[FileExplorer][SVG]Increase security (#19941)
* [FileExplorer][SVG]Increase security

* fix spellchecker

* Use 403 instead of 404
jaimecbernardo committed Aug 18, 2022
1 parent 4e3c965 commit de13017
Showing 3 changed files with 62 additions and 8 deletions.
2 changes: 2 additions & 0 deletions .github/actions/spell-check/expect.txt
Expand Up @@ -119,11 +119,13 @@ Aut
Authenticode
AUTHN
AUTHZ
Autofill
autogenerate
autogenerated
AUTOHIDE
AUTOMATIONPROPERTIES
Autorun
Autosave
Autostart
AUTOUPDATE
AValid
Expand Down
36 changes: 32 additions & 4 deletions src/modules/previewpane/SvgPreviewHandler/SvgPreviewControl.cs
Expand Up @@ -38,6 +38,11 @@ public class SvgPreviewControl : FormHandlerControl
/// </summary>
private const string VirtualHostName = "PowerToysLocalSvg";

/// <summary>
/// URI of the local file saved with the contents
/// </summary>
private Uri _localFileURI;

/// <summary>
/// Gets the path of the current assembly.
/// </summary>
Expand Down Expand Up @@ -162,6 +167,16 @@ private void FormResized(object sender, EventArgs e)
}
}

// Disable loading resources.
private void CoreWebView2_BlockExternalResources(object sender, CoreWebView2WebResourceRequestedEventArgs e)
{
// Show local file we've saved with the svg contents. Block all else.
if (new Uri(e.Request.Uri) != _localFileURI)
{
e.Response = _browser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
}
}

/// <summary>
/// Adds a WebView2 Control to Control Collection.
/// </summary>
Expand All @@ -171,9 +186,11 @@ private void AddWebViewControl(string svgData)
_browser = new WebView2();
_browser.Dock = DockStyle.Fill;

// Prevent new windows from being opened.
var webView2Options = new CoreWebView2EnvironmentOptions("--block-new-web-contents");
ConfiguredTaskAwaitable<CoreWebView2Environment>.ConfiguredTaskAwaiter
webView2EnvironmentAwaiter = CoreWebView2Environment
.CreateAsync(userDataFolder: _webView2UserDataFolder)
.CreateAsync(userDataFolder: _webView2UserDataFolder, options: webView2Options)
.ConfigureAwait(true).GetAwaiter();
webView2EnvironmentAwaiter.OnCompleted(() =>
{
Expand All @@ -183,9 +200,19 @@ private void AddWebViewControl(string svgData)
{
_webView2Environment = webView2EnvironmentAwaiter.GetResult();
await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true);
await _browser.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync("window.addEventListener('contextmenu', window => {window.preventDefault();});");
_browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Allow);
_browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Deny);
_browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false;
_browser.CoreWebView2.Settings.AreDefaultContextMenusEnabled = false;
_browser.CoreWebView2.Settings.AreDevToolsEnabled = false;
_browser.CoreWebView2.Settings.AreHostObjectsAllowed = false;
_browser.CoreWebView2.Settings.IsGeneralAutofillEnabled = false;
_browser.CoreWebView2.Settings.IsPasswordAutosaveEnabled = false;
_browser.CoreWebView2.Settings.IsScriptEnabled = false;
_browser.CoreWebView2.Settings.IsWebMessageEnabled = false;
// Don't load any resources.
_browser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
_browser.CoreWebView2.WebResourceRequested += CoreWebView2_BlockExternalResources;
// WebView2.NavigateToString() limitation
// See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks
Expand All @@ -194,7 +221,8 @@ private void AddWebViewControl(string svgData)
{
string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html";
File.WriteAllText(filename, svgData);
_browser.Source = new Uri(filename);
_localFileURI = new Uri(filename);
_browser.Source = _localFileURI;
}
else
{
Expand Down
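Review bot: `CoreWebView2_BlockExternalResources` only sets the 403 response after `new Uri(e.Request.Uri)` succeeds, so a request URI that `Uri` cannot parse throws out of the handler and the `e.Response` assignment is skipped — the filter is fail-open for exactly the inputs it cannot classify. Make the allow decision the explicit one and refuse everything else: `if (!Uri.TryCreate(e.Request.Uri, UriKind.Absolute, out var requested) || requested != _localFileURI)`. The same comparison appears in the inline lambda in SvgThumbnailProvider.cs and needs the same guard. `_localFileURI` is assigned only on the file-backed path (the `else` branch after `_browser.Source = _localFileURI;` continues outside the hunk), so on the other path every request is compared against null and refused; presumably that is intended, but a comment such as `// _localFileURI is null on the NavigateToString path: nothing is allowed through` would record it. Since this relies on `Uri` equality, a test with a user data folder containing non-ASCII characters would confirm the saved file's URI comes back from WebView2 in a form that still compares equal.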
Expand Up @@ -51,6 +51,11 @@ public class SvgThumbnailProvider : IInitializeWithStream, IThumbnailProvider, I
/// </summary>
private const string VirtualHostName = "PowerToysLocalSvgThumbnail";

/// <summary>
/// URI of the local file saved with the contents
/// </summary>
private Uri _localFileURI;

/// <summary>
/// Gets the path of the current assembly.
/// </summary>
Expand Down Expand Up @@ -126,19 +131,37 @@ public Bitmap GetThumbnail(string content, uint cx)
thumbnailDone = true;
};

var webView2Options = new CoreWebView2EnvironmentOptions("--block-new-web-contents");
ConfiguredTaskAwaitable<CoreWebView2Environment>.ConfiguredTaskAwaiter
webView2EnvironmentAwaiter = CoreWebView2Environment
.CreateAsync(userDataFolder: _webView2UserDataFolder)
.CreateAsync(userDataFolder: _webView2UserDataFolder, options: webView2Options)
.ConfigureAwait(true).GetAwaiter();
webView2EnvironmentAwaiter.OnCompleted(async () =>
{
try
{
_webView2Environment = webView2EnvironmentAwaiter.GetResult();
await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true);
await _browser.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync("window.addEventListener('contextmenu', window => {window.preventDefault();});");
_browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Allow);
_browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Deny);
_browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false;
_browser.CoreWebView2.Settings.AreDefaultContextMenusEnabled = false;
_browser.CoreWebView2.Settings.AreDevToolsEnabled = false;
_browser.CoreWebView2.Settings.AreHostObjectsAllowed = false;
_browser.CoreWebView2.Settings.IsGeneralAutofillEnabled = false;
_browser.CoreWebView2.Settings.IsPasswordAutosaveEnabled = false;
_browser.CoreWebView2.Settings.IsScriptEnabled = false;
_browser.CoreWebView2.Settings.IsWebMessageEnabled = false;
// Don't load any resources.
_browser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
_browser.CoreWebView2.WebResourceRequested += (object sender, CoreWebView2WebResourceRequestedEventArgs e) =>
{
// Show local file we've saved with the svg contents. Block all else.
if (new Uri(e.Request.Uri) != _localFileURI)
{
e.Response = _browser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
}
};
// WebView2.NavigateToString() limitation
// See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks
Expand All @@ -147,7 +170,8 @@ public Bitmap GetThumbnail(string content, uint cx)
{
string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html";
File.WriteAllText(filename, wrappedContent);
_browser.Source = new Uri(filename);
_localFileURI = new Uri(filename);
_browser.Source = _localFileURI;
}
else
{
Expand Down
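Review bot: The resource filter in GetThumbnail is an anonymous lambda, while SvgPreviewControl.cs gives the identical logic a named method (`CoreWebView2_BlockExternalResources`); a named private method here too would keep the two previewers consistent, let the handler be unsubscribed if that is ever needed, and make the filter recognisable in a stack trace. The environment used to build the 403 is already held in `_webView2Environment` two lines above the subscription, so `e.Response = _webView2Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);` avoids re-reading it through `_browser.CoreWebView2.Environment` inside the callback. The enclosing GetThumbnail method starts and ends outside the hunk.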
