$sceDelegateProvider.resourceUrlWhitelist() regex security risks

[josephlord]

I don't know how deeply this has been discussed but I think requiring regexs rather than a list of hosts/paths opens up risks.

If someone puts 'https://cdnhost-name12345.cdn.com.' they risk attack from anyone having a domain and creating a file at 'https://cdnhost-name12345.cdn.com.example.com". Now obviously the user should have entered: 'https://cdnhost-name12345\.cdn\.com/.' but the documentation doesn't seem to give examples. [Edited as 's weren't showing.]

I know that there are many valid uses for regexs where a number of servers or paths may be being used but that should be the advance option rather than the default and I would like it if there was stronger documentation and examples about how to (and how not to) use the regexs.

This is what my whitelist item in Rails looks like in the end and it would be all too easy to forget the escaping of the '.'s or the '/' before the '.'.
'<%= ActionController::Base.asset_host.gsub(/./, '.') %>/.' [Edited as 's weren't showing.]

Please consider a safe easy option.

[petebacondarwin]

I guess this should be documents. @chirayuk - what do you think?

[josephlord]

It is your project and your decision but I think requiring regexs in a security context when there are so many ways to accidentally be too permissive and the code apparently work is highly likely to lead to security failures. I think it is more than a documentation issue. Regex in the blacklist is fine as too broad and it stop the app from working and get fixed but too broad in a whitelist is likely to remain unnoticed and expose the user.

Please note that Github's markdown hide the 's in the what the use should have entered in the original issue report (now edited).

Couple of things, I realised that I went wrong in the necessary ruby regex to make the safe JS regex it should have read:

'<%= ActionController::Base.asset_host.gsub(/\./, '\\.') %>/.*'

Actually my total final call was:

$sceDelegateProvider.resourceUrlWhitelist(['self' <%= ",'" + ActionController::Base.asset_host.gsub(/\./, "\\.") + "/.*'" if ActionController::Base.asset_host %>]);

[chirayuk]

While the regex languages are different, other than for control characters, I think that Regexp.escape(str) would get you the right escaping.

I get that the greater issue is the ease of doing it wrong – so I'll fix the API for that.

[josephlord]

Thanks! This looks like a really good solution and a lot of hard work. Well documented too.