colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into release

This commit is contained in:
Dan Brown 2020-10-31 16:51:54 +00:00
parent 94c59c1e3d 6d8b0605a0
commit 3dc3d4a639
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
9 changed files with 166 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
app/Entities/Managers/PageContent.php
View File

@ -296,6 +296,24 @@ class PageContent
$scriptElem->parentNode->removeChild($scriptElem); $scriptElem->parentNode->removeChild($scriptElem);
} }
// Remove clickable links to JavaScript URI
$badLinks = $xPath->query('//*[contains(@href, \'javascript:\')]');
foreach ($badLinks as $badLink) {
$badLink->parentNode->removeChild($badLink);
}
// Remove forms with calls to JavaScript URI
$badForms = $xPath->query('//*[contains(@action, \'javascript:\')] | //*[contains(@formaction, \'javascript:\')]');
foreach ($badForms as $badForm) {
$badForm->parentNode->removeChild($badForm);
}
// Remove meta tag to prevent external redirects
$metaTags = $xPath->query('//meta[contains(@content, \'url\')]');
foreach ($metaTags as $metaTag) {
$metaTag->parentNode->removeChild($metaTag);
}
// Remove data or JavaScript iFrames // Remove data or JavaScript iFrames
$badIframes = $xPath->query('//*[contains(@src, \'data:\')] | //*[contains(@src, \'javascript:\')] | //*[@srcdoc]'); $badIframes = $xPath->query('//*[contains(@src, \'data:\')] | //*[contains(@src, \'javascript:\')] | //*[@srcdoc]');
foreach ($badIframes as $badIframe) { foreach ($badIframes as $badIframe) {

6
app/Http/Controllers/AttachmentController.php
View File

@ -110,7 +110,7 @@ class AttachmentController extends Controller
try { try {
$this->validate($request, [ $this->validate($request, [
'attachment_edit_name' => 'required|string|min:1|max:255', 'attachment_edit_name' => 'required|string|min:1|max:255',
'attachment_edit_url' => 'string|min:1|max:255' 'attachment_edit_url' => 'string|min:1|max:255|safe_url'
]); ]);
} catch (ValidationException $exception) { } catch (ValidationException $exception) {
return response()->view('attachments.manager-edit-form', array_merge($request->only(['attachment_edit_name', 'attachment_edit_url']), [ return response()->view('attachments.manager-edit-form', array_merge($request->only(['attachment_edit_name', 'attachment_edit_url']), [
@ -145,7 +145,7 @@ class AttachmentController extends Controller
$this->validate($request, [ $this->validate($request, [
'attachment_link_uploaded_to' => 'required|integer|exists:pages,id', 'attachment_link_uploaded_to' => 'required|integer|exists:pages,id',
'attachment_link_name' => 'required|string|min:1|max:255', 'attachment_link_name' => 'required|string|min:1|max:255',
'attachment_link_url' => 'required|string|min:1|max:255' 'attachment_link_url' => 'required|string|min:1|max:255|safe_url'
]); ]);
} catch (ValidationException $exception) { } catch (ValidationException $exception) {
return response()->view('attachments.manager-link-form', array_merge($request->only(['attachment_link_name', 'attachment_link_url']), [ return response()->view('attachments.manager-link-form', array_merge($request->only(['attachment_link_name', 'attachment_link_url']), [
@ -161,7 +161,7 @@ class AttachmentController extends Controller
$attachmentName = $request->get('attachment_link_name'); $attachmentName = $request->get('attachment_link_name');
$link = $request->get('attachment_link_url'); $link = $request->get('attachment_link_url');
$attachment = $this->attachmentService->saveNewFromLink($attachmentName, $link, $pageId); $attachment = $this->attachmentService->saveNewFromLink($attachmentName, $link, intval($pageId));
return view('attachments.manager-link-form', [ return view('attachments.manager-link-form', [
'pageId' => $pageId, 'pageId' => $pageId,

