fix: Hardened the depth tracking code against prototype pollution

cure53 · May 8, 2024 · 1e52026 · 1e52026
1 parent 8df72f1
commit 1e52026
Show file tree

Hide file tree

Showing 11 changed files with 59 additions and 117 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.mjs b/dist/purify.es.mjs
@@ -48,6 +48,7 @@ const stringTrim = unapply(String.prototype.trim);
 const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
 const regExpTest = unapply(RegExp.prototype.test);
 const typeErrorCreate = unconstruct(TypeError);
+const numberIsNaN = unapply(Number.isNaN);
 
 /**
  * Creates a new function that calls the given function with a specified thisArg and arguments.
@@ -1307,8 +1308,11 @@ function createDOMPurify() {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
         _forceRemove(shadowNode);
       }
 
@@ -1445,8 +1449,11 @@ function createDOMPurify() {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (currentNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
         _forceRemove(currentNode);
       }
 

diff --git a/dist/purify.es.mjs.map b/dist/purify.es.mjs.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -15,6 +15,7 @@ import {
   stringToString,
   stringIndexOf,
   stringTrim,
+  numberIsNaN,
   regExpTest,
   typeErrorCreate,
   lookupGetter,
@@ -1426,8 +1427,14 @@ function createDOMPurify(window = getGlobal()) {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (
+        shadowNode.__depth >= MAX_NESTING_DEPTH ||
+        numberIsNaN(shadowNode.__depth)
+      ) {
         _forceRemove(shadowNode);
       }
 
@@ -1577,8 +1584,14 @@ function createDOMPurify(window = getGlobal()) {
         }
       }
 
-      /* Remove an element if nested too deeply to avoid mXSS */
-      if (currentNode.__depth >= MAX_NESTING_DEPTH) {
+      /*
+       * Remove an element if nested too deeply to avoid mXSS
+       * or if the __depth might have been tampered with
+       */
+      if (
+        currentNode.__depth >= MAX_NESTING_DEPTH ||
+        numberIsNaN(currentNode.__depth)
+      ) {
         _forceRemove(currentNode);
       }
 

diff --git a/src/utils.js b/src/utils.js
@@ -52,6 +52,8 @@ const regExpTest = unapply(RegExp.prototype.test);
 
 const typeErrorCreate = unconstruct(TypeError);
 
+const numberIsNaN = unapply(Number.isNaN);
+
 /**
  * Creates a new function that calls the given function with a specified thisArg and arguments.
  *
@@ -215,6 +217,8 @@ export {
   stringToLowerCase,
   stringToString,
   stringTrim,
+  // Number
+  numberIsNaN,
   // Errors
   typeErrorCreate,
   // Other

diff --git a/test/test-suite.js b/test/test-suite.js
@@ -2104,101 +2104,5 @@
       let clean = DOMPurify.sanitize(dirty, config);
       assert.contains(clean, expected);
     });
-
-    QUnit.test('Test proper handling of nesting-based mXSS 1/3', function (assert) {
-
-      let dirty = `${`<div>`.repeat(250)}${`</div>`.repeat(250)}<img>`;
-      let expected = `${`<div>`.repeat(250)}${`</div>`.repeat(250)}<img>`;
-      let clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `${`<div>`.repeat(255)}${`</div>`.repeat(255)}<img>`;
-      expected = `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`;
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `${`<div>`.repeat(257)}${`</div>`.repeat(257)}<img>`;
-      expected = `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`;
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<div><template>${`<div>`.repeat(257)}${`</div>`.repeat(257)}<img>`;
-      expected = `<div><template>${`<div>`.repeat(251)}${`</div>`.repeat(251)}<img></template></div>`;
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<div><template>${`<r>`.repeat(255)}<img>${`</r>`.repeat(
-        255
-      )}</template></div><img>`;
-      expected = `<div><template></template></div><img>`;
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-    });
-
-    QUnit.test('Test proper handling of nesting-based mXSS 2/3', function (assert) {
-
-      let dirty = `<form><input name="__depth">${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
-      let expected = [
-          ``,
-          `<form><input>${`<div>`.repeat(252)}${`</div>`.repeat(252)}<img></form>`,
-      ];
-      let clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<form><input name="__depth"></form>${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
-      expected = [
-          `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
-          `<form><input></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
-      ];
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<form><input name="__removalCount">${`<div>`.repeat(
-        500
-      )}${`</div>`.repeat(500)}<img>`;
-      expected = [
-        ``,
-        `<form><input>${`<div>`.repeat(
-          252
-        )}${`</div>`.repeat(252)}<img></form>`,
-      ];
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<form><input name="__removalCount"></form>${`<div>`.repeat(
-        500
-      )}${`</div>`.repeat(500)}<img>`;
-      expected = [
-        `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
-        `<form><input></form>${`<div>`.repeat(
-          253
-        )}${`</div>`.repeat(253)}<img>`,
-      ];
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<form><input name="parentNode"></form>${`<div>`.repeat(
-        500
-      )}${`</div>`.repeat(500)}<img>`;
-      expected = [
-        `<form><input></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
-      ];
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-    });
-
-    QUnit.test('Test proper handling of nesting-based mXSS 3/3', function (assert) {
-
-      let dirty = `<form><input name="__depth">`;
-      let expected = [``, `<form><input></form>`];
-      let clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-
-      dirty = `<form><input name="__removalCount">`;
-      expected = [``, `<form><input></form>`];
-      clean = DOMPurify.sanitize(dirty);
-      assert.contains(clean, expected);
-    });
   };
 });