Skip to content

Commit

Permalink
Merge branch 'h1-2519936-mglyph-foster-parenting' into flavorjones-20…
Browse files Browse the repository at this point in the history
…24-security-fixes

* h1-2519936-mglyph-foster-parenting:
  fix: disallow 'mglyph' and 'malignmark' from safe lists
  • Loading branch information
flavorjones committed Dec 1, 2024
2 parents 3fe22a8 + a0a3e8b commit 65fb72f
Show file tree
Hide file tree
Showing 3 changed files with 93 additions and 0 deletions.
13 changes: 13 additions & 0 deletions lib/rails/html/scrubbers.rb
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,19 @@ def validate!(var, name)
if var && !var.is_a?(Enumerable)
raise ArgumentError, "You should pass :#{name} as an Enumerable"
end

if var && name == :tags
if var.include?("mglyph")
warn("WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber and will be scrubbed")
var.delete("mglyph")
end

if var.include?("malignmark")
warn("WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber and will be scrubbed")
var.delete("malignmark")
end
end

var
end

Expand Down
72 changes: 72 additions & 0 deletions test/sanitizer_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -1096,6 +1096,46 @@ def test_should_sanitize_across_newlines
assert_equal "", sanitize_css(raw)
end

def test_should_prune_mglyph
# https://hackerone.com/reports/2519936
input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
tags = %w(math mtext table mglyph style)

actual = nil
assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
actual = safe_list_sanitize(input, tags: tags)
end

acceptable_results = [
# libxml2
"<math><mtext><table><style>&lt;img src=: onerror=alert(1)&gt;</style></table></mtext></math>",
# libgumbo
"<math><mtext><style><img src=: onerror=alert(1)></style><table></table></mtext></math>",
]

assert_includes(acceptable_results, actual)
end

def test_should_prune_malignmark
# https://hackerone.com/reports/2519936
input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
tags = %w(math mtext table malignmark style)

actual = nil
assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
actual = safe_list_sanitize(input, tags: tags)
end

acceptable_results = [
# libxml2
"<math><mtext><table><style>&lt;img src=: onerror=alert(1)&gt;</style></table></mtext></math>",
# libgumbo
"<math><mtext><style><img src=: onerror=alert(1)></style><table></table></mtext></math>",
]

assert_includes(acceptable_results, actual)
end

protected
def safe_list_sanitize(input, options = {})
module_under_test::SafeListSanitizer.new.sanitize(input, options)
Expand Down Expand Up @@ -1175,5 +1215,37 @@ def test_should_not_be_vulnerable_to_ns_confusion_2519941

assert_nil(xss)
end

def test_should_not_be_vulnerable_to_mglyph_namespace_confusion
# https://hackerone.com/reports/2519936
input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
tags = %w(math mtext table mglyph style)

result = nil
assert_output(nil, /WARNING/) do
result = safe_list_sanitize(input, tags: tags)
end

browser = Nokogiri::HTML5::Document.parse(result)
xss = browser.at_xpath("//img/@onerror")

assert_nil(xss)
end

def test_should_not_be_vulnerable_to_malignmark_namespace_confusion
# https://hackerone.com/reports/2519936
input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
tags = %w(math mtext table malignmark style)

result = nil
assert_output(nil, /WARNING/) do
result = safe_list_sanitize(input, tags: tags)
end

browser = Nokogiri::HTML5::Document.parse(result)
xss = browser.at_xpath("//img/@onerror")

assert_nil(xss)
end
end if loofah_html5_support?
end
8 changes: 8 additions & 0 deletions test/scrubbers_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,14 @@ def test_leaves_only_supplied_tags_and_attributes
assert_scrubbed html, '<tag></tag><tag cooler=""></tag>'
end

def test_does_not_allow_safelisted_mglyph
# https://hackerone.com/reports/2519936
assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
@scrubber.tags = ["div", "mglyph", "span"]
end
assert_equal(["div", "span"], @scrubber.tags)
end

def test_leaves_text
assert_scrubbed("some text")
end
Expand Down

0 comments on commit 65fb72f

Please sign in to comment.