fix(xss): regression in uri sanitizer (#65)

fixes #64
adobe · May 27, 2019 · ca9ea37 · ca9ea37
1 parent b8875c6
commit ca9ea37
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 17 deletions.
diff --git a/src/runtime/xss_api.js b/src/runtime/xss_api.js
@@ -72,15 +72,15 @@ const DEC_OCTET = '(?:\\p{N}|[\\x31-\\x39]\\p{N}|1\\p{N}{2}|2[\\x30-\\x34]\\p{N}
 const H16 = `${HEX_DIGIT}{1,4}`;
 const IPV4_ADDRESS = `${DEC_OCTET}\\.${DEC_OCTET}\\.${DEC_OCTET}\\.${DEC_OCTET}`;
 const LS32 = `(?:${H16}:${H16})|${IPV4_ADDRESS}`;
-const IPV6_ADDRESS = `(?:(?:(?:${H16}:){6}(?:${LS32}))|" +
-        "(?:::(?:${H16}:){5}(?:${LS32}))|" +
-        "(?:(?:${H16}){0,1}::(?:${H16}:){4}(?:${LS32}))|" +
-        "(?:(?:(?:${H16}:){0,1}${H16})?::(?:${H16}:){3}(?:${LS32}))|" +
-        "(?:(?:(?:${H16}:){0,2}${H16})?::(?:${H16}:){2}(?:${LS32}))|" +
-        "(?:(?:(?:${H16}:){0,3}${H16})?::(?:${H16}:){1}(?:${LS32}))|" +
-        "(?:(?:(?:${H16}:){0,4}${H16})?::(?:${LS32}))|" +
-        "(?:(?:(?:${H16}:){0,5}${H16})?::(?:${H16}))|" +
-        "(?:(?:(?:${H16}:){0,6}${H16})?::))`;
+const IPV6_ADDRESS = `(?:(?:(?:${H16}:){6}(?:${LS32}))|`
+        + `(?:::(?:${H16}:){5}(?:${LS32}))|`
+        + `(?:(?:${H16}){0,1}::(?:${H16}:){4}(?:${LS32}))|`
+        + `(?:(?:(?:${H16}:){0,1}${H16})?::(?:${H16}:){3}(?:${LS32}))|`
+        + `(?:(?:(?:${H16}:){0,2}${H16})?::(?:${H16}:){2}(?:${LS32}))|`
+        + `(?:(?:(?:${H16}:){0,3}${H16})?::(?:${H16}:){1}(?:${LS32}))|`
+        + `(?:(?:(?:${H16}:){0,4}${H16})?::(?:${LS32}))|`
+        + `(?:(?:(?:${H16}:){0,5}${H16})?::(?:${H16}))|`
+        + `(?:(?:(?:${H16}:){0,6}${H16})?::))`;
 const IP_LITERAL = `\\[${IPV6_ADDRESS}]`;
 const PORT = '[0-9]+';
 const HOST = `(?:${IP_LITERAL}|${IPV4_ADDRESS}|${REG_NAME})`;
@@ -96,13 +96,8 @@ const PATH_ABSOLUTE = `\\/(?:${SEGMENT_NZ}${PATH_ABEMPTY})?`;
 const PATH_NOSCHEME = `${SEGMENT_NZ_NC}(?:\\/|(\\/${SEGMENT_NZ})*)`;
 const PATH_ROOTLESS = `${SEGMENT_NZ}(?:\\/|(\\/${SEGMENT_NZ})*)`;
 const PATH_EMPTY = '(?:^$)';
-const RELATIVE_PART = `(?:(?:\\/\\/${AUTHORITY}${PATH_ABEMPTY})|
-        (?:${PATH_ABSOLUTE})|
-        (?:${PATH_ROOTLESS}))`;
-const HIER_PART = `(?:(?:\\/\\/${AUTHORITY}${PATH_ABEMPTY})|
-        (?:${PATH_ABSOLUTE})|
-        (?:${PATH_NOSCHEME})|
-        ${PATH_EMPTY})`;
+const RELATIVE_PART = `(?:(?:\\/\\/${AUTHORITY}${PATH_ABEMPTY})|(?:${PATH_ABSOLUTE})|(?:${PATH_ROOTLESS}))`;
+const HIER_PART = `(?:(?:\\/\\/${AUTHORITY}${PATH_ABEMPTY})|(?:${PATH_ABSOLUTE})|(?:${PATH_NOSCHEME})|${PATH_EMPTY})`;
 
 const RELATIVE_REF = `^(?!\\s*javascript(?::|&colon;))${RELATIVE_PART}?(?:\\?${QUERY})?(?:#${FRAGMENT})?$`;
 const URI = `^${SCHEME_PATTERN}:${HIER_PART}(?:\\?${QUERY})?(?:#${FRAGMENT})?$`;

diff --git a/test/runtime_test.js b/test/runtime_test.js
@@ -53,6 +53,7 @@ const GLOBALS = {
     url2: 'javascript://%0Dalert(0)', // js comment & return char
     url3: 'javascript:/*--><script>alert(0);</script>', // js comment & break out of html tag
     url4: 'javascript:alert(String.fromCharCode(48))', // avoiding quotes
+    url5: '/foo', // rel part
     breakAttr: '"><script>alert(0);</script>', // break out of html tag
     eventHandler: 'alert(0)',
     imgTag1: '<img src="javascript:alert(0)"/>',

diff --git a/test/specs/context_spec.js b/test/specs/context_spec.js
@@ -13,6 +13,6 @@ module.exports = {
   properties: {
     title: 'HTML & Things <b>are bold</b> or Single \' or double " quoted.<script>alert("hello");</script>',
     attvalue: '" onload="alert()" "',
-
+    nav: '/SUMMARY',
   },
 };
diff --git a/test/specs/context_spec.txt b/test/specs/context_spec.txt
@@ -56,6 +56,14 @@ ${properties.title @ context='uri'}
 ^^^
     $.out(var_0);
 #
+### path prefix
+#
+${properties.nav}
+<esi:include src="${properties.nav}.nav.html" />
+===
+/SUMMARY
+<esi:include src="/SUMMARY.nav.html"/>
+#
 ### scriptToken
 #
 ${'foo' @ context='scriptToken'}

diff --git a/test/templates/xss.htl b/test/templates/xss.htl
@@ -37,5 +37,6 @@
   <form action="${xss.breakAttr}" onsubmit="${xss.eventHandler}">
     <input name="test" value="${xss.breakAttr}"/>
   </form>
+  <img src="${xss.url5}/bla.jpg" />
 </body>
 </html>
diff --git a/test/templates/xss.html b/test/templates/xss.html
@@ -37,5 +37,6 @@
   <form action="&quot;&gt;&lt;script&gt;alert&#x28;0&#x29;&#x3b;&lt;&#x2f;script&gt;" onsubmit="alert&#x28;0&#x29;">
     <input name="test" value="&quot;&gt;&lt;script&gt;alert&#x28;0&#x29;&#x3b;&lt;&#x2f;script&gt;"/>
   </form>
+  <img src="/foo/bla.jpg"/>
 </body>
 </html>