From 6c8d48b0f6faac5d5b832a70d0245941a912f78b Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Thu, 16 Mar 2017 13:47:27 +0100 Subject: [PATCH] Harden t() with DOMPurify This mitigates issues where developers pass untrusted user-input through t() which may lead to XSS issues. Signed-off-by: Lukas Reschke --- core/js/core.json | 3 ++- core/js/l10n.js | 10 +++++----- core/js/tests/specs/l10nSpec.js | 5 +++++ core/js/tests/specs/setupchecksSpec.js | 22 +++++++++++----------- settings/templates/apps.php | 1 - 5 files changed, 23 insertions(+), 18 deletions(-) diff --git a/core/js/core.json b/core/js/core.json index d589208c82..4d1d068500 100644 --- a/core/js/core.json +++ b/core/js/core.json @@ -12,7 +12,8 @@ "es6-promise/dist/es6-promise.js", "davclient.js/lib/client.js", "clipboard/dist/clipboard.js", - "autosize/dist/autosize.js" + "autosize/dist/autosize.js", + "DOMPurify/dist/purify.min.js" ], "libraries": [ "jquery-showpassword.js", diff --git a/core/js/l10n.js b/core/js/l10n.js index 43cfc7e820..77f771a20b 100644 --- a/core/js/l10n.js +++ b/core/js/l10n.js @@ -155,12 +155,12 @@ OC.L10N = { var r = vars[b]; if(typeof r === 'string' || typeof r === 'number') { if(allOptions.escape) { - return escapeHTML(r); + return DOMPurify.sanitize(escapeHTML(r)); } else { - return r; + return DOMPurify.sanitize(r); } } else { - return a; + return DOMPurify.sanitize(a); } } ); @@ -173,9 +173,9 @@ OC.L10N = { } if(typeof vars === 'object' || count !== undefined ) { - return _build(translation, vars, count); + return DOMPurify.sanitize(_build(translation, vars, count)); } else { - return translation; + return DOMPurify.sanitize(translation); } }, diff --git a/core/js/tests/specs/l10nSpec.js b/core/js/tests/specs/l10nSpec.js index 064b27aa34..3dd1fa268e 100644 --- a/core/js/tests/specs/l10nSpec.js +++ b/core/js/tests/specs/l10nSpec.js @@ -53,6 +53,11 @@ describe('OC.L10N tests', function() { t(TEST_APP, 'Hello {name}', {name: 'Steve'}, null, {escape: false}) ).toEqual('Hello Steve'); }); + it('uses DOMPurify to escape the text', function() { + expect( + t(TEST_APP, 'These are your search results', null, {escape: false}) + ).toEqual('These are your search results'); + }); it('keeps old texts when registering existing bundle', function() { OC.L10N.register(TEST_APP, { 'sunny': 'sonnig', diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index e18db4b7e5..937084aaa2 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -68,7 +68,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'Your web server is not set up properly to resolve "/.well-known/caldav/". Further information can be found in our documentation.', + msg: 'Your web server is not set up properly to resolve "/.well-known/caldav/". Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -166,7 +166,7 @@ describe('OC.SetupChecks tests', function() { msg: 'This server has no working Internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }, { - msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', + msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -200,7 +200,7 @@ describe('OC.SetupChecks tests', function() { type: OC.SetupChecks.MESSAGE_TYPE_WARNING }, { - msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', + msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -261,7 +261,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.', + msg: '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -291,7 +291,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the memcached wiki about both modules.', + msg: 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the memcached wiki about both modules.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -321,7 +321,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.', + msg: 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -402,7 +402,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.', + msg: 'You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -433,7 +433,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The PHP Opcache is not properly configured. For better performance we recommend ↗ to use following settings in the php.ini:' + "
opcache.enable=On\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1
", + msg: 'The PHP Opcache is not properly configured. For better performance we recommend ↗ to use following settings in the php.ini:' + "
opcache.enable=On\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1
", type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -617,7 +617,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', + msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -642,7 +642,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', + msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -667,7 +667,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', + msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); diff --git a/settings/templates/apps.php b/settings/templates/apps.php index 80689237e6..99d648c628 100644 --- a/settings/templates/apps.php +++ b/settings/templates/apps.php @@ -5,7 +5,6 @@ vendor_script( [ 'handlebars/handlebars', 'marked/marked.min', - 'DOMPurify/dist/purify.min', ] ); script(