7
app/Providers/AppServiceProvider.php
View File

@ -43,6 +43,13 @@ class AppServiceProvider extends ServiceProvider
return substr_count($uploadName, '.') < 2; return substr_count($uploadName, '.') < 2;
}); });
Validator::extend('safe_url', function ($attribute, $value, $parameters, $validator) {
$cleanLinkName = strtolower(trim($value));
$isJs = strpos($cleanLinkName, 'javascript:') === 0;
$isData = strpos($cleanLinkName, 'data:') === 0;
return !$isJs && !$isData;
});
// Custom blade view directives // Custom blade view directives
Blade::directive('icon', function ($expression) { Blade::directive('icon', function ($expression) {
return "<?php echo icon($expression); ?>"; return "<?php echo icon($expression); ?>";

13
app/Uploads/AttachmentService.php
View File

@ -88,12 +88,8 @@ class AttachmentService extends UploadService
/** /**
* Save a new File attachment from a given link and name. * Save a new File attachment from a given link and name.
* @param string $name
* @param string $link
* @param int $page_id
* @return Attachment
*/ */
public function saveNewFromLink($name, $link, $page_id) public function saveNewFromLink(string $name, string $link, int $page_id): Attachment
{ {
$largestExistingOrder = Attachment::where('uploaded_to', '=', $page_id)->max('order'); $largestExistingOrder = Attachment::where('uploaded_to', '=', $page_id)->max('order');
return Attachment::forceCreate([ return Attachment::forceCreate([
@ -123,13 +119,11 @@ class AttachmentService extends UploadService
/** /**
* Update the details of a file. * Update the details of a file.
* @param Attachment $attachment
* @param $requestData
* @return Attachment
*/ */
public function updateFile(Attachment $attachment, $requestData) public function updateFile(Attachment $attachment, array $requestData): Attachment
{ {
$attachment->name = $requestData['name']; $attachment->name = $requestData['name'];
if (isset($requestData['link']) && trim($requestData['link']) !== '') { if (isset($requestData['link']) && trim($requestData['link']) !== '') {
$attachment->path = $requestData['link']; $attachment->path = $requestData['link'];
if (!$attachment->external) { if (!$attachment->external) {
@ -137,6 +131,7 @@ class AttachmentService extends UploadService
$attachment->external = true; $attachment->external = true;
} }
} }
$attachment->save(); $attachment->save();
return $attachment; return $attachment;
} }

2
dev/docker/entrypoint.node.sh
View File

@ -5,4 +5,4 @@ set -e
npm install npm install
npm rebuild node-sass npm rebuild node-sass
exec npm run watch SHELL=/bin/sh exec npm run watch

2
package.json
View File

@ -5,7 +5,7 @@
"build:css:watch": "sass ./resources/sass:./public/dist --watch", "build:css:watch": "sass ./resources/sass:./public/dist --watch",
"build:css:production": "sass ./resources/sass:./public/dist -s compressed", "build:css:production": "sass ./resources/sass:./public/dist -s compressed",
"build:js:dev": "esbuild --bundle ./resources/js/index.js --outfile=public/dist/app.js --sourcemap --target=es2019 --main-fields=module,main", "build:js:dev": "esbuild --bundle ./resources/js/index.js --outfile=public/dist/app.js --sourcemap --target=es2019 --main-fields=module,main",
"build:js:watch": "chokidar \"./resources/**/*.js\" -c \"npm run build:js:dev\"", "build:js:watch": "chokidar --initial \"./resources/**/*.js\" -c \"npm run build:js:dev\"",
"build:js:production": "NODE_ENV=production esbuild --bundle ./resources/js/index.js --outfile=public/dist/app.js --sourcemap --target=es2019 --main-fields=module,main --minify", "build:js:production": "NODE_ENV=production esbuild --bundle ./resources/js/index.js --outfile=public/dist/app.js --sourcemap --target=es2019 --main-fields=module,main --minify",
"build": "npm-run-all --parallel build:*:dev", "build": "npm-run-all --parallel build:*:dev",
"production": "npm-run-all --parallel build:*:production", "production": "npm-run-all --parallel build:*:production",

