Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent Object Navigation Outside of the Lock Screen #13328

Merged
merged 10 commits into from
Feb 11, 2022

Conversation

seanbudd
Copy link
Member

Link to issue number:

None, follow up on #5269

Summary of the issue:

On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269.

On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation.

STR:

  1. Press Windows+L
  2. press containing object (NVDA+numpad8/NVDA+shift+upArrow),
  3. then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system.

On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen.

Microsoft is aware of this issue.

Description of how this pull request fixes the issue:

This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp.
To prevent focus objects being set or used for navigation, this function is utilised in various api methods.

An overlay class is also added which prevents navigation and announcement of content outside of the lockapp.

This PR also adds GlobalCommands.script_navigatorObject_devInfo to the allowed commands on the lockscreen to aid with debugging.
This command should be safe as:

  1. The command only logs objects it can navigate to
  2. The log viewer cannot be accessed from the lockscreen

Testing strategy:

Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809

  • Attempt to navigate outside the top level window of the lock screen using object navigation using STR
  • Ensure the lock screen can still be navigated with object navigation

Known issues with pull request:

Performing 2 windows windll at every attempt to object navigate might add latency to object navigation.
This is mitigated by checking first if the lockapp appModule is running, however the lockapp process stays alive for sometime and cannot be used by itself.

There is no function you can call to determine whether the workstation is locked.
https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-lockworkstation
https://stackoverflow.com/questions/34514644/in-python-3-how-can-i-tell-if-windows-is-locked

An advisory is required to be sent out for earlier NVDA versions.

Change log entries:

Bug fixes

- Security fix: Prevent object navigation outside of the lockscreen on Windows 10 and Windows 11.

Code Review Checklist:

  • Pull Request description:
    • description is up to date
    • change log entries
  • Testing:
    • Unit tests
    • System (end to end) tests
    • Manual testing
  • API is compatible with existing add-ons.
  • Documentation:
    • User Documentation
    • Developer / Technical Documentation
    • Context sensitive help for GUI changes
  • UX of all users considered:
    • Speech
    • Braille
    • Low Vision
    • Different web browsers
    • Localization in other languages / culture than English

@seanbudd seanbudd merged commit c29fa56 into master Feb 11, 2022
@seanbudd seanbudd deleted the preventObjNavOutsideLockScreen branch February 11, 2022 01:07
@nvaccessAuto nvaccessAuto added this to the 2022.1 milestone Feb 11, 2022
seanbudd added a commit that referenced this pull request Feb 18, 2022
Link to issue number:
None, follow up on #5269

Summary of the issue:
On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269.

On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation.

STR:

1. Press Windows+L
1. press containing object (NVDA+numpad8/NVDA+shift+upArrow),
1. then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system.
1. On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen.

Microsoft is aware of this issue.

Description of how this pull request fixes the issue:
This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp.
To prevent focus objects being set or used for navigation, this function is utilised in various api methods.

An overlay class is also added which prevents navigation and announcement of content outside of the lockapp.

This PR also adds `GlobalCommands.script_navigatorObject_devInfo` to the allowed commands on the lockscreen to aid with debugging.

This command should be safe as:
- The command only logs objects it can navigate to
- The log viewer cannot be accessed from the lockscreen

Testing strategy:
Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809
- Attempt to navigate outside the top level window of the lock screen using object navigation using STR
- Ensure the lock screen can still be navigated with object navigation

An advisory is required to be sent out for earlier NVDA versions.
seanbudd added a commit that referenced this pull request Feb 21, 2022
Link to issue number:
None, follow up on #5269

Summary of the issue:
On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269.

On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation.

STR:

1. Press Windows+L
1. press containing object (NVDA+numpad8/NVDA+shift+upArrow),
1. then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system.
1. On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen.

Microsoft is aware of this issue.

Description of how this pull request fixes the issue:
This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp.
To prevent focus objects being set or used for navigation, this function is utilised in various api methods.

An overlay class is also added which prevents navigation and announcement of content outside of the lockapp.

This PR also adds `GlobalCommands.script_navigatorObject_devInfo` to the allowed commands on the lockscreen to aid with debugging.

This command should be safe as:
- The command only logs objects it can navigate to
- The log viewer cannot be accessed from the lockscreen

Testing strategy:
Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809
- Attempt to navigate outside the top level window of the lock screen using object navigation using STR
- Ensure the lock screen can still be navigated with object navigation

An advisory is required to be sent out for earlier NVDA versions.
feerrenrut pushed a commit that referenced this pull request Sep 21, 2022
Addresses GHSA-585m-rpvv-93qg

Summary of the issue:
NVDA introduced the report dev info script as a safe script for the lock screen in 2021.3.2 via #13328.
This was under the assumption that the log viewer never shows up on the lock screen.

However, using certain steps, the log viewer can be interacted with on the lock screen.
Further steps allow opening the NVDA python console, allowing arbitrary code execution.

Description of user facing changes
The devInfo script (open the log viewer and report navigator object information) is no longer available on the lock screen.

Description of development approach
Remove devInfo from safe scripts

Review the security of other scripts in safe scripts.

Added additional security protection to ScreenExplorer used by touch interaction, as well as setting the review position with api.setReviewPosition.

Testing strategy:
Test with a self-signed build the STR in GHSA-585m-rpvv-93qg
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants