
JS: extract .erb files as html #11175

Open
wants to merge 3 commits into base: main

Conversation

erik-krogh
Contributor

@erik-krogh erik-krogh commented Nov 8, 2022

CVE-2022-3704: TP/TN

In that CVE the security issue is entirely contained within some JS code, that sits inside a <script> tag in an .erb file.

I figured that our HTML parser already handles HTML with various templating languages, so handling .erb shouldn't be that different.
And it wasn't, it just worked.


I tried to add an .erb file to the xss-through-dom test, but that wouldn't work, and I don't know why.
That's why I put an .erb test in the trap-tests.


Evaluations look fine.
4 new extracted files in our default.yml suite.
Evaluation on the nightly sources used by Ruby shows a bunch of new extracted files, and OK results.

@github-actions github-actions bot added the JS label Nov 8, 2022
@erik-krogh erik-krogh marked this pull request as ready for review Nov 9, 2022
@erik-krogh erik-krogh requested a review from a team as a code owner Nov 9, 2022
Contributor

@aibaars aibaars left a comment

LGTM, one suggestion.

@@ -104,7 +104,7 @@ private static int skipBOM(byte[] bytes, int length) {

/** Information about supported file types. */
public static enum FileType {
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk") {
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb") {
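Review bot: the bare `.erb` entry added to `FileType.HTML` classifies every ERB template as HTML, not only the HTML ones, so templates ERB is used for in other text formats would also be handed to the HTML parser. Narrowing the new entry to `.html.erb` keeps the intended templates while excluding the rest, and since this enum now extracts a new extension by default, the list under the `/** Information about supported file types. */` comment (or wherever supported extensions are documented) should mention it.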
Contributor

@aibaars aibaars Nov 10, 2022


Perhaps restrict to .html.erb. While many erb files are html-like templates, they are also used for many other text formats.

Suggested change
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb") {
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".html.erb") {

Contributor

@aibaars aibaars left a comment

Looks good to me. I assume the HTML extractor behaves nicely when parsing invalid HTML code, right? .html.erb files tend to be mostly HTML but also have <% %>-like tags.

@erik-krogh
Contributor Author

erik-krogh commented Nov 10, 2022

Looks good to me. I assume the HTML extractor behaves nicely when parsing invalid HTML code, right? .html.erb files tend to be mostly HTML but also have <% %>-like tags.

Yes. The parser already handles that various templating systems do various weird things.
(It does so by accepting lots and lots of parse errors.)

It will become problematic if <% %>-like tags are used within JS code though.
(Which is an extremely bad idea; maybe we should have a query in the Ruby analysis for that?)
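The two points raised in this thread, which paths a suffix-based file-type check classifies as HTML (bare `.erb` versus `.html.erb`) and how to spot ERB tags that sit inside `<script>` blocks, as an added example; this is not the extractor's code, and the `endswith` matching and the regexes are assumptions:

```python
import re

# Suffix lists as in the PR's FileType.HTML enum: the broad form adds ".erb",
# the narrow form is the reviewer's ".html.erb" suggestion.
HTML_SUFFIXES_BROAD = (".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs",
                       ".ejs", ".njk", ".erb")
HTML_SUFFIXES_NARROW = HTML_SUFFIXES_BROAD[:-1] + (".html.erb",)


def classified_as_html(path, suffixes):
    """True if a suffix-based file-type check would treat `path` as HTML."""
    # Assumption: case-insensitive suffix comparison (illustrative, not the real lookup).
    lower = path.lower()
    return any(lower.endswith(s) for s in suffixes)


# Matches a <script> element and captures its body; ERB tags inside that
# body are the case the thread calls problematic for the JS parser.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
ERB_TAG_RE = re.compile(r"<%[=#-]?.*?-?%>", re.DOTALL)


def erb_tags_in_scripts(template):
    """Return [(line_number, tag_text)] for every ERB tag inside a <script> block."""
    hits = []
    for script in SCRIPT_RE.finditer(template):
        body_start = script.start(1)
        for tag in ERB_TAG_RE.finditer(script.group(1)):
            line = template.count("\n", 0, body_start + tag.start()) + 1
            hits.append((line, tag.group(0)))
    return hits


# Constructed sample template: one ERB tag in markup (fine for the HTML
# parser) and one inside <script> (the case to flag).
SAMPLE_TEMPLATE = """<h1><%= @title %></h1>
<script>
  var name = "<%= @user.name %>";
  console.log(name);
</script>
<p><%= link_to "Home", root_path %></p>
"""

if __name__ == "__main__":
    for path in ("show.html.erb", "welcome.text.erb", "index.js.erb"):
        print(path, classified_as_html(path, HTML_SUFFIXES_BROAD),
              classified_as_html(path, HTML_SUFFIXES_NARROW))
    print(erb_tags_in_scripts(SAMPLE_TEMPLATE))
```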
