make markdown slightly safer without the nohtml volflag
by running dompurify after marked.parse if plugins are not enabled; adds no protection against the more practical approach of just putting a malicious <script> in an html file and uploading that, but one footgun less is one less footgun
This commit is contained in:
		
							parent
							
								
									c5a6ac8417
								
							
						
					
					
						commit
						9f8edb7f32
					
				| @ -1599,6 +1599,7 @@ some notes on hardening | |||||||
| * set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy) | * set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy) | ||||||
|   * cors doesn't work right otherwise |   * cors doesn't work right otherwise | ||||||
| * if you allow anonymous uploads or otherwise don't trust the contents of a volume, you can prevent XSS with volflag `nohtml` | * if you allow anonymous uploads or otherwise don't trust the contents of a volume, you can prevent XSS with volflag `nohtml` | ||||||
|  |   * this returns html documents as plaintext, and also disables markdown rendering | ||||||
| 
 | 
 | ||||||
| safety profiles: | safety profiles: | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -7123,7 +7123,12 @@ function show_md(md, name, div, url, depth) { | |||||||
| 
 | 
 | ||||||
| 	try { | 	try { | ||||||
| 		clmod(div, 'mdo', 1); | 		clmod(div, 'mdo', 1); | ||||||
| 		if (sandbox(div, sb_md, 'mdo', marked.parse(md, marked_opts))) | 
 | ||||||
|  | 		var md_html = marked.parse(md, marked_opts); | ||||||
|  | 		if (!have_emp) | ||||||
|  | 			md_html = DOMPurify.sanitize(md_html); | ||||||
|  | 
 | ||||||
|  | 		if (sandbox(div, sb_md, 'mdo', md_html)) | ||||||
| 			return; | 			return; | ||||||
| 
 | 
 | ||||||
| 		ext = md_plug.post; | 		ext = md_plug.post; | ||||||
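Review bot: The new `var md_html = marked.parse(md, marked_opts);` line assigns the unsanitized marked output before `DOMPurify.sanitize` runs, so if that call throws (for example when `DOMPurify` is undefined because purify.min.js was not loaded) the function-scoped `var` still holds raw HTML when control reaches the catch; the convert_markdown hunk in this commit has the same shape. Sanitizing in one expression keeps `md_html` either sanitized or unset: `var raw_html = marked.parse(md, marked_opts);` followed by `var md_html = have_emp ? raw_html : DOMPurify.sanitize(raw_html);`, ideally as a small shared helper since both hunks add the identical three lines and a later tightening of the sanitizer config should land in one place. A short comment on the `if (!have_emp)` test saying why plugin mode bypasses sanitization (presumably because plugin-generated markup would be stripped; the commit message only says "if plugins are not enabled") would help the next reader. show_md begins, and its catch block lies, outside this hunk.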
|  | |||||||
| @ -212,6 +212,8 @@ function convert_markdown(md_text, dest_dom) { | |||||||
| 
 | 
 | ||||||
|     try { |     try { | ||||||
|         var md_html = marked.parse(md_text, marked_opts); |         var md_html = marked.parse(md_text, marked_opts); | ||||||
|  |         if (!have_emp) | ||||||
|  |             md_html = DOMPurify.sanitize(md_html); | ||||||
|     } |     } | ||||||
|     catch (ex) { |     catch (ex) { | ||||||
|         if (ext) |         if (ext) | ||||||
|  | |||||||
| @ -3,6 +3,7 @@ WORKDIR /z | |||||||
| ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \ | ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \ | ||||||
|         ver_hashwasm=4.9.0 \ |         ver_hashwasm=4.9.0 \ | ||||||
|         ver_marked=4.3.0 \ |         ver_marked=4.3.0 \ | ||||||
|  |         ver_dompf=3.0.5 \ | ||||||
|         ver_mde=2.18.0 \ |         ver_mde=2.18.0 \ | ||||||
|         ver_codemirror=5.65.12 \ |         ver_codemirror=5.65.12 \ | ||||||
|         ver_fontawesome=5.13.0 \ |         ver_fontawesome=5.13.0 \ | ||||||
| @ -13,6 +14,7 @@ ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \ | |||||||
| # https://github.com/markedjs/marked/releases | # https://github.com/markedjs/marked/releases | ||||||
| # https://github.com/Ionaru/easy-markdown-editor/tags | # https://github.com/Ionaru/easy-markdown-editor/tags | ||||||
| # https://github.com/codemirror/codemirror5/releases | # https://github.com/codemirror/codemirror5/releases | ||||||
|  | # https://github.com/cure53/DOMPurify/releases | ||||||
| # https://github.com/Daninet/hash-wasm/releases | # https://github.com/Daninet/hash-wasm/releases | ||||||
| # https://github.com/openpgpjs/asmcrypto.js | # https://github.com/openpgpjs/asmcrypto.js | ||||||
| # https://github.com/google/zopfli/tags | # https://github.com/google/zopfli/tags | ||||||
| @ -27,6 +29,7 @@ RUN     mkdir -p /z/dist/no-pk \ | |||||||
|         && wget https://github.com/markedjs/marked/archive/v$ver_marked.tar.gz -O marked.tgz \ |         && wget https://github.com/markedjs/marked/archive/v$ver_marked.tar.gz -O marked.tgz \ | ||||||
|         && wget https://github.com/Ionaru/easy-markdown-editor/archive/$ver_mde.tar.gz -O mde.tgz \ |         && wget https://github.com/Ionaru/easy-markdown-editor/archive/$ver_mde.tar.gz -O mde.tgz \ | ||||||
|         && wget https://github.com/codemirror/codemirror5/archive/$ver_codemirror.tar.gz -O codemirror.tgz \ |         && wget https://github.com/codemirror/codemirror5/archive/$ver_codemirror.tar.gz -O codemirror.tgz \ | ||||||
|  |         && wget https://github.com/cure53/DOMPurify/archive/refs/tags/$ver_dompf.tar.gz -O dompurify.tgz \ | ||||||
|         && wget https://github.com/FortAwesome/Font-Awesome/releases/download/$ver_fontawesome/fontawesome-free-$ver_fontawesome-web.zip -O fontawesome.zip \ |         && wget https://github.com/FortAwesome/Font-Awesome/releases/download/$ver_fontawesome/fontawesome-free-$ver_fontawesome-web.zip -O fontawesome.zip \ | ||||||
|         && wget https://github.com/google/zopfli/archive/zopfli-$ver_zopfli.tar.gz -O zopfli.tgz \ |         && wget https://github.com/google/zopfli/archive/zopfli-$ver_zopfli.tar.gz -O zopfli.tgz \ | ||||||
|         && wget https://github.com/Daninet/hash-wasm/releases/download/v$ver_hashwasm/hash-wasm@$ver_hashwasm.zip -O hash-wasm.zip \ |         && wget https://github.com/Daninet/hash-wasm/releases/download/v$ver_hashwasm/hash-wasm@$ver_hashwasm.zip -O hash-wasm.zip \ | ||||||
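Review bot: The new DOMPurify download at the end of the wget chain is fetched by git tag (`$ver_dompf`) with no integrity check, so the archive that ends up in the build is whatever the tag points to on the day the image is built; the neighbouring marked and easy-markdown-editor lines share that weakness, while asmcrypto is pinned to a commit hash. Pinning `ver_dompf` to the commit behind the 3.0.5 tag, or adding a `sha256sum -c` step over the downloaded archives before the `tar -xf` lines, would make the sanitizer this commit relies on reproducible from source. The extraction and the `cat ... purify.min.js >> /z/dist/marked.js` step appear in the later hunks of this file.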
| @ -48,6 +51,7 @@ RUN     mkdir -p /z/dist/no-pk \ | |||||||
|             && cd easy-markdown-editor* \ |             && cd easy-markdown-editor* \ | ||||||
|             && npm install \ |             && npm install \ | ||||||
|             && npm i gulp-cli -g ) \ |             && npm i gulp-cli -g ) \ | ||||||
|  |         && tar -xf dompurify.tgz \ | ||||||
|         && tar -xf prism.tgz \ |         && tar -xf prism.tgz \ | ||||||
|         && unzip fontawesome.zip \ |         && unzip fontawesome.zip \ | ||||||
|         && tar -xf zopfli.tgz |         && tar -xf zopfli.tgz | ||||||
| @ -120,6 +124,10 @@ RUN     cd easy-markdown-editor-$ver_mde \ | |||||||
|         && cp -pv dist/easymde.min.js /z/dist/easymde.js |         && cp -pv dist/easymde.min.js /z/dist/easymde.js | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | # build dompurify | ||||||
|  | RUN     (echo; cat DOMPurify-$ver_dompf/dist/purify.min.js) >> /z/dist/marked.js | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| # build fontawesome and scp | # build fontawesome and scp | ||||||
| COPY    mini-fa.sh /z | COPY    mini-fa.sh /z | ||||||
| COPY    mini-fa.css /z | COPY    mini-fa.css /z | ||||||
|  | |||||||