GHSL-2021-1014, GHSL-2021-1015, GHSL-2021-1016

jupyter · Aug 9, 2022 · 7100b2b · 7100b2b
1 parent 47bd263
commit 7100b2b
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 7 deletions.
diff --git a/nbconvert/exporters/templateexporter.py b/nbconvert/exporters/templateexporter.py
@@ -7,6 +7,7 @@
 
 
 import json
+from lxml.html.clean import clean_html
 import os
 import uuid
 import warnings
@@ -69,6 +70,7 @@
     # browsers will parse </script>, closing a script tag early
     # Since JSON allows escaping forward slash, this will still be parsed by JSON
     "escape_html_script": lambda x: x.replace("</script>", "<\\/script>"),
+    "clean_html": clean_html,
     "strip_trailing_newline": filters.strip_trailing_newline,
     "text_base64": filters.text_base64,
 }

diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -0,0 +1,39 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "79aede83-fba6-4715-bce6-9f3926b128a2",
+   "metadata": {
+     "tags": ["FOO\"><script>alert('cell_tag')</script><div \""]
+   },
+   "outputs": [],
+   "source": []
+  }
+ ],
+ "metadata": {
+  "title": "TITLE</title><script>alert('title')</script>",
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.10.5"
+  },
+  "widgets": {
+    "application/vnd.jupyter.widget-state+json": {"foo": "pwntester</script><script>alert('widgets');//"}
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}
diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
@@ -134,3 +134,16 @@ def test_basic_name(self):
             self._get_notebook()
         )
         assert len(output) > 0
+
+    def test_javascript_injection(self):
+        for template in ["lab", "classic", "reveal"]:
+            (output, resources) = HTMLExporter(template_name=template).from_filename(self._get_notebook('notebook_inject.ipynb'))
+
+            # Check injection in the metadata.title of the Notebook
+            assert "<script>alert('title')</script>" not in output
+
+            # Check injection in the metadata.widgets of the Notebook
+            assert "</script><script>alert('widgets')" not in output
+
+            # Check injection in the cell.metadata.tags of the Notebook
+            assert "<script>alert('cell_tag')</script>" not in output
diff --git a/pyproject.toml b/pyproject.toml
@@ -20,6 +20,7 @@ classifiers = [
 urls = {Homepage = "https://jupyter.org"}
 requires-python = ">=3.7"
 dependencies = [
+    "lxml",
     "beautifulsoup4",
     "bleach",
     "defusedxml",

diff --git a/share/templates/base/celltags.j2 b/share/templates/base/celltags.j2
@@ -1,7 +1,7 @@
 {%- macro celltags(cell) -%}
     {% if cell.metadata.tags | length > 0 -%}
-        {% for tag in cell.metadata.tags -%}
-            {{ ' celltag_' ~ tag -}}
+        {% for tag in (cell.metadata.tags) -%}
+            {{ (' celltag_' ~ tag) | clean_html -}}
         {%- endfor -%}
     {%- endif %}
 {%- endmacro %}
diff --git a/share/templates/classic/base.html.j2 b/share/templates/classic/base.html.j2
@@ -267,7 +267,7 @@ var element = $('#{{ div_id }}');
 {% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
 {% if mimetype in nb.metadata.get("widgets",{})%}
 <script type="{{ mimetype }}">
-{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
+{{ nb.metadata.widgets[mimetype] | json_dumps | clean_html }}
 </script>
 {% endif %}
 {{ super() }}

diff --git a/share/templates/classic/index.html.j2 b/share/templates/classic/index.html.j2
@@ -9,7 +9,7 @@
 {%- block html_head -%}
 <meta charset="utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-{% set nb_title = nb.metadata.get('title', '') or resources['metadata']['name'] %}
+{% set nb_title = nb.metadata.get('title', resources['metadata']['name']) | clean_html %}
 <title>{{nb_title}}</title>
 
 {%- block html_head_js -%}

diff --git a/share/templates/lab/base.html.j2 b/share/templates/lab/base.html.j2
@@ -303,7 +303,7 @@ var element = document.getElementById('{{ div_id }}');
 {% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
 {% if mimetype in nb.metadata.get("widgets",{})%}
 <script type="{{ mimetype }}">
-{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
+{{ nb.metadata.widgets[mimetype] | json_dumps | clean_html }}
 </script>
 {% endif %}
 {{ super() }}

diff --git a/share/templates/lab/index.html.j2 b/share/templates/lab/index.html.j2
@@ -9,7 +9,7 @@
 {%- block html_head -%}
 <meta charset="utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-{% set nb_title = nb.metadata.get('title', '') or resources['metadata']['name'] %}
+{% set nb_title = nb.metadata.get('title', resources['metadata']['name']) | clean_html %}
 <title>{{nb_title}}</title>
 
 {%- block html_head_js -%}

diff --git a/share/templates/reveal/index.html.j2 b/share/templates/reveal/index.html.j2
@@ -20,7 +20,7 @@
 <meta name="apple-mobile-web-app-capable" content="yes" />
 <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
 
-{% set nb_title = nb.metadata.get('title', '') or resources['metadata']['name'] %}
+{% set nb_title = nb.metadata.get('title', resources['metadata']['name']) | clean_html %}
 <title>{{nb_title}} slides</title>
 
 {%- block html_head_js -%}