
# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
  2. require 'test_helper'
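# Regression tests for HtmlSanitizer.strict, the filter applied to untrusted
# HTML (e.g. inbound e-mail bodies) before it is stored/rendered.
#
# Each assertion pins the exact output for one payload. The inputs are a mix of
# classic XSS filter-evasion vectors (script/event-handler/URL-scheme tricks in
# the style of the xss.rocks / RSnake lists), parser-confusion tricks
# (comments, CDATA, unbalanced quotes) and "hide content from the agent" tricks
# via inline CSS. The expected values are deliberately strict: a change here
# means the sanitizer's output changed, which is a security-relevant event and
# must be reviewed rather than just re-recorded.
#
# assert_equal takes (expected, actual); keeping that order makes a failure
# message read "Expected <sanitized output> to be <literal>" instead of the
# reverse.
class HtmlSanitizerTest < ActiveSupport::TestCase
  # HtmlSanitizer applies a PROCESSING_TIMEOUT to sanitizing. The pathological
  # payloads below may exceed it on slow CI systems, so the limit is lifted for
  # the duration of each test and restored afterwards. Removing the constant
  # before redefining it avoids Ruby's "already initialized constant" warning
  # that a bare const_set on an existing constant prints on every run.
  setup do
    @processing_timeout = HtmlSanitizer.const_get(:PROCESSING_TIMEOUT)
    HtmlSanitizer.send(:remove_const, :PROCESSING_TIMEOUT) if HtmlSanitizer.const_defined?(:PROCESSING_TIMEOUT, false)
    HtmlSanitizer.const_set(:PROCESSING_TIMEOUT, nil)
  end

  teardown do
    HtmlSanitizer.send(:remove_const, :PROCESSING_TIMEOUT) if HtmlSanitizer.const_defined?(:PROCESSING_TIMEOUT, false)
    HtmlSanitizer.const_set(:PROCESSING_TIMEOUT, @processing_timeout)
  end

  # Script, event-handler and URL-scheme based payloads. Unknown elements are
  # unwrapped (their text survives), dangerous ones are dropped with content.
  test 'xss' do
    assert_equal('<b>123</b>', HtmlSanitizer.strict('<b>123</b>'))
    assert_equal('', HtmlSanitizer.strict('<script><b>123</b></script>'))
    assert_equal('', HtmlSanitizer.strict('<script><style><b>123</b></style></script>'))
    assert_equal('<i><b>123</b>123</i>', HtmlSanitizer.strict('<abc><i><b>123</b><bbb>123</bbb></i></abc>'))
    assert_equal('<i><b>123</b>123<i>abc</i></i>', HtmlSanitizer.strict('<abc><i><b>123</b><bbb>123<i><ccc>abc</ccc></i></bbb></i></abc>'))
    assert_equal('123', HtmlSanitizer.strict('<not_existing>123</not_existing>'))
    assert_equal('', HtmlSanitizer.strict('<script type="text/javascript">alert("XSS!");</script>'))
    assert_equal('', HtmlSanitizer.strict('<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>'))

    # javascript: in src, in every quoting/casing/whitespace/entity variant, must
    # remove the whole element, not just the attribute.
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="javascript:alert(\'XSS\');">'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC=javascript:alert(\'XSS\')>'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'))
    assert_equal('<img>"&gt;', HtmlSanitizer.strict('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'))
    assert_equal('<img src="#">', HtmlSanitizer.strict('<IMG SRC=# onmouseover="alert(\'xxs\')">'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="jav ascript:alert(\'XSS\');">'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="jav&#x0D;ascript:alert(\'XSS\');">'))
    # Unlike the variants above, this one keeps the element and empties the
    # attribute instead of dropping the tag; either outcome is non-executable.
    assert_equal('<img src="">', HtmlSanitizer.strict('<IMG SRC=" &#14; javascript:alert(\'XSS\');">'))

    assert_equal('', HtmlSanitizer.strict('<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>'))
    assert_equal('', HtmlSanitizer.strict('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'))
    assert_equal('', HtmlSanitizer.strict('<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>'))
    assert_equal('&lt;', HtmlSanitizer.strict('<<SCRIPT>alert("XSS");//<</SCRIPT>'))
    assert_equal('', HtmlSanitizer.strict('<SCRIPT SRC=http://xss.rocks/xss.js?< B >'))
    assert_equal('', HtmlSanitizer.strict('<SCRIPT SRC=//xss.rocks/.j>'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="javascript:alert(\'XSS\')"'))
    assert_equal('123', HtmlSanitizer.strict('<IMG SRC="javascript:alert(\'XSS\')" abc<b>123</b>'))
    assert_equal('', HtmlSanitizer.strict('<iframe src=http://xss.rocks/scriptlet.html <'))
    assert_equal('', HtmlSanitizer.strict('</script><script>alert(\'XSS\');</script>'))
    assert_equal('<ul><li>XSS</li></ul>', HtmlSanitizer.strict('<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC=\'vbscript:msgbox("XSS")\'>'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="livescript:[code]">'))
    assert_equal('', HtmlSanitizer.strict('<svg/onload=alert(\'XSS\')>'))
    assert_equal('', HtmlSanitizer.strict('<BODY ONLOAD=alert(\'XSS\')>'))
    assert_equal('', HtmlSanitizer.strict('<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">'))
    assert_equal('', HtmlSanitizer.strict('<STYLE>@import\'http://xss.rocks/xss.css\';</STYLE>'))
    assert_equal('', HtmlSanitizer.strict('<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet">'))
    # A javascript: scheme hidden in a style attribute strips the style; the
    # same string in src drops the element.
    assert_equal('<img>', HtmlSanitizer.strict('<IMG STYLE="java/*XSS*/script:(alert(\'XSS\'), \'\')">'))
    assert_equal('', HtmlSanitizer.strict('<IMG src="java/*XSS*/script:(alert(\'XSS\'), \'\')">'))
    assert_equal('', HtmlSanitizer.strict('<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>'))
    assert_equal('<table><td></td></table>', HtmlSanitizer.strict('<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">'))
    assert_equal('<div></div>', HtmlSanitizer.strict('<DIV STYLE="background-image: url(javascript:alert(\'XSS\'), \'\')">'))

    # Relative links are passed through untouched; absolute external links get
    # rel="nofollow noreferrer noopener" (no Referer, no window.opener access)
    # and open in a new tab. The second positional flag does not change that
    # for an already-absolute URL.
    assert_equal('<a href="/some/path">test</a>', HtmlSanitizer.strict('<a href="/some/path">test</a>'))
    assert_equal('<a href="https://some/path" rel="nofollow noreferrer noopener" target="_blank" title="https://some/path">test</a>', HtmlSanitizer.strict('<a href="https://some/path">test</a>'))
    assert_equal('<a href="https://some/path" rel="nofollow noreferrer noopener" target="_blank" title="https://some/path">test</a>', HtmlSanitizer.strict('<a href="https://some/path">test</a>', true))

    assert_equal('<i><b></b></i>', HtmlSanitizer.strict('<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML>'))
    assert_equal('', HtmlSanitizer.strict('<IMG SRC="javas<!-- -->cript:alert(\'XSS\')">'))
    # UTF-7 charset override: the <meta> (and the whole <head>) is dropped, the
    # "+ADw-SCRIPT+AD4-" sequence survives as plain text. That text is only
    # inert if the document it ends up in declares its own charset -- the
    # sanitizer cannot guarantee that on its own.
    assert_equal(' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-', HtmlSanitizer.strict(' <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-'))
    assert_equal('', HtmlSanitizer.strict('<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>'))

    # Whitespace-obfuscated scheme: newline and spaces are percent-encoded, so
    # the value no longer starts with a parsable scheme. With the second
    # positional flag set, a scheme-less href is additionally prefixed with
    # "http://" (compare the two expectations).
    assert_equal('<a href="h%0Att%20%20p://6%206.000146.0x7.147/" rel="nofollow noreferrer noopener" target="_blank" title="h%0Att%20%20p://6%206.000146.0x7.147/">XSS</a>', HtmlSanitizer.strict('<A HREF="h
tt  p://6 6.000146.0x7.147/">XSS</A>'))
    assert_equal('<a href="http://h%0Att%20%20p://6%206.000146.0x7.147/" rel="nofollow noreferrer noopener" target="_blank" title="http://h%0Att%20%20p://6%206.000146.0x7.147/">XSS</a>', HtmlSanitizer.strict('<A HREF="h
tt  p://6 6.000146.0x7.147/">XSS</A>', true))
    # Protocol-relative URLs are treated as external links and not rewritten.
    assert_equal('<a href="//www.google.com/" rel="nofollow noreferrer noopener" target="_blank" title="//www.google.com/">XSS</a>', HtmlSanitizer.strict('<A HREF="//www.google.com/">XSS</A>'))
    assert_equal('<a href="//www.google.com/" rel="nofollow noreferrer noopener" target="_blank" title="//www.google.com/">XSS</a>', HtmlSanitizer.strict('<A HREF="//www.google.com/">XSS</A>', true))

    # form/formaction, MathML maction and xlink:href carriers for javascript:.
    assert_equal('X', HtmlSanitizer.strict('<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>'))
    assert_equal('CLICKME', HtmlSanitizer.strict('<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>'))
    assert_equal('CLICKME', HtmlSanitizer.strict('<a xlink:href="javascript:alert(2)">CLICKME</a>'))
    assert_equal('CLICKME', HtmlSanitizer.strict('<a xlink:href="javascript:alert(2)">CLICKME</a>', true))

    # Parser-confusion payloads (comment / bogus doctype / CDATA / unknown tag
    # used to break out of an attribute). The attacker-controlled remainder
    # must end up either entity-encoded as text or percent/entity-encoded
    # inside a quoted attribute -- never as live markup. This holds only as
    # long as the stored output is not decoded a second time before rendering.
    assert_equal('<img src="x">', HtmlSanitizer.strict('<!--<img src="--><img src=x onerror=alert(1)//">'))
    assert_equal('&lt;![&gt;<img src="%5D&gt;&lt;img%20src=x%20onerror=alert(1)//">', HtmlSanitizer.strict('<![><img src="]><img src=x onerror=alert(1)//">'))
    assert_equal('&lt;![CDATA[&gt;', HtmlSanitizer.strict('<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>'))
    assert_equal('<img src="&lt;/abc&gt;&lt;img%20src=x%20onerror=alert(1)//">', HtmlSanitizer.strict('<abc><img src="</abc><img src=x onerror=alert(1)//">'))

    # data: URLs carrying an HTML document in object/embed.
    assert_equal('', HtmlSanitizer.strict('<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>'))
    assert_equal('', HtmlSanitizer.strict('<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>'))
    assert_equal('<img>', HtmlSanitizer.strict('<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">'))
    # The bracketed junk is percent-encoded, so the href no longer begins with
    # a valid scheme token and is resolved as a relative path rather than as
    # javascript:. Without the flag the link is left without rel/target (it is
    # not recognised as external); with the flag it is prefixed with http://.
    assert_equal('<a href="%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)">XXX</a>', HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>'))
    assert_equal('<a href="http://%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)" rel="nofollow noreferrer noopener" target="_blank" title="http://%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)">XXX</a>', HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>', true))
    assert_equal('', HtmlSanitizer.strict('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'))

    # Clickjacking-style overlay: a fixed, full-height anchor covering the UI.
    # The style attribute is stripped entirely, not just the offending rules.
    assert_equal('<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>', HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>'))
    assert_equal('<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>', HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>', true))
  end

  # Outlook/Word-generated mail: <style> blocks and MSO conditional comments
  # (<!--[if ...]> ... <![endif]-->) are removed together with everything
  # inside them, while the surrounding content is kept. Note the second case
  # also strips width/height from an anchor (1x1 tracking-pixel style link).
  test 'outlook conditional comments and style blocks' do
    assert_equal('<div>
test 123
<blockquote></blockquote>
</div>', HtmlSanitizer.strict('<div>
<style type="text/css">#outlook A {
.content { WIDTH: 100%; MAX-WIDTH: 740px }
A { COLOR: #666666; TEXT-DECORATION: none }
A:link { COLOR: #666666; TEXT-DECORATION: none }
A:hover { COLOR: #666666; TEXT-DECORATION: none }
A:active { COLOR: #666666; TEXT-DECORATION: none }
A:focus { COLOR: #666666; TEXT-DECORATION: none }
BODY { FONT-FAMILY: Calibri, Arial, Verdana, sans-serif }
</style>
<!--[if (gte mso 9)|(IE)]>
<META name=GENERATOR content="MSHTML 9.00.8112.16800"></HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial></FONT>&nbsp;</DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=smith.test@example.dk
href="mailto:smith.test@example.dk">smith.test@example.dk</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, November 10, 2017 9:11
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Din bestilling hos
example.dk - M123 - KD1234</DIV>
<div>&nbsp;</div>
<![endif]-->test 123
<blockquote></div>'))

    assert_equal('
<div>123</div>
<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">abc</a>', HtmlSanitizer.strict('<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div>123</div>
<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1">abc</a></div>'))
  end

  # Inline CSS used to hide text from the reader (zero font size in any unit
  # and casing, display:none, visibility:hidden) is stripped so that the
  # hidden content becomes visible to the agent. Hidden text is a common
  # phishing / prompt-smuggling trick, so the whole style attribute goes.
  test 'hidden content via inline css' do
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size: 0pt"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-Size:0px"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size:0em"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style=" Font-size:0%"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size:0%;display: none;"><td>123</td></tr></table>'))
    assert_equal('<table><tr><td>123</td></tr></table>', HtmlSanitizer.strict('<table><tr style="font-size:0%;visibility:hidden;"><td>123</td></tr></table>'))
  end

  # Percent-encoded paths are kept as-is (no double encoding); an id attribute
  # on a mailto link is dropped and non-ASCII in the address is percent-encoded.
  test 'links' do
    assert_equal('<a href="/some/path%20test.pdf">test</a>', HtmlSanitizer.strict('<a href="/some/path%20test.pdf">test</a>'))
    assert_equal('<a href="https://somehost.domain/path%20test.pdf" rel="nofollow noreferrer noopener" target="_blank" title="https://somehost.domain/path%20test.pdf">test</a>', HtmlSanitizer.strict('<a href="https://somehost.domain/path%20test.pdf">test</a>'))
    assert_equal('<a href="https://somehost.domain/zaihan%20test" rel="nofollow noreferrer noopener" target="_blank" title="https://somehost.domain/zaihan%20test">test</a>', HtmlSanitizer.strict('<a href="https://somehost.domain/zaihan%20test">test</a>'))
    assert_equal('<a href="mailto:test%C3%A4%C3%B6%C3%BC@example.com">test</a>', HtmlSanitizer.strict('<a href="mailto:testäöü@example.com" id="123">test</a>'))
  end

  # Links to this instance's own attachment endpoint: any disposition other
  # than "attachment" (inline, or an unknown value) is rewritten to
  # "attachment", so a crafted link cannot get an uploaded HTML/SVG file
  # rendered inline in the application origin. A link without a disposition
  # is left alone, and so is the same path on a different host -- the rewrite
  # is keyed on the configured FQDN, not on the path shape.
  test 'attachment links' do
    api_path = Rails.configuration.api_path
    http_type = Setting.get('http_type')
    fqdn = Setting.get('fqdn')
    attachment_url = "#{http_type}://#{fqdn}#{api_path}/ticket_attachment/239/986/1653"
    attachment_url_good = "#{attachment_url}?disposition=attachment"
    attachment_url_evil = "#{attachment_url}?disposition=inline"
    assert_equal("<a href=\"#{attachment_url_good}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url_good}\">Evil link</a>", HtmlSanitizer.strict("<a href=\"#{attachment_url_evil}\">Evil link</a>"))
    assert_equal("<a href=\"#{attachment_url_good}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url_good}\">Good link</a>", HtmlSanitizer.strict("<a href=\"#{attachment_url_good}\">Good link</a>"))
    assert_equal("<a href=\"#{attachment_url}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url}\">No disposition</a>", HtmlSanitizer.strict("<a href=\"#{attachment_url}\">No disposition</a>"))

    different_fqdn_url = attachment_url_evil.gsub(fqdn, 'some.other.tld')
    assert_equal("<a href=\"#{different_fqdn_url}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{different_fqdn_url}\">Different FQDN</a>", HtmlSanitizer.strict("<a href=\"#{different_fqdn_url}\">Different FQDN</a>"))

    attachment_url_evil_other = "#{attachment_url}?disposition=some_other"
    assert_equal("<a href=\"#{attachment_url_good}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url_good}\">Evil link</a>", HtmlSanitizer.strict("<a href=\"#{attachment_url_evil_other}\">Evil link</a>"))
  end

  # Preformatted text is passed through unchanged (no link rewriting inside
  # <pre><code>); the only transformation is entity decoding (&uuml; -> ü).
  test 'preformatted text' do
    assert_equal('<pre><code>apt-get update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:2 http://de.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://de.archive.ubuntu.com/ubuntu focal-updates InRelease
Get:4 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ InR=
elease [3820 B]
Hit:5 http://de.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:6 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ InRelease [3781 =
B]
Get:7 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Sou=
rces [2710 B]
Get:8 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Pac=
kages [6507 B]
Get:9 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Sources [9066 B]
Get:10 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Packages [23.8 =
kB]
Get:11 http://security.ubuntu.com/ubuntu focal-security/main amd64 DEP-11 M=
etadata [40.6 kB]
Get:12 http://security.ubuntu.com/ubuntu focal-security/universe amd64 DEP-=
11 Metadata [66.3 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 DE=
P-11 Metadata [2464 B]
Fetched 273 kB in 1s (288 kB/s)
Reading package lists...
Batterie-Status prüfen
Reading package lists...
Building dependency tree...</code></pre>', HtmlSanitizer.strict('<pre><code>apt-get update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:2 http://de.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://de.archive.ubuntu.com/ubuntu focal-updates InRelease
Get:4 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ InR=
elease [3820 B]
Hit:5 http://de.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:6 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ InRelease [3781 =
B]
Get:7 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Sou=
rces [2710 B]
Get:8 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Pac=
kages [6507 B]
Get:9 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Sources [9066 B]
Get:10 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Packages [23.8 =
kB]
Get:11 http://security.ubuntu.com/ubuntu focal-security/main amd64 DEP-11 M=
etadata [40.6 kB]
Get:12 http://security.ubuntu.com/ubuntu focal-security/universe amd64 DEP-=
11 Metadata [66.3 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 DE=
P-11 Metadata [2464 B]
Fetched 273 kB in 1s (288 kB/s)
Reading package lists...
Batterie-Status pr&uuml;fen
Reading package lists...
Building dependency tree...</code></pre>'))
  end
end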