Mercurial > kallithea
view .hgtags @ 6532:33b71a130b16
templates: properly escape inline JavaScript values
TLDR: Kallithea has issues with escaping values for use in inline JS.
Despite judicious poking of the code, no actual security vulnerabilities
have been found, just lots of corner-case bugs. This patch fixes those,
and hardens the code against actual security issues.
The long version:
To embed a Python value (typically a 'unicode' plain-text value) in a
larger file, it must be escaped in a context specific manner. Example:
>>> s = u'<script>alert("It\'s a trap!");</script>'
1) Escaped for insertion into HTML element context
>>> print cgi.escape(s)
<script>alert("It's a trap!");</script>
2) Escaped for insertion into HTML element or attribute context
>>> print h.escape(s)
<script>alert("It's a trap!");</script>
This is the default Mako escaping, as usually used by Kallithea.
3) Encoded as JSON
>>> print json.dumps(s)
"<script>alert(\"It's a trap!\");</script>"
4) Escaped for insertion into a JavaScript file
>>> print '(' + json.dumps(s) + ')'
("<script>alert(\"It's a trap!\");</script>")
The parentheses are not actually required for strings, but may be needed
to avoid syntax errors if the value is a number or dict (object).
5) Escaped for insertion into a HTML inline <script> element
>>> print h.js(s)
("\x3cscript\x3ealert(\"It's a trap!\");\x3c/script\x3e")
Here, we need to combine JS and HTML escaping, further complicated by
the fact that "<script>" tag contents can either be parsed in XHTML mode
(in which case '<', '>' and '&' must additionally be XML escaped) or
HTML mode (in which case '</script>' must be escaped, but not using HTML
escaping, which is not available in HTML "<script>" tags). Therefore,
the XML special characters (which can only occur in string literals) are
escaped using JavaScript string literal escape sequences.
(This, incidentally, is why modern web security best practices ban all
use of inline JavaScript...)
Unsurprisingly, Kallithea does not do (5) correctly. In most cases,
Kallithea might slap a pair of single quotes around the HTML escaped
Python value. A typical benign example:
$('#child_link').html('${_('No revisions')}');
This works in English, but if a localized version of the string contains
an apostrophe, the result will be broken JavaScript. In the more severe
cases, where the text is user controllable, it leaves the door open to
injections. In this example, the script inserts the string as HTML, so
Mako's implicit HTML escaping makes sense; but in many other cases, HTML
escaping is actually an error, because the value is not used by the
script in an HTML context.
The good news is that the HTML escaping thwarts attempts at XSS, since
it's impossible to inject syntactically valid JavaScript of any useful
complexity. It does allow JavaScript errors and gibberish to appear on
the page, though.
In these cases, the escaping has been fixed to use either the new 'h.js'
helper, which does JavaScript escaping (but not HTML escaping), OR the
new 'h.jshtml' helper (which does both), in those cases where it was
unclear if the value might be used (by the script) in an HTML context.
Some of these can probably be "relaxed" from h.jshtml to h.js later, but
for now, using h.jshtml fixes escaping and doesn't introduce new errors.
In a few places, Kallithea JSON encodes values in the controller, then
inserts the JSON (without any further escaping) into <script> tags. This
is also wrong, and carries actual risk of XSS vulnerabilities. However,
in all cases, security vulnerabilities were narrowly avoided due to other
filtering in Kallithea. (E.g. many special characters are banned from
appearing in usernames.) In these cases, the escaping has been fixed
and moved to the template, making it immediately visible that proper
escaping has been performed.
Mini-FAQ (frequently anticipated questions):
Q: Why do everything in one big, hard to review patch?
Q: Why add escaping in specific case FOO, it doesn't seem needed?
Because the goal here is to have "escape everywhere" as the default
policy, rather than identifying individual bugs and fixing them one
by one by adding escaping where needed. As such, this patch surely
introduces a lot of needless escaping. This is no different from
how Mako/Pylons HTML escape everything by default, even when not
needed: it's errs on the side of needless work, to prevent erring
on the side of skipping required (and security critical) work.
