Prevent or sanitise HTML on write by default for unauthenticated users #1596

@josephguillaume

Description

It is expected as part of an inbox in particular that unauthenticated users can write/append to certain paths in a pod.
At the moment it is possible to write HTML, which risks then being executed when rendered.

Feature description

While client side mitigations are possible (I would not personally describe it as a critical vulnerability) and I don't think it's in the spec, it would make sense by default for CSS to either prevent writing HTML if a user is unauthenticated (even if they have write or append access otherwise) or sanitise the HTML before saving.

This would presumably be implemented as storage middleware, so could be turned off through config.
Probably both the content type and file extension could be checked, as a client might use either to decide to render the content.
Markdown could possibly also be sanitised given that it can contain arbitrary HTML by default and is also commonly rendered.

My understanding is that HTML would already be prevented if shape support is enabled for the inbox, so this is a more general feature request rather than specific to inboxes:
https://github.com/CommunitySolidServer/shape-validator-component/blob/main/documentation/constrained-containers.md#impact-of-constraining-a-container

More context:

Example

Here is a simple "exploit", noting that the interaction with CSS is consistent with the spec, and public permission to post has been granted by the user, so the only problem is that what is being posted is executable code:

  1. Save the malicious html to a pod
curl -X POST -H "Content-Type: text/html" -H "slug: xss.html" -d "<script>
  const main = async () => {
    mashlibWindow = window.parent;
    alert('Logged in as ' + await mashlibWindow.UI.authn.checkUser())
    res = await mashlibWindow.UI.authn.session.fetch('https://pod/private/secret.txt')
    alert('Secret: ' + await res.text())
  }
  main()
</script>" https://pod/inbox/
  2. User visits the html page when authenticated, e.g. within solidos

  3. Malicious html has access to authenticated session and therefore private parts of pod

Note that inbox needs to have public append access.
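Added example, not code from this issue or from CommunitySolidServer: a write-policy check implementing the option the issue proposes, judged on both the Content-Type header and the file extension (from the target path or the Slug header), with "reject" as the default and an escaping "neutralise" mode as the alternative to storing raw HTML. The `WriteRequest` shape, the function names and the choice of a 415 status are this example's own assumptions, not CSS's middleware interface; wiring it into the server's storage layer is left out.

```typescript
// Added example (not CommunitySolidServer code). Policy: an unauthenticated
// agent may not store content that a client might render as active HTML.
// Both the media type and the resource name are checked, because a client
// may use either one to decide how to render the resource.

type WriteDecision =
  | { action: "allow" }
  | { action: "reject"; status: number; reason: string }
  | { action: "store-as"; contentType: string; body: string };

interface WriteRequest {
  authenticated: boolean; // true when the request carries a verified identity (assumed field)
  method: "PUT" | "POST" | "PATCH";
  targetPath: string;     // resolved resource path, e.g. "/inbox/xss.html"
  slug?: string;          // Slug header on POST, used by the server to derive the name
  contentType?: string;   // raw Content-Type header as sent by the client
  body: string;
}

// Media types a browser or Solid client may render as active content.
const RENDERABLE_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",   // SVG documents can carry <script> elements
  "text/markdown",   // markdown renderers commonly pass raw HTML through
]);

// Extensions a client might treat as renderable regardless of stored type.
const RENDERABLE_EXTENSIONS = new Set(["html", "htm", "xhtml", "svg", "md", "markdown"]);

// "Text/HTML; charset=utf-8" -> "text/html"; parameters and case are ignored.
function mediaTypeOf(contentType?: string): string {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Extension of the last path segment, lower-cased; query/fragment stripped.
function extensionOf(name: string): string {
  const base = name.split(/[?#]/)[0].split("/").pop() ?? "";
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1).toLowerCase();
}

function looksRenderable(req: WriteRequest): boolean {
  if (RENDERABLE_TYPES.has(mediaTypeOf(req.contentType))) return true;
  const names = [req.targetPath, req.slug ?? ""];
  return names.some((n) => RENDERABLE_EXTENSIONS.has(extensionOf(n)));
}

// Escape the characters that start markup so the stored bytes cannot be
// parsed as HTML even if a client trusts the extension over the type.
function neutraliseMarkup(body: string): string {
  return body.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function decideWrite(
  req: WriteRequest,
  mode: "reject" | "neutralise" = "reject",
): WriteDecision {
  // Authenticated writers and non-renderable content are unaffected.
  if (req.authenticated || !looksRenderable(req)) return { action: "allow" };
  if (mode === "reject") {
    return {
      action: "reject",
      status: 415, // example's choice; any 4xx that explains the refusal works
      reason: "unauthenticated agents may not store renderable markup",
    };
  }
  // Neutralise: keep the message but store it as escaped plain text.
  return { action: "store-as", contentType: "text/plain", body: neutraliseMarkup(req.body) };
}
```

The reject mode is the safer default: filtering HTML with ad-hoc rules is unreliable, so the neutralise mode escapes everything rather than trying to pick out dangerous elements. Keeping the extension check alongside the media-type check matters for the case in the issue, where a client decides to render based on `.html` even if the stored type is something else.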
