Changeset 49644 in webkit

Timestamp:

Oct 15, 2009 12:04:57 PM (15 years ago)

Author:

dbates@webkit.org

Message:

2009-10-15 Daniel Bates <​dbates@webkit.org>

Reviewed by Adam Barth.

​https://bugs.webkit.org/show_bug.cgi?id=27895

Fixes an issue in which injecting an inline event handler whose value ends in a single-line
JavaScript comment can bypass the XSSAuditor. Similarly fixes this issue with respect to
the HTML Base element, HTML Object element, inline and external script tags, and
JavaScript multi-line variants of all of these attacks.

Tests: http/tests/security/xssAuditor/base-href-comment.html

http/tests/security/xssAuditor/iframe-javascript-url-comment.html
http/tests/security/xssAuditor/img-onerror-HTML-comment.html
http/tests/security/xssAuditor/img-onerror-comment.html
http/tests/security/xssAuditor/object-tag-comment.html
http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html
http/tests/security/xssAuditor/script-tag-comment.html
http/tests/security/xssAuditor/script-tag-with-source-comment.html

• page/XSSAuditor.cpp: Added constant minAttackLength. (WebCore::XSSAuditor::canEvaluate): (WebCore::XSSAuditor::canEvaluateJavaScriptURL): (WebCore::XSSAuditor::canCreateInlineEventListener): (WebCore::XSSAuditor::canLoadExternalScriptFromSrc): (WebCore::XSSAuditor::canLoadObject): (WebCore::XSSAuditor::canSetBaseElementURL): (WebCore::XSSAuditor::findInRequest): Added parameter context. Only looks at up to minAttackLength of script code plus context (if any).
• page/XSSAuditor.h:

2009-10-15 Daniel Bates <​dbates@webkit.org>

Reviewed by Adam Barth.

​https://bugs.webkit.org/show_bug.cgi?id=27895

Tests that inline event handlers whose value ends in a single-line JavaScript
comment cannot bypass the XSSAuditor. Also tests that the XSSAuditor prevents
similar attack vectors with respect to the HTML Base element, HTML Object
element, and external JavaScripts.

