fix($sanitize): prevent clobbered elements from freezing the browser #15699
Conversation
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored by someone other than the pull request submitter. We need to confirm that they're okay with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the |
1 similar comment
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored by someone other than the pull request submitter. We need to confirm that they're okay with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the |
gkalpak
force-pushed
the
next-sibling
branch
from
5e3d716 to
0821355
Compare
| @@ -218,6 +219,11 @@ function $SanitizeProvider() { | |||
| htmlParser = htmlParserImpl; | |||
| htmlSanitizeWriter = htmlSanitizeWriterImpl; | |||
|
|
|||
| nodeContains = window.Node.prototype.contains || /** @this */ function(arg) { | |||
| // eslint-disable-next-line no-bitwise | |||
| return !!(this.compareDocumentPosition(arg) & 16); | |||
There was a problem hiding this comment.
compareDocumentPosition can also be clobbered. That will throw an exception - is that OK for your case i.e. is the exception caught and safely resolved?
There was a problem hiding this comment.
It is OK afaict. What we are trying to avoid is having an infinite loop, while traversing the DOM tree, which will eventually crash the browser.
| if (node === inertBodyElement) break; | ||
| nextNode = node.nextSibling; | ||
| nextNode = getNonDescendant('nextSibling', node); | ||
| if (node.nodeType === 1) { |
There was a problem hiding this comment.
What we are trying to avoid (afaict) is having an infinite loop, while traversing the DOM tree, which will eventually crash the browser.
I couldn't find a way to achive this via nodeType or nodeName. Did I miss something?
There was a problem hiding this comment.
If an infinite loop is the only concern, disregard my comments. JS-based sanitizers can usually fail by making them throw which breaks applications not catching an exception. Commonly, DOM clobbering is used to do that. If exceptions in ngSanitize do not result in apps breaking, it's fine.
There was a problem hiding this comment.
If an infinite loop is the only concern, disregard my comments.
I meant that is what we are address in this PR 😃
But afaict, we are only sanitizing HTML from ngBindHtml's watch-action. Throwing inside a watch-action, will catch the error, pass it to the $exceptionHandler and move on to the next watcher.
But if someone uses it differently, it is possible that it breaks the app (as any thrown exception could). Do you think $sanitize should be handling its own errors, @koto ?
There was a problem hiding this comment.
If the errors are triggered by processing untrusted HTML (which is likely the most common code), I think the safe default would be to return an empty string instead of throwing and requiring application to catch. But tat this point it's not really a security issue, but should be similar to how other core services behave (i.e. is it expected for them to throw and it should be handled by apps).
| @@ -381,12 +387,12 @@ function $SanitizeProvider() { | |||
| if (node.nodeType === 1) { | |||
| handler.end(node.nodeName.toLowerCase()); | |||
| function getNonDescendant(propName, node) { | ||
| // An element is clobbered if its `propName` property points to one of its descendants | ||
| var nextNode = node[propName]; | ||
| if (nextNode && nodeContains.call(node, nextNode)) { |
There was a problem hiding this comment.
are we bothered about generic descendents or only inputs that are members of a form?
if the latter then could we do:
if (nextNode && nextNode.form === node)
There was a problem hiding this comment.
I don't know of another usecase that would be affected other than <form> elements. (document is affected too, but we can't access document inside the htmlParsers afaict.)
I can't be 100% sure though. DOM has many dark corners 😃
There was a problem hiding this comment.
Hm...it seems that this won't work for img elements:
<form name="foo>
<input name="bar" />
<img name="baz" />
</form>document.foo.bar //--> `<input ... />`
document.foo.bar.form //--> `<form ... >`
document.foo.baz //--> `<img ... />`
document.foo.baz.form //--> undefinedThere was a problem hiding this comment.
OK, let's leave it as it is then
petebacondarwin
force-pushed
the
next-sibling
branch
from
9c91778 to
4f69d38
Compare
|
We merged this as-is. If there turns out to be performance issues then we will revisit and consider a different algorithm. |
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
bug fix
What is the current behavior? (You can also link to an open issue here)
browser can be frozen with bad HTML
What is the new behavior (if this is a feature change)?
an exception is thrown instead
Does this PR introduce a breaking change?
No
Please check if the PR fulfills these requirements
Other information: