[BUGFIX beta] Sanitize Href attribute values.

rwjblue · rwjblue · commit 724142b1a471 · 2014-12-23T13:21:40.000-05:00
diff --git a/packages/ember-handlebars/lib/helpers/bind_attr.js b/packages/ember-handlebars/lib/helpers/bind_attr.js
@@ -13,6 +13,8 @@ import { forEach } from "ember-metal/array";
 import View from "ember-views/views/view";
 import keys from "ember-metal/keys";
 
+import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";
+
 var helpers = EmberHandlebars.helpers;
 var SafeString = EmberHandlebars.SafeString;
 
@@ -178,6 +180,7 @@ function bindAttrHelper(options) {
 
     var lazyValue = view.getStream(path);
     var value = lazyValue.value();
+    value = sanitizeAttributeValue(null, attr, value);
     var type = typeOf(value);
 
     Ember.assert(fmt("Attributes must be numbers, strings or booleans, not %@", [value]), 
diff --git a/packages/ember-htmlbars/lib/attr_nodes.js b/packages/ember-htmlbars/lib/attr_nodes.js
@@ -6,15 +6,18 @@
 import QuotedAttrNode from "ember-htmlbars/attr_nodes/quoted";
 import UnquotedAttrNode from "ember-htmlbars/attr_nodes/unquoted";
 import UnquotedNonpropertyAttrNode from "ember-htmlbars/attr_nodes/unquoted_nonproperty";
+import HrefAttrNode from "ember-htmlbars/attr_nodes/href";
 import { create as o_create } from "ember-metal/platform";
 import { normalizeProperty } from "ember-htmlbars/attr_nodes/utils";
 
 var svgNamespaceURI = 'http://www.w3.org/2000/svg';
 
 var unquotedAttrNodeTypes = o_create(null);
 unquotedAttrNodeTypes['class'] = UnquotedNonpropertyAttrNode;
+unquotedAttrNodeTypes['href'] = HrefAttrNode;
 
 var quotedAttrNodeTypes = o_create(null);
+quotedAttrNodeTypes['href'] = HrefAttrNode;
 
 export default function attrNodeTypeFor(attrName, element, quoted) {
   var result;
diff --git a/packages/ember-htmlbars/lib/attr_nodes/href.js b/packages/ember-htmlbars/lib/attr_nodes/href.js
@@ -0,0 +1,24 @@
+/**
+@module ember
+@submodule ember-htmlbars
+*/
+
+import SimpleAttrNode from "./simple";
+import { create as o_create } from "ember-metal/platform";
+import { chainStream, read } from "ember-metal/streams/utils";
+import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";
+
+function HrefAttrNode(element, attrName, attrValue, dom) {
+  var sanitizedValue = chainStream(attrValue, function(){
+    var unsafeValue = read(attrValue);
+    var safeValue = sanitizeAttributeValue(element, attrName, unsafeValue);
+
+    return safeValue;
+  });
+
+  this.init(element, attrName, sanitizedValue, dom);
+}
+
+HrefAttrNode.prototype = o_create(SimpleAttrNode.prototype);
+
+export default HrefAttrNode;
diff --git a/packages/ember-htmlbars/lib/helpers/bind-attr.js b/packages/ember-htmlbars/lib/helpers/bind-attr.js
@@ -8,6 +8,7 @@ import Ember from "ember-metal/core"; // Ember.assert
 import { fmt } from "ember-runtime/system/string";
 import QuotedAttrNode from "ember-htmlbars/attr_nodes/quoted";
 import LegacyBindAttrNode from "ember-htmlbars/attr_nodes/legacy_bind";
+import HrefAttrNode from "ember-htmlbars/attr_nodes/href";
 import keys from "ember-metal/keys";
 import helpers from "ember-htmlbars/helpers";
 import { map } from 'ember-metal/enumerable_utils';
@@ -177,7 +178,11 @@ function bindAttrHelper(params, hash, options, env) {
       );
       lazyValue = view.getStream(path);
     }
-    new LegacyBindAttrNode(element, attr, lazyValue, env.dom);
+    if (attr === 'href') {
+      new HrefAttrNode(element, attr, lazyValue, env.dom);
+    } else {
+      new LegacyBindAttrNode(element, attr, lazyValue, env.dom);
+    }
   }
 }
 
diff --git a/packages/ember-htmlbars/lib/hooks/attribute.js b/packages/ember-htmlbars/lib/hooks/attribute.js
@@ -6,6 +6,7 @@
 import attrNodeTypeFor from "ember-htmlbars/attr_nodes";
 import EmberError from "ember-metal/error";
 import { isStream } from "ember-metal/streams/utils";
+import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";
 
 var boundAttributesEnabled = false;
 
