Merge branch 'flavorjones-allowlist-changes'

flavorjones · Oct 28, 2018 · 717655a · 717655a
2 parents 3556e2b + ef30cfd
commit 717655a
Show file tree

Hide file tree

Showing 7 changed files with 810 additions and 181 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## 2.3.0 / unreleased
+
+Features:
+
+* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
+* Expand set of allowed CSS functions. [related to #122]
+* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
+
+
 ## Meta / 2018-10-27
 
 The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146):

diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -6,7 +6,7 @@ module HTML5 # :nodoc:
     module Scrub
 
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
-      CSS_KEYWORDISH = /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+      CSS_KEYWORDISH = /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
       CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"}
 
       class << self

diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
diff --git a/tasks/dompurify-to-json b/tasks/dompurify-to-json
@@ -0,0 +1,15 @@
+#! /usr/bin/env node
+
+require('babel-register')({
+    presets: [ 'env' ]
+})
+
+const dir = "../../DOMPurify" ;
+// const dir = "../tmp/DOMPUrify" ;
+
+metadata = {
+  "attrs": require(dir + "/src/attrs"),
+  "tags": require(dir + "/src/tags")
+};
+
+process.stdout.write(JSON.stringify(metadata));
diff --git a/tasks/generate-allowlists b/tasks/generate-allowlists
@@ -0,0 +1,56 @@
+#! /usr/bin/env ruby
+
+require "open3"
+require "json"
+require "fileutils"
+
+TEMP_DIR = "tmp"
+DOMPURIFY_URL = "https://github.com/cure53/DOMPurify"
+DOMPURIFY_VERSION = "1.0.8"
+
+# FileUtils.mkdir_p TEMP_DIR
+# Dir.chdir TEMP_DIR do
+#   system("git clone #{DOMPURIFY_URL}")unless Dir.exist?("DOMPurify")
+
+#   Dir.chdir "DOMPurify" do
+#     system("npm install") unless Dir.exist?("node_modules")
+#     system "git checkout #{DOMPURIFY_VERSION}"
+#   end
+# end
+
+dompurify_metadata = Open3.popen2("tasks/dompurify-to-json") do |stdin, stdout, wait_thr|
+  raise wait_thr.value.to_s unless wait_thr.value.success?
+  JSON.parse(stdout.read)
+end
+
+dompurify_metadata.each { |k, v| puts "#{k}: #{v.keys}" }
+
+require "loofah"
+
+pairs = {
+  "html:tags" => [Loofah::HTML5::WhiteList::ACCEPTABLE_ELEMENTS, dompurify_metadata["tags"]["html"]],
+  "mathml:tags" => [Loofah::HTML5::WhiteList::MATHML_ELEMENTS, dompurify_metadata["tags"]["mathMl"]],
+  "svg:tags" => [Loofah::HTML5::WhiteList::SVG_ELEMENTS, dompurify_metadata["tags"]["svg"]],
+  "html:attrs" => [Loofah::HTML5::WhiteList::ACCEPTABLE_ATTRIBUTES, dompurify_metadata["attrs"]["html"]],
+  "mathml:attrs" => [Loofah::HTML5::WhiteList::MATHML_ATTRIBUTES, dompurify_metadata["attrs"]["mathMl"]],
+  "svg:attrs" => [Loofah::HTML5::WhiteList::SVG_ATTRIBUTES, dompurify_metadata["attrs"]["svg"]],
+}
+
+pairs.each do |name, v|
+  existing, updated = *v
+
+  existing = existing.to_a.sort
+  updated = updated.to_a.sort
+
+  removals = existing - updated
+  additions = updated - existing
+
+  puts "#{name}:"
+  puts "  removals (#{removals.length}):"
+  puts "    #{removals}"
+  puts "  additions (#{additions.length}):"
+  puts "    #{additions}"
+  puts
+end
+
+# TODO actually generate whitelists
diff --git a/tasks/generate-whitelists b/tasks/generate-whitelists
diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -275,6 +275,12 @@ def test_css_negative_value_sanitization_shorthand_css_properties
     assert_match %r/-0.05em/, sane.inner_html
   end
 
+  def test_css_high_precision_value_shorthand_css_properties
+    html = "<span style=\"margin-left:0.3333333334em;\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/0.3333333334em/, sane.inner_html
+  end
+
   def test_css_function_sanitization_leaves_whitelisted_functions_calc
     html = "<span style=\"width:calc(5%)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
@@ -298,11 +304,11 @@ def test_css_function_sanitization_leaves_whitelisted_list_style_type
   end
 
   def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
-    html = "<span style=\"width:attr(data-evil-attr)\">"
+    html = "<span style=\"width:url(data-evil-url)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     assert_match %r/<span><\/span>/, sane.inner_html
 
-    html = "<span style=\"width: attr(data-evil-attr)\">"
+    html = "<span style=\"width: url(data-evil-url)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     assert_match %r/<span><\/span>/, sane.inner_html
   end