
Why are you cropping it on javascript? This could be accomplished with css, using overflow:hidden; text-overflow: ellipsis; white-space:nowrap;. Word width is not the same as character count.
There was a problem hiding this comment.
Because this text is used in a lot of places and it fixes: https://github.com/ethereum/security-issues/issues/14
There was a problem hiding this comment.
The point is we don't want to add the tex overflow on any element where we use that.
Titles more than 40 characters are uncommon and for that i added the property "nameFull"
| @@ -5,7 +5,7 @@ | |||
| require('./include/common')('mist'); | |||
| const { ipcRenderer: ipc, remote, webFrame } = require('electron'); | |||
| const { Menu, MenuItem } = remote; | |||
| const syncDb = require('../syncDb.js'); | |||
| const dbSync = require('../dbSync.js'); | |||
There was a problem hiding this comment.
what's the difference between syncDB and dbSync?
There was a problem hiding this comment.
Its just a name refactor. The reason is that now the files db.js and dbSync.js are next to each other, which helps with mental grouping.
Also we calle the nodeSync: nodeSync ;) so consistency.
This has actually northie todo with the vu.
| @@ -337,14 +337,14 @@ class IpcProviderBackend { | |||
| }) | |||
| .catch((err) => { | |||
|
|
|||
| err = this._makeErrorResponsePayload(payload || {}, { | |||
| var returnErr = this._makeErrorResponsePayload(payload || {}, { | |||
There was a problem hiding this comment.
But thats actually part of another PR: #1421 i will change it there
| url = String(url); | ||
|
|
||
| url = url.replace(/[\t\n\r\s]+/g, ''); | ||
| url = url.replace(/^((?:javascript)?(?:data)?[:\/\/]{1,3})/i, 'http://'); |
There was a problem hiding this comment.
As I've said, I dislike using naive regexps for parsing URLs. I don't have a bypass, but here's a simple false positive:
sanitizeUrl("javascript/jquery.js"); -> http://jquery.js
So if it's ever used to filter/sanitize relative URLs, it will fail if for data and javascript folders.
|
This thread has been automatically locked because it has not had recent activity. Please open a new issue for related bugs and link to relevant comments in this thread. |
Fixes currently:
Questions here:
The question is do we want to avoid
data://URIs and what threat do they bring.Note that these URIs are only prevent in the browserbar and as a possible full page load. Not as assets in a webpage