As for reviewability, the most important thing to notice is not where
escaping has been introduced, but any places where it might have been
missed (or where h.jshtml is needed, but h.js is used).
Q: The added escaping is kinda verbose/ugly.
That is not a question, but yes, I agree. Hopefully it'll encourage us
to move away from inline JavaScript altogether. That's a significantly
larger job, though; with luck this patch will keep us safe and secure
until such a time as we can implement the real fix.
Q: Why not use Mako filter syntax ("${val|h.js}")?
Because of long-standing Mako bug #140, preventing use of 'h' in
filters.
Q: Why not work around bug #140, or even use straight "${val|js}"?
Because Mako still applies the default h.escape filter before the
explicitly specified filters.
Q: Where do we go from here?
Longer term, we should stop doing variable expansions in script blocks,
and instead pass data to JS via e.g. data attributes, or asynchronously
using AJAX calls. Once we've done that, we can remove inline JavaScript
altogether in favor of separate script files, and set a strict Content
Security Policy explicitly blocking inline scripting, and thus also the
most common kind of cross-site scripting attack.
| author | Søren Løvborg <sorenl@unity3d.com> |
|---|---|
| date | Tue, 28 Feb 2017 17:19:00 +0100 |
| parents | f40905c3257c |
| children | 9b9258f5e2b2 |
line wrap: on
line source
c097458480a5972dd75d5695b61e855fd0ab371e rhodecode-0.0.0.7.0 8bdec09436cb7e4a764bd2ba50b84060e30eb34f rhodecode-0.0.0.7.1 1a18994cdc3bdd156ee93c7c0fb8d94a88f1f640 rhodecode-0.0.0.7.2 a3a7c3e03b76ee264a828cb1087970bb98bbffcd rhodecode-0.0.0.7.3 58b46f9194c347641bfc9a26697ef413a4761971 rhodecode-0.0.0.7.4 710e7a75bb6b8346cee3bd0ddda67592e4790268 rhodecode-0.0.0.7.5 ca80f8c0056211dad33483a50b913593516d7a6c rhodecode-0.0.0.7.6 0cf49c29c846fefeb4e1a222e4b1850e9e3eaa62 rhodecode-0.0.0.7.7 702c7e565c56a49c89414e81f28571c8e5b67408 rhodecode-0.0.0.7.8 c12f4d19c95065f313eefcd45eac9ef507f5fa55 rhodecode-0.0.0.7.9 558eb7c5028f24a90b5466ed16be13b213ba1fc2 rhodecode-0.0.0.8.0 a9814a642e11092b243ca01721254a04633a0ffc rhodecode-0.0.0.8.1 ccbe729908844884aea89d00fb14a6cb92e10c06 rhodecode-0.0.0.8.2 ca41d544dbdfd2f81bd0304168492a26276aadb6 rhodecode-0.0.0.8.3 2fa16ec5822da0c6fade3dd1ed9b6c0655e5dbbf rhodecode-0.0.0.8.4 16ba57d8fe2317c49dbd422afd07ab497687aa02 rhodecode-0.0.0.8.5 53128b6b9a4ddb6ee9554cbb83a082a6d1316b42 rhodecode-0.0.1.0.0rc4 afd98d1f817e6a6b52172735c22160239e615a6b rhodecode-0.0.1.0.0 bee56f209c40a6880f2f633b02227b5ee1f8ff5a rhodecode-0.0.1.0.1 d85b0948e53925ebbbc49e9f7967013a04f866e9 rhodecode-0.0.1.0.2 d9c8dddb96af521e346f05b88d515c536eef3d17 