fix: Complete multi-character sanitization #416
Conversation
ACN-kck
changed the title
|
Thank you for the report and for the PR. Sadly the PR doesn't fix that (potential security) issue, which is not documented publicly. |
I reviewed my solution again which indeed does not fix the issue. I checked again how this could be resolved by creating one additional test based on your message. With your given example: |
| errorHandler.error("end tag name: "+tagName+' is not complete:'+config.tagName); | ||
| end = tagStart+1+tagName.length; | ||
| }else if(tagName.match(/\s</)){ | ||
| tagName = tagName.replace(/[\s<].*/,''); | ||
| tagName = tagName.replace(/[\s<].*/g,''); |
There was a problem hiding this comment.
By calculating the length first, the injection could be prevented.
Snapshot test 'unclosed inner' in simple.test.js will start failing, but while looking into it I'm struggling to understand why the test should work without errors. My expectation would be that it fails with an error.
| tagName = tagName.replace(/[\s<].*/g,''); | |
| end = tagStart + 2 + tagName.length; | |
| tagName = tagName.replace(/[\s<].*/g,''); |
There was a problem hiding this comment.
And we need to shift the index +1 to catch the closing '>'
|
Yes, I agree that this support for automatically closing unclosed tags is the culprit. |
I'm not having the full view on the lib in regards to this breaking change. |
|
Sorry for not replying for such a long time. |
karfau
added
needs investigation
|
Would be good to have this released soon for whelk-io/maven-settings-xml-action#144 |
|
@mgerlach @ACN-kck what is the reason for not using the latest version in the linked PR? The reason why I'm asking this is that any fx we can come up with, would also be a breaking change, so you will have to update to at least 0.9.* version. If the effort is not to high it would be awesome to have that CodeQL check as part of the xmldom pipeline. |
|
I have tried to understand the current state of the PR, but I'm not able to relate the code suggestion in the comment to the code that was already commited. I'm also not able to push updates to your branch, I guess you didn't check the box "allow edits by maintainers"? So it looks like I have to replicate you changes in a local branch to better understand them. |
|
Hi @karfau I only jumped onto this because GitHub Actions is complaining about https://github.com/whelk-io/maven-settings-xml-action still using Node.js 12. whelk-io/maven-settings-xml-action#144 would fix that (among other things). I don't know why the PR has xmldom-0.7.0 rather than 0.8.3... @ACN-kck or @zteater, can you please help @karfau? |
Previously it was tested as a feature, that tags after incomplete closing tags would be part of the dom. The code responsible for this triggered a CodeQL error suspecting that it could lead to injection of a `script` tag. When parsing HTML there no longer an error being reported to align the behavior with the one in the browser. BREAKING CHANGE: If your code relied on not well formed XML to be parsed and include subsequent tags, this will no longer work. #416
Previously it was tested as a feature, that tags after incomplete closing tags would be part of the dom. The code responsible for this triggered a CodeQL error suspecting that it could lead to injection of a `script` tag. BREAKING CHANGE: It no longer reports an error when parsing HTML containing incomplete closing tags, to align the behavior with the one in the browser. BREAKING CHANGE: If your code relied on not well formed XML to be parsed and include subsequent tags, this will no longer work. #416
Go to know by CodeQL in another project, that there is a missing multi-character sanitization.
https://github.com/whelk-io/maven-settings-xml-action/pull/144/files#diff-3d2b59189eeedc2d428ddd632e97658fe310f587f7cb63b01f9b98ffc11c0197R909