Skip to content

Protect users from gallery.cnf #308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
oparoz merged 5 commits into from
Sep 24, 2015
Merged

Protect users from gallery.cnf #308

oparoz merged 5 commits into from
Sep 24, 2015

Conversation

@oparoz
Copy link
Contributor

@oparoz oparoz commented Sep 8, 2015

Fixes #295

  • Enabled the sanitizing option of marked
  • Added DOMPurify
  • Added custom rules to DOMPurify

@LukasReschke

@oparoz oparoz added this to the 8.2-current milestone Sep 8, 2015
@oparoz oparoz self-assigned this Sep 8, 2015
@oparoz
Copy link
Contributor Author

oparoz commented Sep 10, 2015

So, @LukasReschke. Is this working for you?
I tested with your example and a few others, but you probably have better tools :)

@oparoz oparoz force-pushed the protect-users-from-gallery.cnf branch from 8ddaa3d to f8556b1 Compare September 13, 2015 09:14
@oparoz
Copy link
Contributor Author

oparoz commented Sep 13, 2015

Rebased

@oparoz oparoz mentioned this pull request Sep 13, 2015
Closed
@oparoz oparoz force-pushed the protect-users-from-gallery.cnf branch from f8556b1 to 1315619 Compare September 15, 2015 14:14
@oparoz
Copy link
Contributor Author

oparoz commented Sep 15, 2015

@karlitschek @DeepDiver1975 Needs to be reviewed today. Feel free to delegate to someone who can.

@karlitschek
Copy link

karlitschek commented Sep 15, 2015

@LukasReschke @PVince81 @schiesbn can you help to review?

@LukasReschke
Copy link
Member

LukasReschke commented Sep 15, 2015

👎 - the sanitize function of marked is not secure enough please use commonmark.js as advised at #295 (comment)

Try something like:

---
# Gallery configuration file
information:
  description: This <script>alert(1)</script>is an **album description** which is only shown if there is no `description_link`
  copyright: Copyright 2003-2015 [URL](javascript&#58document;alert&#40;1&#41;)
  inherit: yes
sorting:
  type: date
  order: des
  inherit: yes
features:
  external_shares: yes
  native_svg: yes

Note that DOMPurify does just nothing in IE 8 :-)

@LukasReschke
Copy link
Member

LukasReschke commented Sep 15, 2015

Or even more secure remove the feature 🙊 🙈 🙉 runs away and hides ;-)

@oparoz
Copy link
Contributor Author

oparoz commented Sep 15, 2015

The example you gave is neutralized. The first part is converted to text and the second one is completely removed.

In the link you gave, to the list of PRs, there is only one which is relevant, but which is caught by DOMpurify:
markedjs/marked#592

I'll check commonmark to see if there are no rendering issues. There is also mardown-it, which also cares about security. They've all made good progress recently regarding speed.

Looking at DOMPurify's doc, I can confirm that I need to remove Gallery configuration support for IE8-9. Not a big deal.

@LukasReschke
Copy link
Member

LukasReschke commented Sep 15, 2015

No. DOMPurify is not a proper solution. The Markdown parser on it's own should be secure as well. It's like relying on an AV to make your PC more secure. It might be nice to have but it is in no way a proper defense in depth.

I'll check commonmark to see if there are no rendering issues.

👍

There is also markdown-it, which also cares about security. They've all made good progress recently regarding speed.

googles for markdown-it

@oparoz
Copy link
Contributor Author

oparoz commented Sep 15, 2015

OK!

@oparoz oparoz force-pushed the protect-users-from-gallery.cnf branch from 1315619 to 1da9917 Compare September 18, 2015 22:33
@oparoz
Copy link
Contributor Author

oparoz commented Sep 18, 2015

Done. No problem with speed with the type of content being displayed.

@LukasReschke Let me know if that now meets your requirements.

@oparoz oparoz force-pushed the protect-users-from-gallery.cnf branch 2 times, most recently from b9388ac to e40f0ec Compare September 20, 2015 17:46
@oparoz oparoz force-pushed the protect-users-from-gallery.cnf branch from e40f0ec to 8c5ea89 Compare September 24, 2015 08:29
@oparoz oparoz mentioned this pull request Sep 24, 2015
Merged
@LukasReschke
Copy link
Member

LukasReschke commented Sep 24, 2015

Can we use DOMPurity 0.6.7 (or directly 0.7.0) as it fixes a bypass?

Ref https://github.com/cure53/DOMPurify/releases/tag/0.6.7

@oparoz
Copy link
Contributor Author

oparoz commented Sep 24, 2015

Of course. Can me merge this and I then update all bower and composer packages?

@LukasReschke
Copy link
Member

LukasReschke commented Sep 24, 2015

Yup. Let's do it that way.

oparoz added a commit that referenced this pull request Sep 24, 2015
@oparoz
Merge pull request #308 from owncloud/protect-users-from-gallery.cnf
b1c88d3 
Protect users from gallery.cnf
@oparoz oparoz merged commit b1c88d3 into master Sep 24, 2015
@oparoz oparoz deleted the protect-users-from-gallery.cnf branch September 24, 2015 13:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@oparoz oparoz

Labels

bug enhancement security

Projects

None yet

Milestone

8.2

Development

Successfully merging this pull request may close these issues.

4 participants

@oparoz @karlitschek @LukasReschke