rhodecode-0.0.1.1.0 344f748517814ed0408a49e392dc625f4cc37fdc rhodecode-0.0.1.1.1 6c01c12eafb8cc72d4c4cbd121400fad755b2862 rhodecode-0.0.1.1.2 4fa80e0484ef5c33feaa9c39fc66916f410ba353 rhodecode-0.0.1.1.3 cb77867d69d3c5931712aac486c980a42ee90745 rhodecode-0.0.1.1.5 cb77867d69d3c5931712aac486c980a42ee90745 rhodecode-0.0.1.1.5 008bdfdd95c8bd31ae6d89f76c75c1f49cbcd0bc rhodecode-0.0.1.1.5 c5af1d3c861fb36b156224e75c2f55a97f54657d rhodecode-0.0.1.1.6 7327a0d1584cf28d33e738048af1f6809d499451 rhodecode-0.0.1.1.7 bd102f45950f779995a1beae42b6eb099cdd27b3 rhodecode-0.0.1.1.7 c8974135732aa0ceb841cee6df66e29f089b4963 rhodecode-0.0.1.1.8 c252049af24cd98eef5f4143fa3abbff3c912e29 rhodecode-0.0.1.2.0 0b8fba8ab90b01f811a50e6e7384989cced21d38 rhodecode-0.0.1.2.1 22273bec00ba2fd860c60a9277d3d7229e288e18 rhodecode-0.0.1.2.2 1ff606a7858dbd8a5f70b3da5cc89524bd0d84f9 rhodecode-0.0.1.2.3 a7a282a902b207ce34e830d643c79b7ab52e3b35 rhodecode-0.0.1.2.4 b6b611e7722e754abebaae6e265cbb4c823d344d rhodecode-0.0.1.2.5 dbc82e3362a25d2aece42060089824c4342efd17 rhodecode-0.0.1.3.0 79a95f338fd0115b2cdb77118f39e17d22ff505c rhodecode-0.0.1.3.1 9ab21c5ddb84935bea5c743b4e147ed5a398b30c rhodecode-0.0.1.3.2 934906f028b582a254e0028ba25e5d20dd32b9cd rhodecode-0.0.1.3.3 af21362474e3ab5aa0e2fbb1c872356f2c16c4f3 rhodecode-0.0.1.3.4 0e2792e04bd316fe64335cbe6a476031ac60b29b rhodecode-0.0.1.3.5 edfff9f37916389144d3a3644d0a7d7adfd79b11 rhodecode-0.0.1.3.6 9ae95fdeca184f2404205645f06c6597b74ef2db rhodecode-0.0.1.4.0 909143a4dde53c46d4f24abb426ec870471c7de1 rhodecode-0.0.1.4.1 d998cc84cf726798486a438763053f0e1dc1b646 rhodecode-0.0.1.4.2 3f5d40b9dd99ccb009ea2211ee2d4b594c634946 rhodecode-0.0.1.4.3 3148c08cf86f1849917e2d50f7ab7766c1550b0a rhodecode-0.0.1.4.4 a5f0bc867edc88be23eb808693e5393a97d4c54a rhodecode-0.0.1.5.0 3259dc7caea48687eab018ee646ae6ad7e7ef377 rhodecode-0.0.1.5.1 efe23d6c178c11d575a0214181276a3452776e48 rhodecode-0.0.1.5.2 1a498b11f1540f5b94b6f6009298f5dc3eaad9e9 rhodecode-0.0.1.5.3 3447862ad8c9ceba85857774c526e39fde3a2281 rhodecode-0.0.1.5.4 c15d7b336af58df9f1bbc8f8957464e7ea618d4c rhodecode-0.0.1.6.0rc1 78b53ee0d247f90d51b028307ff5717851b6c265 rhodecode-0.0.1.6.0 351ad34d56321349ff5bd38f537bd768b8efef2e rhodecode-0.0.1.7.0 1f71ef689d2a3c9978cea6591a1f4e9107a5ca83 rhodecode-0.0.1.7.1 cc48c1541c7e2e84114bf92a0f9cd4b8b1341545 0.0 d17e88a1a88a29f6fac948c94498129e405a40d3 0.1 ad0ce803b40cb17fc3988373052943e041030b02 0.2 c6e32714336345403adf76abb6ebf9b8116fcdc7 0.2.1 14f488a5dc4ca6647bc6acf12534fd137e968aa8 0.2.2 9b3e9e242f5c97cc0c7657e5ac93dce7de61ca16 0.3 9bf8eb837e785b6856ccfac264e977ce3ebe1535 0.3.1 a84d40e9481fcea4dafadee86b03f0dd401527d6 0.3.2