From 8af96f585f83ff5c0000f0395dab52b02517abe3 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Tue, 18 Jul 2023 17:18:37 +0200 Subject: [PATCH] Disallow dangerous url schemes (#25960) Regression: https://github.com/go-gitea/gitea/pull/24805 Closes: #25945 - Disallow `javascript`, `vbscript` and `data` (data uri images still work) url schemes even if all other schemes are allowed - Fixed older `cbthunderlink` tests --------- Co-authored-by: delvh --- go.mod | 2 +- go.sum | 4 ++-- modules/markup/sanitizer.go | 9 +++++++++ modules/markup/sanitizer_test.go | 9 +++++++-- 4 files changed, 19 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 99b25a26194..9ba54ed1854 100644 --- a/go.mod +++ b/go.mod @@ -76,7 +76,7 @@ require ( github.com/mattn/go-sqlite3 v1.14.17 github.com/meilisearch/meilisearch-go v0.25.0 github.com/mholt/archiver/v3 v3.5.1 - github.com/microcosm-cc/bluemonday v1.0.24 + github.com/microcosm-cc/bluemonday v1.0.25 github.com/minio/minio-go/v7 v7.0.60 github.com/minio/sha256-simd v1.0.1 github.com/msteinert/pam v1.1.0 diff --git a/go.sum b/go.sum index a2568460f10..5f2704fddbd 100644 --- a/go.sum +++ b/go.sum @@ -865,8 +865,8 @@ github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30= github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE= github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo= github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= -github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw= -github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8= +github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg= +github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo= github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 59cde61a681..9f97f1d5b13 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -6,6 +6,7 @@ package markup import ( "io" + "net/url" "regexp" "sync" @@ -79,6 +80,14 @@ func createDefaultPolicy() *bluemonday.Policy { policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) } else { policy.AllowURLSchemesMatching(allowAllRegex) + + // Even if every scheme is allowed, these three are blocked for security reasons + disallowScheme := func(*url.URL) bool { + return false + } + policy.AllowURLSchemeWithCustomPolicy("javascript", disallowScheme) + policy.AllowURLSchemeWithCustomPolicy("vbscript", disallowScheme) + policy.AllowURLSchemeWithCustomPolicy("data", disallowScheme) } // Allow classes for anchors diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go index 0c22ce3ba0e..4d85cbf9f30 100644 --- a/modules/markup/sanitizer_test.go +++ b/modules/markup/sanitizer_test.go @@ -54,8 +54,13 @@ func Test_Sanitizer(t *testing.T) { `Hello World`, `Hello World`, // URLs - `[my custom URL scheme](cbthunderlink://somebase64string)`, `[my custom URL scheme](cbthunderlink://somebase64string)`, - `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, + `my custom URL scheme`, `my custom URL scheme`, + `my custom URL scheme`, `my custom URL scheme`, + + // Disallow dangerous url schemes + `bad`, `bad`, + `bad`, `bad`, + `bad`, `bad`, } for i := 0; i < len(testCases); i += 2 {