-
Notifications
You must be signed in to change notification settings - Fork 77
Fix/xss rich text and statusmessage bypass #736
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| import { defineEventHandler, createError, getQuery, readBody, readMultipartFormData } from 'h3' | ||
| import { FilterXSS, type IFilterXSSOptions } from 'xss' | ||
| import { type IFilterXSSOptions } from 'xss' | ||
| import { resolveSecurityRules } from '../../nitro/context' | ||
| import type { HTTPMethod } from '../../../types/middlewares' | ||
| import { hasMaliciousPayload } from '../utils/xssPayload' | ||
|
|
||
| export default defineEventHandler(async(event) => { | ||
| const rules = resolveSecurityRules(event) | ||
|
|
@@ -11,38 +11,19 @@ export default defineEventHandler(async(event) => { | |
| ...rules.xssValidator, | ||
| escapeHtml: undefined | ||
| } | ||
| if (rules.xssValidator.escapeHtml === false) { | ||
| // No html escaping (by default "<" is replaced by "<" and ">" by ">") | ||
| filterOpt.escapeHtml = (value: string) => value | ||
| } | ||
| const xssValidator = new FilterXSS(filterOpt) | ||
|
|
||
| if (event.node.req.socket.readyState !== 'readOnly') { | ||
| if ( | ||
| rules.xssValidator.methods && | ||
| rules.xssValidator.methods.includes( | ||
| event.node.req.method! as HTTPMethod | ||
| ) | ||
| ) { | ||
| const method = event.node.req.method | ||
| if (method && (rules.xssValidator.methods as readonly string[]).includes(method)) { | ||
| const valueToFilter = | ||
| event.node.req.method === 'GET' | ||
| method === 'GET' | ||
| ? getQuery(event) | ||
| : event.node.req.headers['content-type']?.includes( | ||
| 'multipart/form-data' | ||
| ) | ||
| ? await readMultipartFormData(event) | ||
| : await readBody(event) | ||
| // Fix for problems when one middleware is returning an error and it is catched in the next | ||
| if (valueToFilter && Object.keys(valueToFilter).length) { | ||
| // Only skip XSS filtering if statusMessage === 'Bad Request' (for error propagation) | ||
| if (valueToFilter.statusMessage === 'Bad Request') { | ||
| return | ||
| } | ||
|
Comment on lines
-37
to
-40
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Removed this check because If middleware-to-middleware signaling is needed here, |
||
| const stringifiedValue = JSON.stringify(valueToFilter) | ||
| const processedValue = xssValidator.process( | ||
| JSON.stringify(valueToFilter) | ||
| ) | ||
| if (processedValue !== stringifiedValue) { | ||
| if (hasMaliciousPayload(valueToFilter, filterOpt)) { | ||
| const badRequestError = { | ||
| statusCode: 400, | ||
| statusMessage: 'Bad Request' | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| import { FilterXSS, type IFilterXSSOptions } from 'xss' | ||
|
|
||
| const DANGEROUS_URL_ATTRS = new Set(['href', 'src', 'background', 'style']) | ||
| const DANGEROUS_PROTOCOLS = /^\s*(?:javascript|vbscript|data\s*:\s*(?!image\/(?!svg)))/i | ||
| const MAX_DEPTH = 20 | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Depth limit here prevents stack overflow on maliciously nested payloads. Returns |
||
|
|
||
| function createMaliciousHtmlDetector (baseOptions: IFilterXSSOptions) { | ||
| let isMalicious = false | ||
|
|
||
| const detector = new FilterXSS({ | ||
| ...baseOptions, | ||
| onIgnoreTag (tag, html, options) { | ||
| if (!options.isClosing) { | ||
| isMalicious = true | ||
| } | ||
| return baseOptions.onIgnoreTag?.(tag, html, options) | ||
| }, | ||
| onIgnoreTagAttr (tag, name, attrValue, isWhiteAttr) { | ||
| if (name.startsWith('on')) { | ||
| isMalicious = true | ||
| } | ||
| return baseOptions.onIgnoreTagAttr?.(tag, name, attrValue, isWhiteAttr) | ||
| }, | ||
| safeAttrValue (tag, name, attrValue, cssFilter) { | ||
| if (DANGEROUS_URL_ATTRS.has(name) && DANGEROUS_PROTOCOLS.test(attrValue)) { | ||
| isMalicious = true | ||
| } | ||
| if (baseOptions.safeAttrValue) { | ||
| return baseOptions.safeAttrValue(tag, name, attrValue, cssFilter) | ||
| } | ||
| return attrValue | ||
| } | ||
| }) | ||
|
|
||
| return (value: string): boolean => { | ||
| isMalicious = false | ||
| detector.process(value) | ||
| return isMalicious | ||
| } | ||
| } | ||
|
|
||
| function isRecord (value: unknown): value is Record<string, unknown> { | ||
| return !!value && typeof value === 'object' && !Array.isArray(value) | ||
| } | ||
|
|
||
| export function hasMaliciousPayload (value: unknown, options: IFilterXSSOptions): boolean { | ||
| const isMaliciousHtml = createMaliciousHtmlDetector(options) | ||
|
|
||
| const inspect = (current: unknown, depth = 0): boolean => { | ||
| if (depth > MAX_DEPTH) { | ||
| return true | ||
| } | ||
|
|
||
| if (typeof current === 'string') { | ||
| return isMaliciousHtml(current) | ||
| } | ||
|
|
||
| if (Array.isArray(current)) { | ||
| return current.some(item => inspect(item, depth + 1)) | ||
| } | ||
|
|
||
| if (isRecord(current)) { | ||
| return Object.values(current) | ||
| .some(item => inspect(item, depth + 1)) | ||
| } | ||
|
|
||
| return false | ||
| } | ||
|
|
||
| return inspect(value) | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| <template> | ||
| <div> | ||
| <NuxtPage /> | ||
| </div> | ||
| </template> |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| export default defineNuxtConfig({ | ||
| modules: ['../../../src/module'], | ||
| security: { | ||
| xssValidator: { | ||
| methods: ['POST'], | ||
| }, | ||
| }, | ||
| }) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| import { defineEventHandler, readRawBody } from 'h3' | ||
|
|
||
| export default defineEventHandler(async (event) => { | ||
| const body = await readRawBody(event, 'utf8') | ||
|
|
||
| return { | ||
| ok: true, | ||
| body, | ||
| } | ||
| }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
escapeHtmldoesn't affect our detection, but theXssValidatorconfig type has it asboolean | undefinedwhileIFilterXSSOptionsexpects a function type. Explicitly overriding toundefinedkeeps TypeScript happy without an assertion.