ZCS-16214 #6
ZCS-16214 #6
Conversation
ashishkataria86
requested review from
dasiyogesh,
Gopal-Moolchandani,
shrutig0510,
preshitaagrawal,
silentsakky and
k-kato
|
Please add technical information about the fix in commit and PR description so we know what and how we are fixing here |
| @@ -97,7 +97,28 @@ public AntiSamyDOMScanner(Policy policy) { | |||
| public AntiSamyDOMScanner() throws PolicyException { | |||
| super(); | |||
| } | |||
|
|
|||
| // Method to decode the Unicode escape sequences | |||
| private String decodeUnicodeEscapes(String input) { | |||
There was a problem hiding this comment.
I guess import-related regex was introduced in #4, and digging deeper found that it was introduced to circumvent an issue in antisamy library nahsra#24, and as per antisamy developer it's issue with CSS parser used in antisamy which seems fixed in nahsra#108
so if we upgrade the antisamy library then it's very well possible that we could remove our custom handling and also get rid of security issue
There was a problem hiding this comment.
I have further investigated this, and here are my findings:
The fix mentioned in nahsra#108 refers to enabling embedStyleSheets
<directive name="embedStyleSheets" value="true"/>
According to the documentation https://github.com/nahsra/antisamy/wiki/AntiSamy-Directives,
the embedStyleSheets directive allows external stylesheets referenced through @import to be fetched and embedded into the sanitized output. Allowing CSS imports from external URLs is a dangerous practice. It exposes the application to security risks by allowing the inclusion of potentially malicious external CSS, which goes against AntiSamy’s purpose of ensuring secure input sanitization. Support for this feature in AntiSamy is deprecated and will be removed in a future release.
As described in #2, there remains an issue where media queries are stripped during sanitization. This behavior is attributed to the underlying third-party library (org.apache.xml.serialize.HTMLSerializer) used for document serialization within AntiSamy. The fix in nahsra#108 does not explicitly address this media query stripping issue.
Therefore, it is uncertain whether the upgrade resolves the media query serialization issue.
Suggested Next Steps:
Conduct a detailed review of the latest AntiSamy release to verify if the media query stripping issue (linked to HTMLSerializer) has been resolved.
Determine whether the upgrade allows us to eliminate our custom handling without compromising security.
Ensure the embedStyleSheets directive remains disabled to mitigate risks associated with remote CSS imports.
| Matcher matcher = pattern.matcher(input); | ||
|
|
||
| // Find all matches and replace them with the decoded character | ||
| while (matcher.find()) { |
There was a problem hiding this comment.
Fixed to match the required style
The fix addresses the issue by decoding any Unicode-encoded characters in the string before checking for the @import rule. This ensures that encoded variants like Key Changes: This approach improves detection of obfuscated Unicode CSS payloads by normalizing input prior to applying further regex-based filtering. |
… statements and bumped the version of AntiSamy.
ashishkataria86
force-pushed
the
bugfix/ZCS-16214
branch
from
b97d36b to
e7d58f7
Compare
No description provided.