Skip to content

Commit

Permalink
[CVE-2022-37421] Sanitise ExtraMeta field for XSS
Browse files Browse the repository at this point in the history
  • Loading branch information
emteknetnz authored and GuySartorelli committed Oct 2, 2022
1 parent c4f5558 commit d162fab
Show file tree
Hide file tree
Showing 3 changed files with 82 additions and 0 deletions.
34 changes: 34 additions & 0 deletions code/Model/SiteTree.php
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@
use SilverStripe\Versioned\Versioned;
use SilverStripe\View\ArrayData;
use SilverStripe\View\HTML;
use SilverStripe\View\Parsers\HTMLValue;
use SilverStripe\View\Parsers\ShortcodeParser;
use SilverStripe\View\Parsers\URLSegmentFilter;
use SilverStripe\View\Shortcodes\EmbedShortcodeProvider;
Expand Down Expand Up @@ -1684,6 +1685,8 @@ protected function onBeforeWrite()
$this->setNextWriteWithoutVersion(true);
}

$this->sanitiseExtraMeta();

// Flush cached [embed] shortcodes
// Flush on both DRAFT and LIVE because VersionedCacheAdapter has separate caches for both
// Clear both caches at once for the scenario where a CMS-author updates a remote resource
Expand All @@ -1703,6 +1706,27 @@ protected function onBeforeWrite()
}
}

private function sanitiseExtraMeta(): void
{
$htmlValue = HTMLValue::create($this->ExtraMeta);
/** @var DOMElement $el */
foreach ($htmlValue->query('//*') as $el) {
/** @var DOMAttr $attr */
$attributes = $el->attributes;
for ($i = count($attributes) - 1; $i >= 0; $i--) {
$attr = $attributes->item($i);
// remove any attribute starting with 'on' e.g. onclick
// and remove the accesskey attribute
if (substr($attr->name, 0, 2) === 'on' ||
$attr->name === 'accesskey'
) {
$el->removeAttributeNode($attr);
}
}
}
$this->ExtraMeta = $htmlValue->getContent();
}

/**
* Trigger synchronisation of link tracking
*
Expand Down Expand Up @@ -1797,6 +1821,16 @@ public function validate()
);
}

// Ensure ExtraMeta can be turned into valid HTML
if ($this->ExtraMeta && !HTMLValue::create($this->ExtraMeta)->getContent()) {
$result->addError(
_t(
'SilverStripe\\CMS\\Model\\SiteTree.InvalidExtraMeta',
'Custom Meta Tags does not contain valid HTML',
)
);
}

return $result;
}

Expand Down
1 change: 1 addition & 0 deletions lang/en.yml
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,7 @@ en:
HTMLEDITORTITLE: Content
INHERIT: 'Inherit from parent page'
INHERITSITECONFIG: 'Inherit from site access settings'
InvalidExtraMeta: 'Custom Meta Tags does not contain valid HTML'
LASTPUBLISHED: 'Last published'
LASTSAVED: 'Last saved'
LASTUPDATED: 'Last Updated'
Expand Down
47 changes: 47 additions & 0 deletions tests/php/Model/SiteTreeTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -1986,4 +1986,51 @@ public function testGetCMSActionsWithoutForms()
);
// END ARCHIVED
}

/**
* @dataProvider provideSanitiseExtraMeta
*/
public function testSanitiseExtraMeta(string $extraMeta, string $expected, string $message): void
{
$siteTree = new SiteTree();
$siteTree->ExtraMeta = $extraMeta;
$siteTree->write();
$this->assertSame($expected, $siteTree->ExtraMeta, $message);
}

public function provideSanitiseExtraMeta(): array
{
return [
[
'<link rel="canonical" accesskey="X" sometrigger="alert(1)" />',
'<link rel="canonical" sometrigger="alert(1)">',
'accesskey attribute is removed'
],
[
'<link rel="canonical" onclick="alert(1)" /><meta name="x" onerror="alert(0)">',
'<link rel="canonical"><meta name="x">',
'Attributes starting with "on" are removed'
],
[
'<link rel="canonical" onclick=alert(1) /><meta name="x" onerror=\'alert(0)\'>',
'<link rel="canonical"><meta name="x">',
'Attributes with different quote styles are removed'
],
[
'<link rel="canonical" ONCLICK=alert(1) /><meta name="x" oNeRrOr=\'alert(0)\'>',
'<link rel="canonical"><meta name="x">',
'Mixed case attributes are removed'
],
[
'<link rel="canonical" accesskey="X" onclick="alert(1)" name="x" />',
'<link rel="canonical" name="x">',
'Multiple attributes are removed'
],
[
'<link rel="canonical" href="valid" ;;// somethingdodgy < onmouseover=alert(1)',
'<link rel="canonical" href="valid" somethingdodgy="">',
'Invalid HTML is converted to valid HTML and parsed'
],
];
}
}

0 comments on commit d162fab

Please sign in to comment.