
Fix potential XSS in the preview button of FileWidget #4065

Merged (8 commits into rjsf-team:main, Jan 30, 2024)

Conversation


@yuki-js yuki-js commented Jan 25, 2024

Reasons for making this change

fixes #4057

The value prop in FileWidget parses the data URL inappropriately, which also permits the use of the javascript: scheme.
When the javascript: scheme is set, ui:filePreview is true, and the user clicks the Preview button, the JavaScript code is evaluated, which allows an XSS attack.

I fixed it by:

  • parsing the data URL correctly
  • throwing Error when the URL is invalid
  • restricting image types from any image to JPEG, PNG, GIF

Checklist

  • I'm updating documentation
  • I'm adding or updating code
    • I've added and/or updated tests. I've run npm run test:update to update snapshots, if needed.
    • I've updated docs if needed
    • I've updated the changelog with a description of the PR
  • I'm adding a new feature
    • I've updated the playground with an example use of the feature
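
The three fixes listed in the description (scheme check, strict base64 decoding, an allow-list of image types) as one added JavaScript example; this is not rjsf's own code, and parseImageDataUri, isRejected and the use of Node's Buffer for decoding are this example's own choices. The "data:<mime>;name=<file>;base64,<payload>" layout follows the snippets shown in the review threads.

```javascript
// Added example, not rjsf's own code: a strict parser for FileWidget-style
// values "data:<mime>;name=<file>;base64,<payload>". Anything that is not a
// base64 "data:" URL with an allow-listed image type is rejected by throwing.
const ALLOWED_IMAGE_TYPES = new Set(['image/jpeg', 'image/png', 'image/gif']);
// Strict base64 alphabet with at most two padding characters at the end.
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

function parseImageDataUri(uri, allowed = ALLOWED_IMAGE_TYPES) {
  // Scheme check comes first: "javascript:", "http:", etc. never get further.
  if (typeof uri !== 'string' || !/^data:/i.test(uri)) {
    throw new Error('File is invalid: not a data: URL');
  }
  const comma = uri.indexOf(',');
  if (comma < 0) {
    throw new Error('File is invalid: missing "," between header and payload');
  }
  // Header is "<mediatype>[;name=<filename>][;base64]" (RFC 2397 plus the
  // "name" parameter the widget uses); "data:" is 5 characters long.
  const params = uri.slice(5, comma).split(';');
  const type = params[0].toLowerCase();
  if (!allowed.has(type)) {
    throw new Error(`File is invalid: media type "${type}" is not allowed`);
  }
  let name = 'unknown';
  let isBase64 = false;
  for (const p of params.slice(1)) {
    if (p === 'base64') {
      isBase64 = true;
    } else if (p.startsWith('name=')) {
      name = decodeURIComponent(p.slice(5)); // assumes a percent-encoded name
    } else {
      throw new Error(`File is invalid: unexpected parameter "${p}"`);
    }
  }
  if (!isBase64) {
    throw new Error('File is invalid: payload must be base64');
  }
  const payload = uri.slice(comma + 1);
  // Validate before decoding: Buffer.from() silently skips bad characters.
  if (payload.length % 4 !== 0 || !BASE64_RE.test(payload)) {
    throw new Error('File is invalid: failed to decode base64');
  }
  return { type, name, bytes: new Uint8Array(Buffer.from(payload, 'base64')) };
}

// Helper for checks: true when parseImageDataUri rejects the value.
function isRejected(uri) {
  try { parseImageDataUri(uri); return false; } catch (e) { return true; }
}
```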

Review thread on packages/core/src/components/widgets/FileWidget.tsx (outdated, resolved)
Review thread on packages/utils/src/dataURItoBlob.ts (outdated, resolved):
}
// Create the blob object
const blob = new window.Blob([new Uint8Array(array)], { type });

return { blob, name };
} catch (error) {
return { blob: { size: 0, type: (error as Error).message }, name: dataURI };
throw new Error('File is invalid: failed to decode base64');
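Review bot: replacing the placeholder return with a throw changes the contract of dataURItoBlob from "always returns a blob" to "may raise", so every caller that relied on the zero-sized placeholder now needs a try/catch around the call, and the function's doc comment should state that it throws on malformed input. The removed line also stuffed the error message into the blob's `type` field, which made an invalid value indistinguishable from an odd but real file and, per the description, is how a javascript: value got through, so the throw is the right direction.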
heath-freenome (Member):

Why not just treat all of the errors to return a blob like these?

yuki-js (Contributor, Author) replied Jan 27, 2024:

The original code treated the invalid file as a zero-sized file. Of course, an invalid file is different from a zero-sized valid file. Invalid files should have been taken care of by the callee, but actually they were not.
This behavior also allowed the javascript: scheme.
I fixed this by handling these errors correctly.

heath-freenome (Member) commented:

@yuki-js your build in @rjsf/utils is failing.

yuki-js (Contributor, Author) commented Jan 27, 2024:

@heath-freenome Thank you for your review.
This failure is the same as the one we faced previously. Could you rerun it?
https://github.com/rjsf-team/react-jsonschema-form/actions/runs/7474848380/attempts/3

I'm sorry it was my oversight.

to pass the coverage test
heath-freenome (Member) left a review comment:

Sorry, I forgot to submit these comments over the weekend

Review thread on packages/core/src/components/widgets/FileWidget.tsx (outdated, resolved):
},
];
} catch (e) {
// Invalid dataURI, so just ignore it.
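Review bot: the empty catch at the end of this hunk swallows the exception that the new dataURItoBlob raises for invalid or non-data: values, so a rejected entry disappears from the file list with no trace. Even if the form keeps ignoring it for the user, a console.warn with the error message would make the rejection observable to the developer and in browser logs.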
heath-freenome (Member):

Maybe we want to report the exception to the user? Or make the file upload report it so that they don't wonder why their file disappeared.

yuki-js (Contributor, Author) replied:

Possibility of an exception: When an ordinary user uploads files in the ordinary way, the exception should never happen, since the data URL is always returned and Base64 encoding/decoding always succeeds. Therefore the data should not disappear in an unintuitive way.

Error notification: If the caller injects a malformed string into formData, the validator rejects it with `.files.0 must match format "data-url"`, but that would be an issue on the side of the caller.

Although I could also change it by adding an error flag in FileInfoType, I decided not to report an explicit error for this reason.

yuki-js and others added 2 commits January 30, 2024 15:18
Co-authored-by: Heath C <51679588+heath-freenome@users.noreply.github.com>
@heath-freenome heath-freenome merged commit ee2ac9b into rjsf-team:main Jan 30, 2024
4 checks passed
@yuki-js yuki-js deleted the fix/file-xss branch January 30, 2024 16:28
nickgros added a commit that referenced this pull request Apr 19, 2024

Successfully merging this pull request may close these issues.

Validate dataURL to prevent XSS attacks
2 participants