Added ability to whitelist particular functions #122 #123
Conversation
|
This seems reasonable to me, the W3C spec on expression syntax doesn't seem to allow for any opportunities for XSS: https://www.w3.org/TR/css3-values/#calc-notation I'm inclined to merge this in. Will wait a day or two for comment. |
|
+1 hooray for solving the exact problem my team is dealing with right now! |
|
+1 as actually even |
| @@ -137,6 +137,8 @@ module WhiteList | |||
| purple red right solid silver teal top transparent underline white | |||
| yellow] | |||
|
|
|||
| ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc] | |||
There was a problem hiding this comment.
In the light of this comment: #123 (comment) I think this should be extended to cover rgb, rgba, hls, hlsa and probably a bunch more.
There was a problem hiding this comment.
Agreed, but I'd suggest merging in as it is and raising a separate issue for assessing other functions as defaults.
Until this is merged in, users of loofah can't whitelist any themselves.
There was a problem hiding this comment.
Looking at the two weeks this PR has been open, I think it wouldn't hurt to make it completely functional. Whitelisting just calc is very very limited. However, it's your PR, so it's yours and maintainers choice :)
There was a problem hiding this comment.
Whitelisting many functions by default, opens up the gem as being the root cause of sanitization an XSS attack vector which, unless I'm mistaken, could potentially undermine many Rails projects.
The primary concern of this PR is to allow individuals to whitelist functions themselves, that they can assess in their own time.
I'd be quite happy to even remove calc as a default as long as the gem allowed defining ACCEPTABLE_CSS_FUNCTIONS it would fulfil the functionality aim I had.
There was a problem hiding this comment.
Sure, for your use-case this is enough. I'm rather thinking of the bigger picture. Gems like this one only make sense if they whitelist all allowed (according to W3C) tags, attributes, css functions, etc. etc. If you had to define all such lists on your own, this gem would be a major PITA to use. Not to mention it would lose all of its security features as a lot of ppl would whitelist stuff which shouldn't be allowed in the first place.
There was a problem hiding this comment.
Enabling ppl to whitelist to their own demise is exactly what the gem should enable.
Rushing into having a large whitelist could potentially mean undermining the safety of sanitizing strings.
For example if the wrong function is accidently whitelisted, it could mean sanitize(unsafe_html) in all apps running a particular version of Loofah could be targets of a XSS attack.
If each individual is responsible for whitelisting their own functions, it is unlikely that malicious attackers will have a way of identifying the version of Loofah being used through automated testing.
I'm not saying more shouldn't be added to the default function whitelist like the color functions. But before they are, there should be some research done into ways that each function may be used maliciously.
There was a problem hiding this comment.
For reference: https://www.quackit.com/css/functions/ -- all those functions should be added.
There was a problem hiding this comment.
Quick note: at least url() and image() can be used for arbitrary JS code execution and parameter snooping.
They can also be used to snoop URL params by logging all requests via a remote call.
|
Any idea when this PR gets to be merged? @pjg - Wondering if there's any reason why it's still opened. Thanks! |
|
It's up to the maintainers. Personally I would extend the default list by a lot, but even with just one function there the PR is still very useful. |
|
Hello @NikoRoberts , any idea of when this will be merged? Thanks |
|
Pinging again to see if any date is planned for the merge @NikoRoberts |
|
I’m not a maintainer, so have no control over this being merged @ramzizaz |
|
Sorry @NikoRoberts . @flavorjones do you have any timelines for merging this |
|
@flavorjones any update on the merge timing? |
|
@flavorjones any idea on merge timing? |
|
@flavorjones I would love to have this so that my |
|
I'd also love an ETA on this update, thanks a lot 👍 |
|
Happy New Year! @flavorjones |
|
@flavorjones, is there something specific holding up the merge of this PR? |
|
Sorry, been behind on email. Merging. Will plan on cutting a release this weekend. |
|
Planned release is 2.2.0 |
|
Note I've whitelisted |
|
Thanks a lot for the release. I think the version number in the gemspec is still wrong, correct? |
|
@remofritzsche do you mean the fake gemspec that's checked into git? I forget that people still do that. Will bump it. |
|
Please note that upcoming v2.3.0 will whitelist almost all of the CSS3 functions as suggested by @pjg. |
|
@flavorjones is allowing |
|
@NikoRoberts Can you say more? Was planning to allow |
|
I haven’t got any concrete examples of how to do it. |
|
Ah, interesting. I looked into it, and there are a couple of reasons I feel mostly OK about including it:
I'm not at all a CSS expert though, so I would really like to hear from anyone with deeper knowledge on whether it's acceptable to allow There are some interesting opinions expressed on this topic at this SO post: https://stackoverflow.com/questions/26967890/css-set-background-image-by-data-image-attr |
A PR for #122
I'm not 100% on the XSS concerns with enabling calc() by default.