make markdown slightly safer without the nohtml volflag
by running dompurify on the output of marked.parse when markdown plugins are not enabled; this adds no protection against the more practical attack of simply uploading an html file that contains a malicious <script>, but one footgun less is one footgun less
							parent
							
								
									c5a6ac8417
								
							
						
					
					
						commit
						9f8edb7f32
					
				| @ -1599,6 +1599,7 @@ some notes on hardening | ||||
| * set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy) | ||||
|   * cors doesn't work right otherwise | ||||
| * if you allow anonymous uploads or otherwise don't trust the contents of a volume, you can prevent XSS with volflag `nohtml` | ||||
|   * this returns html documents as plaintext, and also disables markdown rendering | ||||
| 
 | ||||
| safety profiles: | ||||
| 
 | ||||
|  | ||||
| @ -7123,7 +7123,12 @@ function show_md(md, name, div, url, depth) { | ||||
| 
 | ||||
| 	try { | ||||
| 		clmod(div, 'mdo', 1); | ||||
| 		if (sandbox(div, sb_md, 'mdo', marked.parse(md, marked_opts))) | ||||
| 
 | ||||
| 		var md_html = marked.parse(md, marked_opts); | ||||
| 		if (!have_emp) | ||||
| 			md_html = DOMPurify.sanitize(md_html); | ||||
| 
 | ||||
| 		if (sandbox(div, sb_md, 'mdo', md_html)) | ||||
| 			return; | ||||
| 
 | ||||
| 		ext = md_plug.post; | ||||
|  | ||||
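Review bot: The new `md_html = DOMPurify.sanitize(md_html)` line relies on a `DOMPurify` global that this file never declares; the Dockerfile hunk appends it to the bundled marked.js, so any deployment that serves a different marked.js will hit a ReferenceError inside this `try` and lose markdown rendering instead of falling back to unsanitized output. That is the right failure direction but it is accidental; making it explicit before the parse, `if (!have_emp && typeof DOMPurify === 'undefined') throw new Error('DOMPurify not loaded; refusing to render unsanitized markdown');`, documents the intent and stops someone later "fixing" it with a silent skip. The `if (!have_emp)` bypass also deserves a why-comment, since the reason (plugins emit raw html on purpose, per the commit message) is not visible in the code: `// md plugins intentionally emit raw html/js; sanitizing would break them`. show_md starts and ends outside this hunk.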
| @ -212,6 +212,8 @@ function convert_markdown(md_text, dest_dom) { | ||||
| 
 | ||||
|     try { | ||||
|         var md_html = marked.parse(md_text, marked_opts); | ||||
|         if (!have_emp) | ||||
|             md_html = DOMPurify.sanitize(md_html); | ||||
|     } | ||||
|     catch (ex) { | ||||
|         if (ext) | ||||
|  | ||||
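Review bot: The parse-then-sanitize pair added on the `var md_html` and `if (!have_emp)` lines is the same three lines the browser.js hunk adds to show_md, so the sanitizer policy now lives in two places and any later tweak (a DOMPurify config, an ADD_TAGS/FORBID_TAGS list) has to be applied twice. If both files share a loader, which I cannot confirm from here, a helper such as `function md2html(md) { var h = marked.parse(md, marked_opts); return have_emp ? h : DOMPurify.sanitize(h); }` would keep them in step. `DOMPurify.sanitize` is also called with its default profile, which as far as I know strips scripts, event handlers and `javascript:` URLs but keeps network-loading markup like remote `<img src>`; not XSS, but worth a comment pinning the intended scope: `// default DOMPurify profile: strips script/handlers/javascript: urls, keeps remote img/links`. convert_markdown continues outside the hunk, and the `catch` that tests `ext` begins here but ends outside it.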
| @ -3,6 +3,7 @@ WORKDIR /z | ||||
| ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \ | ||||
|         ver_hashwasm=4.9.0 \ | ||||
|         ver_marked=4.3.0 \ | ||||
|         ver_dompf=3.0.5 \ | ||||
|         ver_mde=2.18.0 \ | ||||
|         ver_codemirror=5.65.12 \ | ||||
|         ver_fontawesome=5.13.0 \ | ||||
| @ -13,6 +14,7 @@ ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \ | ||||
| # https://github.com/markedjs/marked/releases | ||||
| # https://github.com/Ionaru/easy-markdown-editor/tags | ||||
| # https://github.com/codemirror/codemirror5/releases | ||||
| # https://github.com/cure53/DOMPurify/releases | ||||
| # https://github.com/Daninet/hash-wasm/releases | ||||
| # https://github.com/openpgpjs/asmcrypto.js | ||||
| # https://github.com/google/zopfli/tags | ||||
| @ -27,6 +29,7 @@ RUN     mkdir -p /z/dist/no-pk \ | ||||
|         && wget https://github.com/markedjs/marked/archive/v$ver_marked.tar.gz -O marked.tgz \ | ||||
|         && wget https://github.com/Ionaru/easy-markdown-editor/archive/$ver_mde.tar.gz -O mde.tgz \ | ||||
|         && wget https://github.com/codemirror/codemirror5/archive/$ver_codemirror.tar.gz -O codemirror.tgz \ | ||||
|         && wget https://github.com/cure53/DOMPurify/archive/refs/tags/$ver_dompf.tar.gz -O dompurify.tgz \ | ||||
|         && wget https://github.com/FortAwesome/Font-Awesome/releases/download/$ver_fontawesome/fontawesome-free-$ver_fontawesome-web.zip -O fontawesome.zip \ | ||||
|         && wget https://github.com/google/zopfli/archive/zopfli-$ver_zopfli.tar.gz -O zopfli.tgz \ | ||||
|         && wget https://github.com/Daninet/hash-wasm/releases/download/v$ver_hashwasm/hash-wasm@$ver_hashwasm.zip -O hash-wasm.zip \ | ||||
| @ -48,6 +51,7 @@ RUN     mkdir -p /z/dist/no-pk \ | ||||
|             && cd easy-markdown-editor* \ | ||||
|             && npm install \ | ||||
|             && npm i gulp-cli -g ) \ | ||||
|         && tar -xf dompurify.tgz \ | ||||
|         && tar -xf prism.tgz \ | ||||
|         && unzip fontawesome.zip \ | ||||
|         && tar -xf zopfli.tgz | ||||
| @ -120,6 +124,10 @@ RUN     cd easy-markdown-editor-$ver_mde \ | ||||
|         && cp -pv dist/easymde.min.js /z/dist/easymde.js | ||||
| 
 | ||||
| 
 | ||||
| # build dompurify | ||||
| RUN     (echo; cat DOMPurify-$ver_dompf/dist/purify.min.js) >> /z/dist/marked.js | ||||
| 
 | ||||
| 
 | ||||
| # build fontawesome and scp | ||||
| COPY    mini-fa.sh /z | ||||
| COPY    mini-fa.css /z | ||||
|  | ||||
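Review bot: The new `wget .../DOMPurify/archive/refs/tags/$ver_dompf.tar.gz -O dompurify.tgz` line fetches the sanitizer the whole commit depends on, pinned only to a git tag that upstream can move, and none of the visible `RUN` steps verify a digest of dompurify.tgz before `tar -xf` and the `cat .../dist/purify.min.js >> /z/dist/marked.js` append. The neighbouring downloads have the same gap, but this one is worth closing first: record a hash next to `ver_dompf` and add `&& echo "$sha_dompf  dompurify.tgz" | sha256sum -c -` before the extract. Unlike easymde, which appears to be built with npm/gulp in the steps above, this step copies the prebuilt `dist/purify.min.js` committed in the tag, so a digest is also the only thing tying the served bundle to a specific upstream release. The `(echo; cat ...)` wrapper correctly avoids joining purify's first line onto the last line of marked.js.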