@@ -21,7 +22,8 @@ export default function attribute(element, attrName, quoted, view, attrValue, op
     if (isStream(attrValue)) {
       throw new EmberError('Bound attributes are not yet supported in Ember.js');
     } else {
-      env.dom.setAttribute(element, attrName, attrValue);
+      var sanitizedValue = sanitizeAttributeValue(element, attrName, attrValue);
+      env.dom.setAttribute(element, attrName, sanitizedValue);
     }
   }
 }
diff --git a/packages/ember-htmlbars/tests/attr_nodes/href_test.js b/packages/ember-htmlbars/tests/attr_nodes/href_test.js
@@ -1,7 +1,10 @@
+/* jshint scripturl:true */
+
 import EmberView from "ember-views/views/view";
 import run from "ember-metal/run_loop";
 import compile from "ember-template-compiler/system/compile";
 import { equalInnerHTML } from "htmlbars-test-helpers";
+import { SafeString } from "ember-htmlbars/utils/string";
 
 var view;
 
@@ -30,4 +33,48 @@ test("href is set", function() {
                  "attribute is output");
 });
 
+test("href is sanitized when using blacklisted protocol", function() {
+  view = EmberView.create({
+    context: {url: 'javascript://example.com'},
+    template: compile("<a href={{url}}></a>")
+  });
+  appendView(view);
+
+  equalInnerHTML(view.element, '<a href="unsafe:javascript://example.com"></a>',
+                 "attribute is output");
+});
+
+test("href is sanitized when using quoted non-whitelisted protocol", function() {
+  view = EmberView.create({
+    context: {url: 'javascript://example.com'},
+    template: compile("<a href='{{url}}'></a>")
+  });
+  appendView(view);
+
+  equalInnerHTML(view.element, '<a href="unsafe:javascript://example.com"></a>',
+                 "attribute is output");
+});
+
+test("href is not sanitized when using non-whitelisted protocol with a SafeString", function() {
+  view = EmberView.create({
+    context: {url: new SafeString('javascript://example.com')},
+    template: compile("<a href={{url}}></a>")
+  });
+  appendView(view);
+
+  equalInnerHTML(view.element, '<a href="javascript://example.com"></a>',
+                 "attribute is output");
+});
+
+test("href is sanitized when using quoted+concat non-whitelisted protocol", function() {
+  view = EmberView.create({
+    context: {protocol: 'javascript:', path: '//example.com'},
+    template: compile("<a href='{{protocol}}{{path}}'></a>")
+  });
+  appendView(view);
+
+  equalInnerHTML(view.element, '<a href="unsafe:javascript://example.com"></a>',
+                 "attribute is output");
+});
+
 }
diff --git a/packages/ember-htmlbars/tests/helpers/bind_attr_test.js b/packages/ember-htmlbars/tests/helpers/bind_attr_test.js
@@ -15,6 +15,7 @@ import { equalInnerHTML } from "htmlbars-test-helpers";
 
 import helpers from "ember-htmlbars/helpers";
 import compile from "ember-template-compiler/system/compile";
+import { SafeString } from "ember-htmlbars/utils/string";
 
 var view;
 
@@ -529,3 +530,52 @@ test("property before didInsertElement", function() {
   runAppend(view);
   equal(matchingElement.length, 1, 'element is in the DOM when didInsertElement');
 });
+
+test("XSS - should not bind unsafe href values", function() {
+  /* jshint scripturl:true */
+
+  view = EmberView.create({
+    template: compile('<a {{bind-attr href=view.badValue}}>wat</a>'),
+    badValue: "javascript:(function() { window.bar = 'NOOOOOOOOO!!!!!!!';})();"
+  });
+
+  runAppend(view);
+
+  var element = view.$('a')[0];
+
+  notEqual(element.protocol, 'javascript:');
+});
+
+test("XSS - should not bind unsafe href values on rerender", function() {
+  /* jshint scripturl:true */
+
+  view = EmberView.create({
+    template: compile('<a {{bind-attr href=view.badValue}}>wat</a>'),
+    badValue: "/sunshine/and/rainbows"
+  });
+
+  runAppend(view);
+
+  var element = view.$('a')[0];
+
+  notEqual(element.protocol, 'javascript:', 'precond - badValue is normal');
+
+  run(view, 'set', 'badValue', 'javascript:alert("XSS")');
+
+  notEqual(element.protocol, 'javascript:');
+});
+
+test("should bind unsafe href values if they are SafeString", function() {
+  /* jshint scripturl:true */
+
+  view = EmberView.create({
+    template: compile('<a {{bind-attr href=view.badValue}}>wat</a>'),
+    badValue: new SafeString("javascript:(function() { window.bar = 'NOOOOOOOOO!!!!!!!';})();")
+  });
+
+  runAppend(view);
+
+  var element = view.$('a')[0];
+
+  equal(element.protocol, 'javascript:');
+});
diff --git a/packages/ember-htmlbars/tests/helpers/unbound_test.js b/packages/ember-htmlbars/tests/helpers/unbound_test.js
@@ -69,6 +69,36 @@ test('it should throw the helper missing error if multiple properties are provid
   }, EmberError);
 });
 
