mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-24 19:07:20 +03:00
Content Filtering: Covered new config options and filters with tests
This commit is contained in:
Dan Brown
@@ -42,17 +42,17 @@ return [
|
||||
// Even when overridden the WYSIWYG editor may still escape script content.
|
||||
'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
|
||||
|
||||
// Control the behaviour of page content filtering.
|
||||
// Control the behaviour of content filtering, primarily used for page content.
|
||||
// This setting is a collection of characters which represent different available filters:
|
||||
// - j - Filter out JavaScript based content
|
||||
// - h - Filter out unexpected, potentially dangerous, HTML elements
|
||||
// - j - Filter out JavaScript and unknown binary data based content
|
||||
// - h - Filter out unexpected, and potentially dangerous, HTML elements
|
||||
// - f - Filter out unexpected form elements
|
||||
// - a - Run content through a more complex allow-list filter
|
||||
// This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
|
||||
// Note: These filters are a best attempt, and may not be 100% effective. They are typically a layer used in addition to other security measures.
|
||||
// TODO - Add to example env
|
||||
// TODO - Remove allow_content_scripts option above
|
||||
'content_filtering' => env('CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jfha'),
|
||||
'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
|
||||
|
||||
// Allow server-side fetches to be performed to potentially unknown
|
||||
// and user-provided locations. Primarily used in exports when loading
|
||||
|
||||
@@ -341,7 +341,8 @@ class PageContent
|
||||
$contentId = $this->page->id;
|
||||
$contentTime = $this->page->updated_at?->timestamp ?? time();
|
||||
$appVersion = AppVersion::get();
|
||||
return "page-content-cache::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
|
||||
$filterConfig = config('app.content_filtering') ?? '';
|
||||
return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -34,6 +34,7 @@
|
||||
<server name="AUTH_AUTO_INITIATE" value="false"/>
|
||||
<server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
|
||||
<server name="ALLOW_UNTRUSTED_SERVER_FETCHING" value="false"/>
|
||||
<server name="CONTENT_FILTERING" value="jhfa"/>
|
||||
<server name="ALLOW_CONTENT_SCRIPTS" value="false"/>
|
||||
<server name="AVATAR_URL" value=""/>
|
||||
<server name="LDAP_START_TLS" value="false"/>
|
||||
|
||||
@@ -22,6 +22,8 @@ class PageContentFilteringTest extends TestCase
|
||||
|
||||
public function test_more_complex_content_script_escaping_scenarios()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
"<p>Some script</p><script>alert('cat')</script>",
|
||||
"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
|
||||
@@ -47,6 +49,8 @@ class PageContentFilteringTest extends TestCase
|
||||
|
||||
public function test_js_and_base64_src_urls_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<iframe src="javascript:alert(document.cookie)"></iframe>',
|
||||
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
|
||||
@@ -89,6 +93,8 @@ class PageContentFilteringTest extends TestCase
|
||||
|
||||
public function test_javascript_uri_links_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
|
||||
@@ -110,8 +116,23 @@ class PageContentFilteringTest extends TestCase
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_filtering_is_controlled_by_config()
|
||||
{
|
||||
config()->set('app.content_filtering', '');
|
||||
$page = $this->entities->page();
|
||||
$page->html = '<form><input type="text" id="dont-see-this" value="test"></form>';
|
||||
$page->save();
|
||||
|
||||
$this->asEditor()->get($page->getUrl())->assertSee('dont-see-this', false);
|
||||
|
||||
config()->set('app.content_filtering', 'f');
|
||||
$this->get($page->getUrl())->assertDontSee('dont-see-this', false);
|
||||
}
|
||||
|
||||
public function test_form_actions_with_javascript_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
|
||||
'<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
|
||||
@@ -139,6 +160,8 @@ class PageContentFilteringTest extends TestCase
|
||||
|
||||
public function test_form_elements_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'f');
|
||||
|
||||
$checks = [
|
||||
'<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
|
||||
'<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
|
||||
@@ -182,6 +205,8 @@ TESTCASE
|
||||
|
||||
public function test_form_attributes_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'f');
|
||||
|
||||
$withinSvgSample = <<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
@@ -229,6 +254,8 @@ TESTCASE;
|
||||
|
||||
public function test_metadata_redirects_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'h');
|
||||
|
||||
$checks = [
|
||||
'<meta http-equiv="refresh" content="0; url=//external_url">',
|
||||
'<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
|
||||
@@ -253,6 +280,8 @@ TESTCASE;
|
||||
|
||||
public function test_page_inline_on_attributes_removed_by_default()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
|
||||
@@ -267,6 +296,8 @@ TESTCASE;
|
||||
|
||||
public function test_more_complex_inline_on_attributes_escaping_scenarios()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<p onclick="console.log(\'test\')">Hello</p>',
|
||||
'<p OnCliCk="console.log(\'test\')">Hello</p>',
|
||||
@@ -308,6 +339,8 @@ TESTCASE;
|
||||
|
||||
public function test_svg_script_usage_is_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
|
||||
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
|
||||
@@ -350,4 +383,46 @@ TESTCASE;
|
||||
$pageView->assertSee($script, false);
|
||||
$pageView->assertDontSee('<p>Hello</p>', false);
|
||||
}
|
||||
|
||||
public function test_non_content_filtering_is_controlled_by_config()
|
||||
{
|
||||
config()->set('app.content_filtering', 'h');
|
||||
$page = $this->entities->page();
|
||||
$html = <<<'HTML'
|
||||
<style>superbeans!</style>
|
||||
<p>inbetweenpsection</p>
|
||||
<link rel="stylesheet" href="https://example.com/superbeans.css">
|
||||
<meta name="description" content="superbeans!">
|
||||
<title>superbeans!</title>
|
||||
<template id="template">superbeans!</template>
|
||||
HTML;
|
||||
|
||||
$page->html = $html;
|
||||
$page->save();
|
||||
|
||||
$resp = $this->asEditor()->get($page->getUrl());
|
||||
$resp->assertDontSee('superbeans', false);
|
||||
$resp->assertSee('inbetweenpsection', false);
|
||||
}
|
||||
|
||||
public function test_non_content_filtering()
|
||||
{
|
||||
config()->set('app.content_filtering', 'h');
|
||||
}
|
||||
|
||||
public function test_allow_list_filtering_is_controlled_by_config()
|
||||
{
|
||||
config()->set('app.content_filtering', '');
|
||||
$page = $this->entities->page();
|
||||
$page->html = '<div style="position: absolute; left: 0;color:#00FFEE;">Hello!</div>';
|
||||
$page->save();
|
||||
|
||||
$resp = $this->asEditor()->get($page->getUrl());
|
||||
$resp->assertSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
|
||||
|
||||
config()->set('app.content_filtering', 'a');
|
||||
$resp = $this->get($page->getUrl());
|
||||
$resp->assertDontSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
|
||||
$resp->assertSee('style="color:#00FFEE;"', false);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -170,6 +170,20 @@ class ConfigTest extends TestCase
|
||||
}
|
||||
}
|
||||
|
||||
public function test_content_filtering_defaults_to_enabled()
|
||||
{
|
||||
$this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => null], function () {
|
||||
$this->assertEquals('jhfa', config('app.content_filtering'));
|
||||
});
|
||||
}
|
||||
|
||||
public function test_allow_content_scripts_disables_content_filtering()
|
||||
{
|
||||
$this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {
|
||||
$this->assertEquals('', config('app.content_filtering'));
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Set an environment variable of the given name and value
|
||||
* then check the given config key to see if it matches the given result.
|
||||
|
||||
Reference in New Issue
Block a user