• http/tests/security/xssAuditor/base-href-comment-expected.txt: Added.
• http/tests/security/xssAuditor/base-href-comment.html: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-comment-expected.txt: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-comment.html: Added.
• http/tests/security/xssAuditor/img-onerror-HTML-comment-expected.txt: Added.
• http/tests/security/xssAuditor/img-onerror-HTML-comment.html: Added.
• http/tests/security/xssAuditor/img-onerror-comment-expected.txt: Added.
• http/tests/security/xssAuditor/img-onerror-comment.html: Added.
• http/tests/security/xssAuditor/object-tag-comment-expected.txt: Added.
• http/tests/security/xssAuditor/object-tag-comment.html: Added.
• http/tests/security/xssAuditor/resources/echo-before-image.pl: Added.
• http/tests/security/xssAuditor/resources/echo-head-base-href-comment.pl: Added.
• http/tests/security/xssAuditor/script-tag-comment-HTML-entity-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html: Added.
• http/tests/security/xssAuditor/script-tag-comment-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-comment.html: Added.
• http/tests/security/xssAuditor/script-tag-with-source-comment-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-with-source-comment.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/base-href-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/base-href-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/img-onerror-HTML-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/img-onerror-HTML-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/img-onerror-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/img-onerror-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/object-tag-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/object-tag-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-before-image.pl (added)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-comment.pl (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-comment-HTML-entity-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-comment.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/page/XSSAuditor.cpp (modified) (11 diffs)
• WebCore/page/XSSAuditor.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-10-15  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=27895
+        
+        Tests that inline event handlers whose value ends in a single-line JavaScript
+        comment cannot bypass the XSSAuditor. Also tests that the XSSAuditor prevents
+        similar attack vectors with respect to the HTML Base element, HTML Object
+        element, and external JavaScripts.
+
+        * http/tests/security/xssAuditor/base-href-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/base-href-comment.html: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-comment.html: Added.
+        * http/tests/security/xssAuditor/img-onerror-HTML-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/img-onerror-HTML-comment.html: Added.
+        * http/tests/security/xssAuditor/img-onerror-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/img-onerror-comment.html: Added.
+        * http/tests/security/xssAuditor/object-tag-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/object-tag-comment.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-before-image.pl: Added.
+        * http/tests/security/xssAuditor/resources/echo-head-base-href-comment.pl: Added.
+        * http/tests/security/xssAuditor/script-tag-comment-HTML-entity-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html: Added.
+        * http/tests/security/xssAuditor/script-tag-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-comment.html: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-comment.html: Added.
+
 2009-10-15  Brian Weinstein  <bweinstein@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-10-15  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=27895
+        
+        Fixes an issue in which injecting an inline event handler whose value ends in a single-line
+        JavaScript comment can bypass the XSSAuditor. Similarly fixes this issue with respect to
+        the HTML Base element, HTML Object element, inline and external script tags, and
+        JavaScript multi-line variants of all of these attacks.
+
+        Tests: http/tests/security/xssAuditor/base-href-comment.html
+               http/tests/security/xssAuditor/iframe-javascript-url-comment.html
+               http/tests/security/xssAuditor/img-onerror-HTML-comment.html
+               http/tests/security/xssAuditor/img-onerror-comment.html
+               http/tests/security/xssAuditor/object-tag-comment.html
+               http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html
+               http/tests/security/xssAuditor/script-tag-comment.html
+               http/tests/security/xssAuditor/script-tag-with-source-comment.html
+
+        * page/XSSAuditor.cpp: Added constant minAttackLength.
+        (WebCore::XSSAuditor::canEvaluate):
+        (WebCore::XSSAuditor::canEvaluateJavaScriptURL):
+        (WebCore::XSSAuditor::canCreateInlineEventListener):
+        (WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
+        (WebCore::XSSAuditor::canLoadObject):
+        (WebCore::XSSAuditor::canSetBaseElementURL):
+        (WebCore::XSSAuditor::findInRequest): Added parameter context. Only looks at up 
+        to minAttackLength of script code plus context (if any).
+        * page/XSSAuditor.h:
+
 2009-10-08  Adam Langley  <agl@google.com>
 

trunk/WebCore/page/XSSAuditor.cpp

@@ -47 +47 @@
 namespace WebCore {
 
+// Note, we believe it is sufficient to only look at a substring of 7
+// characters (or less) of code.  Observe that "alert()" is seven characters
+// in length.
+static const unsigned minAttackLength = 7;
+
 static bool isNonCanonicalCharacter(UChar c)
 {
@@ -106 +111 @@
         return true;
 
-    if (findInRequest(code, false, true)) {
+    if (findInRequest(String(), code, false, true)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -119 +124 @@
         return true;
 
-    if (findInRequest(code, true, false, true)) {
+    if (findInRequest(String(), code, true, false, true)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -132 +137 @@
         return true;
 
-    if (findInRequest(code, true, true)) {
+    if (findInRequest(String(), code, true, true)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -155 +160 @@
         return true;
 
-    if (findInRequest(context + url)) {
+    if (findInRequest(context, url)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -168 +173 @@
         return true;
 
-    if (findInRequest(url)) {
+    if (findInRequest(String(), url)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -182 +187 @@
     
     KURL baseElementURL(m_frame->document()->url(), url);
-    if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) {
+    if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(String(), url)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -256 +261 @@
 }
 
-bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
+bool XSSAuditor::findInRequest(const String& context, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
                                bool decodeURLEscapeSequencesTwice) const
 {
@@ -262 +267 @@
     Frame* parentFrame = m_frame->tree()->parent();
     if (parentFrame && m_frame->document()->url() == blankURL())
-        result = findInRequest(parentFrame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
+        result = findInRequest(parentFrame, context, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
     if (!result)
-        result = findInRequest(m_frame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
+        result = findInRequest(m_frame, context, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
     return result;
 }
 
-bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
+bool XSSAuditor::findInRequest(Frame* frame, const String& context, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
                                bool decodeURLEscapeSequencesTwice) const
 {
@@ -282 +287 @@
 
     FormData* formDataObj = frame->loader()->documentLoader()->originalRequest().httpBody();
+    const bool hasFormData = formDataObj && !formDataObj->isEmpty();
     String pageURL = frame->document()->url().string();
-
-    if (!formDataObj && string.length() >= 2 * pageURL.length()) {
+    
+    String canonicalizedString;
+    if (!hasFormData && string.length() > 2 * pageURL.length()) {
         // Q: Why do we bother to do this check at all?
         // A: Canonicalizing large inline scripts can be expensive.  We want to
-        //    bail out before the call to canonicalize below, which could
-        //    result in an unneeded allocation and memcpy.
+        //    reduce the size of the string before we call canonicalize below, 
+        //    since it could result in an unneeded allocation and memcpy.
         //
         // Q: Why do we multiply by two here?
@@ -296 +303 @@
         //    factor of two by sending " characters, which the server
         //    transforms to \".
-        return false;
-    }
+        canonicalizedString = string.substring(0, 2 * pageURL.length());
+    } else
+        canonicalizedString = string;
 
     if (frame->document()->url().protocolIs("data"))
         return false;
 
-    String canonicalizedString = canonicalize(string);
+    canonicalizedString = canonicalize(canonicalizedString);
     if (canonicalizedString.isEmpty())
         return false;
 
-    if (string.length() < pageURL.length()) {
-        // The string can actually fit inside the pageURL.
-        String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
-
-        if (allowRequestIfNoIllegalURICharacters && (!formDataObj || formDataObj->isEmpty()) 
-            && decodedPageURL.find(&isIllegalURICharacter, 0) == -1)
-            return false; // Injection is impossible because the request does not contain any illegal URI characters. 
-
-        if (decodedPageURL.find(canonicalizedString, 0, false) != -1)
-            return true;  // We've found the smoking gun.
-    }
-
-    if (formDataObj && !formDataObj->isEmpty()) {
-        String formData = formDataObj->flattenToString();
-        if (string.length() < formData.length()) {
-            // Notice it is sufficient to compare the length of the string to
-            // the url-encoded POST data because the length of the url-decoded
-            // code is less than or equal to the length of the url-encoded
-            // string.
-            String decodedFormData = m_cache.canonicalizeURL(formData, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
-            if (decodedFormData.find(canonicalizedString, 0, false) != -1)
-                return true;  // We found the string in the POST data.
-        }
+    // We only look at the first minAttackLength characters to avoid looking at
+    // characters the attacker has pulled in from the page using an attack string
+    // like: <img onerror="alert(/XSS/);//
+    canonicalizedString = canonicalizedString.substring(0, minAttackLength);
+
+    if (!context.isEmpty())
+        canonicalizedString = context + canonicalizedString;
+
+    String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
+
+    if (allowRequestIfNoIllegalURICharacters && !hasFormData && decodedPageURL.find(&isIllegalURICharacter, 0) == -1)
+        return false; // Injection is impossible because the request does not contain any illegal URI characters. 
+
+    if (decodedPageURL.find(canonicalizedString, 0, false) != -1)
+        return true;  // We've found the string in the GET data.
+
+    if (hasFormData) {
+        String decodedFormData = m_cache.canonicalizeURL(formDataObj->flattenToString(), frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
+        if (decodedFormData.find(canonicalizedString, 0, false) != -1)
+            return true;  // We found the string in the POST data.
     }
 

trunk/WebCore/page/XSSAuditor.h

@@ -123 +123 @@
         static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true);
 
-        bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 
+        bool findInRequest(const String& context, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 
                            bool decodeURLEscapeSequencesTwice = false) const;
-        bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 
+        bool findInRequest(Frame*, const String& context, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 
                            bool decodeURLEscapeSequencesTwice = false) const;