+test('should property escape unsafe hrefs', function() {
+  /* jshint scripturl:true */
+
+  expect(3);
+
+  runDestroy(view);
+
+  view = EmberView.create({
+    template: compile('<ul>{{#each person in view.people}}<a href="{{unbound person.url}}">{{person.name}}</a>{{/each}}</ul>'),
+    people: A([{
+      name: 'Bob',
+      url: 'javascript:bob-is-cool'
+    }, {
+      name: 'James',
+      url: 'vbscript:james-is-cool'
+    }, {
+      name: 'Richard',
+      url: 'javascript:richard-is-cool'
+    }])
+  });
+
+  runAppend(view);
+
+  var links = view.$('a');
+  for (var i = 0, l = links.length; i < l; i++) {
+    var link = links[i];
+    equal(link.protocol, 'unsafe:', 'properly escaped');
+  }
+});
+
 QUnit.module("ember-htmlbars: {{#unbound boundHelper arg1 arg2... argN}} form: render unbound helper invocations", {
   setup: function() {
     Ember.lookup = lookup = { Ember: Ember };
diff --git a/packages/ember-views/lib/system/sanitize_attribute_value.js b/packages/ember-views/lib/system/sanitize_attribute_value.js
@@ -0,0 +1,35 @@
+/* jshint scripturl:true */
+
+var parsingNode;
+var badProtocols = {
+  'javascript:': true,
+  'vbscript:': true
+};
+
+export default function sanitizeAttributeValue(element, attribute, value) {
+  var tagName;
+
+  if (!parsingNode) {
+    parsingNode = document.createElement('a');
+  }
+
+  if (!element) {
+    tagName = null;
+  } else {
+    tagName = element.tagName;
+  }
+
+  if (value && value.toHTML) {
+    return value.toHTML();
+  }
+
+  if ((tagName === null || tagName === 'A') && attribute === 'href') {
+    parsingNode.href = value;
+
+    if (badProtocols[parsingNode.protocol] === true) {
+      return 'unsafe:' + value;
+    }
+  }
+
+  return value;
+}
diff --git a/packages/ember-views/lib/views/view.js b/packages/ember-views/lib/views/view.js
@@ -55,6 +55,7 @@ import {
   read,
   isStream
 } from "ember-metal/streams/utils";
+import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";
 
 function K() { return this; }
 
@@ -2193,7 +2194,8 @@ View.views = {};
 View.childViewsProperty = childViewsProperty;
 
 // Used by Handlebars helpers, view element attributes
-View.applyAttributeBindings = function(elem, name, value) {
+View.applyAttributeBindings = function(elem, name, initialValue) {
+  var value = sanitizeAttributeValue(elem[0], name, initialValue);
   var type = typeOf(value);
 