1
resources/lang/en/validation.php
View File

@ -90,6 +90,7 @@ return [
'required_without' => 'The :attribute field is required when :values is not present.', 'required_without' => 'The :attribute field is required when :values is not present.',
'required_without_all' => 'The :attribute field is required when none of :values are present.', 'required_without_all' => 'The :attribute field is required when none of :values are present.',
'same' => 'The :attribute and :other must match.', 'same' => 'The :attribute and :other must match.',
'safe_url' => 'The provided link may not be safe.',
'size' => [ 'size' => [
'numeric' => 'The :attribute must be :size.', 'numeric' => 'The :attribute must be :size.',
'file' => 'The :attribute must be :size kilobytes.', 'file' => 'The :attribute must be :size kilobytes.',

66
tests/Entity/PageContentTest.php
View File

@ -159,6 +159,72 @@ class PageContentTest extends TestCase
} }
public function test_javascript_uri_links_are_removed()
{
$checks = [
'<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
'<a id="xss" href="javascript: alert(document.cookie)>Click me</a>'
];
$this->asEditor();
$page = Page::first();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertElementNotContains('.page-content', '<a id="xss">');
$pageView->assertElementNotContains('.page-content', 'href=javascript:');
}
}
public function test_form_actions_with_javascript_are_removed()
{
$checks = [
'<form><input id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><input></form>',
'<form ><button id="xss" formaction=javascript:alert(document.domain)>Click me</button></form>',
'<form id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></form>'
];
$this->asEditor();
$page = Page::first();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertElementNotContains('.page-content', '<button id="xss"');
$pageView->assertElementNotContains('.page-content', '<input id="xss"');
$pageView->assertElementNotContains('.page-content', '<form id="xss"');
$pageView->assertElementNotContains('.page-content', 'action=javascript:');
$pageView->assertElementNotContains('.page-content', 'formaction=javascript:');
}
}
public function test_metadata_redirects_are_removed()
{
$checks = [
'<meta http-equiv="refresh" content="0; url=//external_url">',
];
$this->asEditor();
$page = Page::first();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertElementNotContains('.page-content', '<meta>');
$pageView->assertElementNotContains('.page-content', '</meta>');
$pageView->assertElementNotContains('.page-content', 'content=');
$pageView->assertElementNotContains('.page-content', 'external_url');
}
}
public function test_page_inline_on_attributes_removed_by_default() public function test_page_inline_on_attributes_removed_by_default()
{ {
$this->asEditor(); $this->asEditor();

