fix: Complete multi-character sanitization #416
Conversation
Thank you for the report and for the PR. Sadly the PR doesn't fix that (potential security) issue, which is not documented publicly.
I reviewed my solution again which indeed does not fix the issue. I checked again how this could be resolved by creating one additional test based on your message. With your given example:
errorHandler.error("end tag name: "+tagName+' is not complete:'+config.tagName); | ||
end = tagStart+1+tagName.length; | ||
}else if(tagName.match(/\s</)){ | ||
tagName = tagName.replace(/[\s<].*/,''); | ||
tagName = tagName.replace(/[\s<].*/g,''); |
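Review bot: adding the `g` flag to `/[\s<].*/` does not address the problem this PR targets, because `end = tagStart+1+tagName.length;` is still computed after `tagName` has been truncated by the replace, so the parser resumes inside the stripped text and re-reads whatever followed the whitespace or `<` as new markup. Compute the length from the unsanitized name before the replace, as the maintainer's comment suggests, and sanitize only the name that is reported in the error message and compared against the open element.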
By calculating the length first, the injection could be prevented.
Snapshot test 'unclosed inner' in simple.test.js will start failing, but while looking into it I'm struggling to understand why the test should work without errors. My expectation would be that it fails with an error.
tagName = tagName.replace(/[\s<].*/g,''); | |
end = tagStart + 2 + tagName.length; | |
tagName = tagName.replace(/[\s<].*/g,''); |
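Review bot: the suggestion is ambiguous as rendered, since the same `tagName = tagName.replace(/[\s<].*/g,'');` line appears both before and after `end = tagStart + 2 + tagName.length;`, and only the ordering where `end` is computed from the still-unsanitized `tagName` achieves the intent. Keep a single replace, placed after the `end` assignment, and note in the commit that `+2` instead of the previous `+1` is what makes `end` land on the closing `>`.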
And we need to shift the index +1 to catch the closing '>'
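The two review comments above, as an added example that is not part of this PR or of xmldom's own code: a reduced model of the incomplete end tag branch, showing why the resume index must be derived from the tag name before the sanitizing replace. It assumes, like the real parser, that the caller continues scanning at `end + 1`, so `end` is expected to index the closing `>`; the function names and the sample input are constructed for this illustration.

```javascript
// Reduced model of the end-tag branch (added example, not xmldom code).
// Assumption: the caller resumes scanning at end + 1, so `end` must index '>'.

// Original ordering: sanitize first, then compute `end` from the shortened
// name. The stripped characters are never consumed, so they are handed back
// to the main loop and re-parsed as markup.
function resumeAfterSanitizeFirst(source, tagStart) {
  const gt = source.indexOf('>', tagStart + 3);
  let tagName = source.substring(tagStart + 2, gt < 0 ? undefined : gt);
  tagName = tagName.replace(/[\s<].*/g, '');
  const end = tagStart + 1 + tagName.length;
  return { tagName, rest: source.substring(end + 1) };
}

// Ordering from the review suggestion: measure the raw name first, shifted
// by +2 so `end` lands on '>', then sanitize only the name that is reported
// and compared against the currently open element.
function resumeAfterMeasureFirst(source, tagStart) {
  const gt = source.indexOf('>', tagStart + 3);
  const raw = source.substring(tagStart + 2, gt < 0 ? undefined : gt);
  const end = tagStart + 2 + raw.length;
  const tagName = raw.replace(/[\s<].*/g, '');
  return { tagName, rest: source.substring(end + 1) };
}

// Constructed sample: an end tag missing its '>' followed by another element.
const SAMPLE = '</a <b>text</b>';

// With the original ordering the remainder still begins with "<b>", so the
// main loop parses it as a new element; with the suggested ordering it does not.
console.log(resumeAfterSanitizeFirst(SAMPLE, 0).rest); // " <b>text</b>"
console.log(resumeAfterMeasureFirst(SAMPLE, 0).rest);  // "text</b>"
```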
Yes, I agree that this support for automatically closing unclosed tags is the culprit.
I don't have the full view of the lib in regards to this breaking change.
Sorry for not replying for such a long time.
Would be good to have this released soon for whelk-io/maven-settings-xml-action#144
@mgerlach @ACN-kck what is the reason for not using the latest version in the linked PR? The reason why I'm asking this is that any fix we can come up with would also be a breaking change, so you will have to update to at least the 0.9.* version. If the effort is not too high it would be awesome to have that CodeQL check as part of the xmldom pipeline.
I have tried to understand the current state of the PR, but I'm not able to relate the code suggestion in the comment to the code that was already committed. I'm also not able to push updates to your branch, I guess you didn't check the box "allow edits by maintainers"? So it looks like I have to replicate your changes in a local branch to better understand them.
Hi @karfau I only jumped onto this because GitHub Actions is complaining about https://github.com/whelk-io/maven-settings-xml-action still using Node.js 12. whelk-io/maven-settings-xml-action#144 would fix that (among other things). I don't know why the PR has xmldom-0.7.0 rather than 0.8.3... @ACN-kck or @zteater, can you please help @karfau?
Previously it was tested as a feature that tags after incomplete closing tags would be part of the dom. The code responsible for this triggered a CodeQL error suspecting that it could lead to injection of a `script` tag. When parsing HTML there is no longer an error being reported, to align the behavior with the one in the browser. BREAKING CHANGE: If your code relied on not well formed XML to be parsed and include subsequent tags, this will no longer work. #416
Previously it was tested as a feature that tags after incomplete closing tags would be part of the dom. The code responsible for this triggered a CodeQL error suspecting that it could lead to injection of a `script` tag. BREAKING CHANGE: It no longer reports an error when parsing HTML containing incomplete closing tags, to align the behavior with the one in the browser. BREAKING CHANGE: If your code relied on not well formed XML to be parsed and include subsequent tags, this will no longer work. #416
Got to know by CodeQL in another project that there is a missing multi-character sanitization.
https://github.com/whelk-io/maven-settings-xml-action/pull/144/files#diff-3d2b59189eeedc2d428ddd632e97658fe310f587f7cb63b01f9b98ffc11c0197R909