New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SsKaTeX robustness improvements #471
Conversation
The security issues regarding user-specified Javascript (locations) are bothering me. Until recently, I figured that there is no reasonable way for kramdown to know what parts of its configuration input are trusted, so the responsibility for securing the configuration has to be passed upwards anyway. But there may be better ways to do this. What about this:
I'd prefer to make rejection of tainted |
There are some problems with the above concept:
Still trying to come up with something practical and reasonable. Ideas? |
Thanks again for you changes! I think the easy solution for the security issues would be to add an option to disable the application of the 'options' extensions. Then it is not possible for a user to change anything. Another way would be to document the issue and explain how to overcome it, i.e. by separating the parsing and converting phases and applying the correct options in between: doc = Kramdown::Document.new(content)
doc.options[:math_engine_opts] = ...
doc.to_html What do you think? |
I thought about that. However:
Ideally, we'd have an opt-in mechanism so that simply upgrading kramdown should not open JS code execution possibilities, whereas enabling SsKaTeX (or its JS configuration bits) should require a bit of affirmative administrator action. There is a sensible solution but it would take effort that I have shied away from so far:
Costs:
It hurts me writing this, but the separate-gem approach currently seems to be the truly best way of doing things. Thoughts? Suggestions? |
Encouraging news:
|
This branch seems to be ready for merging now. Further work is supposed to focus on the external SsKaTeX gem without touching those parts of its API that are used by kramdown. |
@ccorn This looks great - once you rebase and squash your commits into one, I will incorporate the commit and release a new kramdown version (all other tasks for this release are now finally done...). |
* Rakefile, test/test_files.rb: test for actual KaTeX output. * SsKaTeX math engine options renamed more sytematically * Factored out the SsKaTeX backend to a separate gem * Added security note to SsKaTeX documentation
OK, rebased and squashed. |
Thanks @ccorn - merged and done! |
These commits address some shortcomings of the commit resulting from #455:
dev:test_katexjs
was not good enough (and therefore not accepted). It only tested for presence ofkatex/katex.min.js
and therefore could not catch many engine-related errors or compatibility issues. The replacementdev:test_sskatex_deps
now makes an actual SsKaTeX test run and tests whether the output is KaTeX. The test forkatex/katex.min.js
has been retained for nicer diagnostics.KATEX_AVAILABLE
intest/test_files.rb
now indicates that successful SsKaTeX compilations can be done.js
in their name are admin stuff and should not be left to unknown users unless the service using kramdown runs in a properly isolated environment.May need some final tuning. Give this a day to settle down.