84
tests/Uploads/AttachmentTest.php
View File

@ -3,39 +3,51 @@
use BookStack\Uploads\Attachment; use BookStack\Uploads\Attachment;
use BookStack\Entities\Page; use BookStack\Entities\Page;
use BookStack\Auth\Permissions\PermissionService; use BookStack\Auth\Permissions\PermissionService;
use BookStack\Uploads\AttachmentService;
use Illuminate\Http\UploadedFile;
use Tests\TestCase; use Tests\TestCase;
use Tests\TestResponse;
class AttachmentTest extends TestCase class AttachmentTest extends TestCase
{ {
/** /**
* Get a test file that can be uploaded * Get a test file that can be uploaded
* @param $fileName
* @return \Illuminate\Http\UploadedFile
*/ */
protected function getTestFile($fileName) protected function getTestFile(string $fileName): UploadedFile
{ {
return new \Illuminate\Http\UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', 55, null, true); return new UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', 55, null, true);
} }
/** /**
* Uploads a file with the given name. * Uploads a file with the given name.
* @param $name
* @param int $uploadedTo
* @return \Illuminate\Foundation\Testing\TestResponse
*/ */
protected function uploadFile($name, $uploadedTo = 0) protected function uploadFile(string $name, int $uploadedTo = 0): \Illuminate\Foundation\Testing\TestResponse
{ {
$file = $this->getTestFile($name); $file = $this->getTestFile($name);
return $this->call('POST', '/attachments/upload', ['uploaded_to' => $uploadedTo], [], ['file' => $file], []); return $this->call('POST', '/attachments/upload', ['uploaded_to' => $uploadedTo], [], ['file' => $file], []);
} }
/**
* Create a new attachment
*/
protected function createAttachment(Page $page): Attachment
{
$this->post('attachments/link', [
'attachment_link_url' => 'https://example.com',
'attachment_link_name' => 'Example Attachment Link',
'attachment_link_uploaded_to' => $page->id,
]);
return Attachment::query()->latest()->first();
}
/** /**
* Delete all uploaded files. * Delete all uploaded files.
* To assist with cleanup. * To assist with cleanup.
*/ */
protected function deleteUploads() protected function deleteUploads()
{ {
$fileService = $this->app->make(\BookStack\Uploads\AttachmentService::class); $fileService = $this->app->make(AttachmentService::class);
foreach (Attachment::all() as $file) { foreach (Attachment::all() as $file) {
$fileService->deleteFile($file); $fileService->deleteFile($file);
} }
@ -145,21 +157,14 @@ class AttachmentTest extends TestCase
$page = Page::first(); $page = Page::first();
$this->asAdmin(); $this->asAdmin();
$this->call('POST', 'attachments/link', [ $attachment = $this->createAttachment($page);
'attachment_link_url' => 'https://example.com', $update = $this->call('PUT', 'attachments/' . $attachment->id, [
'attachment_link_name' => 'Example Attachment Link',
'attachment_link_uploaded_to' => $page->id,
]);
$attachmentId = Attachment::first()->id;
$update = $this->call('PUT', 'attachments/' . $attachmentId, [
'attachment_edit_name' => 'My new attachment name', 'attachment_edit_name' => 'My new attachment name',
'attachment_edit_url' => 'https://test.example.com' 'attachment_edit_url' => 'https://test.example.com'
]); ]);
$expectedData = [ $expectedData = [
'id' => $attachmentId, 'id' => $attachment->id,
'path' => 'https://test.example.com', 'path' => 'https://test.example.com',
'name' => 'My new attachment name', 'name' => 'My new attachment name',
'uploaded_to' => $page->id 'uploaded_to' => $page->id
@ -242,4 +247,45 @@ class AttachmentTest extends TestCase
$this->deleteUploads(); $this->deleteUploads();
} }
public function test_data_and_js_links_cannot_be_attached_to_a_page()
{
$page = Page::first();
$this->asAdmin();
$badLinks = [
'javascript:alert("bunny")',
' javascript:alert("bunny")',
'JavaScript:alert("bunny")',
"\t\n\t\nJavaScript:alert(\"bunny\")",
"data:text/html;<a></a>",
"Data:text/html;<a></a>",
"Data:text/html;<a></a>",
];
foreach ($badLinks as $badLink) {
$linkReq = $this->post('attachments/link', [
'attachment_link_url' => $badLink,
'attachment_link_name' => 'Example Attachment Link',
'attachment_link_uploaded_to' => $page->id,
]);
$linkReq->assertStatus(422);
$this->assertDatabaseMissing('attachments', [
'path' => $badLink,
]);
}
$attachment = $this->createAttachment($page);
foreach ($badLinks as $badLink) {
$linkReq = $this->put('attachments/' . $attachment->id, [
'attachment_edit_url' => $badLink,
'attachment_edit_name' => 'Example Attachment Link',
]);
$linkReq->assertStatus(422);
$this->assertDatabaseMissing('attachments', [
'path' => $badLink,
]);
}
}
} }