[hackerone] IPFS crash #24093

Closed
diracdeltas opened this issue Jul 17, 2022 · 2 comments · Fixed by brave/brave-core#14211

diracdeltas commented Jul 17, 2022

see https://hackerone.com/reports/1636430 for details

credit: neeythann

cypt4 added the priority/P2 and feature/web3/ipfs labels Jul 18, 2022
cypt4 added a commit to brave/brave-core that referenced this issue Jul 18, 2022
Fixes brave/brave-browser#24093
Don't allow to commit raw ipfs\ipns navigations.
cypt4 added the QA/Yes label Jul 19, 2022
brave-builds added this to the 1.43.x - Nightly milestone Jul 19, 2022
stephendonner added the QA/In-Progress and bug labels Aug 4, 2022

stephendonner commented Aug 4, 2022

Verification PASSED (see crash note) using

Brave 1.43.56 Chromium: 104.0.5112.81 (Official Build) dev (x86_64)
Revision 5b7b76419d50f583022568b6764b630f6ddc9208-refs/branch-heads/5112@{#1309}
OS macOS Version 13.0 (Build 22A5311f)

Test Setup

Created webserver instance via python3 -m http.server 8080, from /Desktop/issue24093.

For the "incorrect {ipfs, ipns} tests", I ensured the following HTML snippets (from HackerOne and @cypt4) don't crash on load:

  • ipfs-crash-test-1.html (dotted-quad IP address)
  • ipfs-crash-test-2.html (empty ipfs:// scheme)
  • ipfs-crash-test-3.html (full IPFS URL)
  • ipfs-crash-test-4.html (redirect testcase)
  • ipfs-crash-test-5.html (empty ipns:// scheme)
  • ipfs-crash-test-6.html (full IPNS URL)

*Encountered the following crash while testing:

IPFS disabled - PASSED*:

Steps:

  1. install 1.43.59
  2. launch Brave
  3. [open a new Private window, if specified]
  4. open the appropriate local HTML testcase(s)

  1. Check iframe with correct ipfs url in normal tab
  2. Check iframe with correct ipfs url in private tab
  3. Check iframe with incorrect ipfs url in normal tab
  4. Check iframe with incorrect ipfs url in private tab
  5. Check iframe with correct ipns url in normal tab
  6. Check iframe with correct ipns url in private tab
  7. Check iframe with incorrect ipns url in normal tab
  8. Check iframe with incorrect ipns url in private tab

IPFS enabled, local node - PASSED*:

Steps:

  1. install 1.43.59
  2. launch Brave
  3. load ipns://ipfs.io
  4. click on Use a Brave local IPFS node
  5. [open a new Private window, if specified]
  6. open the appropriate local HTML testcase(s)

  1. Check iframe with correct ipfs url in normal tab
  2. Check iframe with correct ipfs url in private tab
  3. Check iframe with incorrect ipfs url in normal tab
  4. Check iframe with incorrect ipfs url in private tab
  5. Check iframe with correct ipns url in normal tab
  6. Check iframe with correct ipns url in private tab
  7. Check iframe with incorrect ipns url in normal tab
  8. Check iframe with incorrect ipns url in private tab

IPFS enabled, gateway - PASSED*:

Steps:

  1. install 1.43.59
  2. launch Brave
  3. load ipns://ipfs.io
  4. click on Use a public gateway
  5. opened brave://settings/ipfs and set IPFS public gateway address to https://cf-ipfs.com (it's faster, IMHO)
  6. [open a new Private window, if specified]
  7. open the appropriate local HTML testcase(s)

  1. Check iframe with correct ipfs url in normal tab
  2. Check iframe with correct ipfs url in private tab
  3. Check iframe with incorrect ipfs url in normal tab
  4. Check iframe with incorrect ipfs url in private tab
  5. Check iframe with correct ipns url in normal tab
  6. Check iframe with correct ipns url in private tab
  7. Check iframe with incorrect ipns url in normal tab
  8. Check iframe with incorrect ipns url in private tab

stephendonner added the QA Pass-macOS label and removed the QA/In-Progress label Aug 5, 2022
@stephendonner

I passed this, but we need to uplift #24211; left a comment in brave/brave-core#14313 (comment) to that effect.