   // if this changes, also change the logic in ember-handlebars/lib/helpers/binding.js
diff --git a/packages/ember-views/tests/system/sanitize_attribute_value_test.js b/packages/ember-views/tests/system/sanitize_attribute_value_test.js
@@ -0,0 +1,54 @@
+import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";
+import { SafeString } from "ember-htmlbars/utils/string";
+
+QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
+
+var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
+
+for (var i = 0, l = goodProtocols.length; i < l; i++) {
+  buildProtocolTest(goodProtocols[i]);
+}
+
+function buildProtocolTest(protocol) {
+  test('allows ' + protocol + ' protocol when element is not provided', function() {
+    expect(1);
+
+    var expected = protocol + '://foo.com';
+    var actual = sanitizeAttributeValue(null, 'href', expected);
+
+    equal(actual, expected, 'protocol not escaped');
+  });
+}
+
+test('blocks javascript: protocol', function() {
+  /* jshint scripturl:true */
+
+  expect(1);
+
+  var expected = 'javascript:alert("foo")';
+  var actual = sanitizeAttributeValue(null, 'href', expected);
+
+  equal(actual, 'unsafe:' + expected, 'protocol escaped');
+});
+
+test('blocks blacklisted protocols', function() {
+  /* jshint scripturl:true */
+
+  expect(1);
+
+  var expected = 'javascript:alert("foo")';
+  var actual = sanitizeAttributeValue(null, 'href', expected);
+
+  equal(actual, 'unsafe:' + expected, 'protocol escaped');
+});
+
+test('does not block SafeStrings', function() {
+  /* jshint scripturl:true */
+
+  expect(1);
+
+  var expected = 'javascript:alert("foo")';
+  var actual = sanitizeAttributeValue(null, 'href', new SafeString(expected));
+
+  equal(actual, expected, 'protocol unescaped');
+});
diff --git a/packages/ember-views/tests/views/view/attribute_bindings_test.js b/packages/ember-views/tests/views/view/attribute_bindings_test.js
@@ -2,6 +2,7 @@ import Ember from "ember-metal/core";
 import run from "ember-metal/run_loop";
 import { observersFor } from "ember-metal/observer";
 import { changeProperties } from "ember-metal/property_events";
+import { SafeString } from "ember-htmlbars/utils/string";
 
 import EmberView from "ember-views/views/view";
 
@@ -301,3 +302,22 @@ test("asserts if an attributeBinding is setup on class", function() {
     appendView();
   }, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
 });
+
+test("blacklists href bindings based on protocol", function() {
+  /* jshint scripturl:true */
+
+  view = EmberView.create({
+    attributeBindings: ['href'],
+    href: "javascript:alert('foo')"
+  });
+
+  appendView();
+
+  equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
+
+  run(function() {
+    view.set('href', new SafeString(view.get('href')));
+  });
+
+  equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
+});

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import Ember from "ember-metal/core"; // Ember.assert`
`8`	`8`	`import { fmt } from "ember-runtime/system/string";`
`9`	`9`	`import QuotedAttrNode from "ember-htmlbars/attr_nodes/quoted";`
`10`	`10`	`import LegacyBindAttrNode from "ember-htmlbars/attr_nodes/legacy_bind";`
	`11`	`+import HrefAttrNode from "ember-htmlbars/attr_nodes/href";`
`11`	`12`	`import keys from "ember-metal/keys";`
`12`	`13`	`import helpers from "ember-htmlbars/helpers";`
`13`	`14`	`import { map } from 'ember-metal/enumerable_utils';`
`@@ -177,7 +178,11 @@ function bindAttrHelper(params, hash, options, env) {`
`177`	`178`	`);`
`178`	`179`	`lazyValue = view.getStream(path);`
`179`	`180`	`}`
`180`		`- new LegacyBindAttrNode(element, attr, lazyValue, env.dom);`
	`181`	`+ if (attr === 'href') {`
	`182`	`+ new HrefAttrNode(element, attr, lazyValue, env.dom);`
	`183`	`+ } else {`
	`184`	`+ new LegacyBindAttrNode(element, attr, lazyValue, env.dom);`
	`185`	`+ }`
`181`	`186`	`}`
`182`	`187`	`}`
`183`	`188`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`	`import attrNodeTypeFor from "ember-htmlbars/attr_nodes";`
`7`	`7`	`import EmberError from "ember-metal/error";`
`8`	`8`	`import { isStream } from "ember-metal/streams/utils";`
	`9`	`+import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";`
`9`	`10`
`10`	`11`	`var boundAttributesEnabled = false;`
`11`	`12`
`@@ -21,7 +22,8 @@ export default function attribute(element, attrName, quoted, view, attrValue, op`
`21`	`22`	`if (isStream(attrValue)) {`
`22`	`23`	`throw new EmberError('Bound attributes are not yet supported in Ember.js');`
`23`	`24`	`} else {`
`24`		`- env.dom.setAttribute(element, attrName, attrValue);`
	`25`	`+ var sanitizedValue = sanitizeAttributeValue(element, attrName, attrValue);`
	`26`	`+ env.dom.setAttribute(element, attrName, sanitizedValue);`
`25`	`27`	`}`
`26`	`28`	`}`
`27`	`29`	`}`