codewalker/marked
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Sanitize hardening (#1504)

Browse Source 
Sanitize hardening

Co-authored-by: Tony Brix <tony@brix.ninja>
This commit is contained in:
Tony Brix 2019-07-02 09:33:53 -05:00 committed by GitHub
commit 2a1bbeda57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 53 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -39,7 +39,7 @@ Also read about:
## Usage ## Usage
### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨 ### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! 🚨
**CLI** **CLI**

2
docs/README.md
View File

@ -25,7 +25,7 @@ These documentation pages are also rendered using marked 💯
<h2 id="usage">Usage</h2> <h2 id="usage">Usage</h2>
### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨 ### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! 🚨
**CLI** **CLI**

2
docs/USING_ADVANCED.md
View File

@ -51,7 +51,7 @@ console.log(marked(markdownString));
|mangle |`boolean` |`true` |v0.3.4 |If true, autolinked email address is escaped with HTML character references.| |mangle |`boolean` |`true` |v0.3.4 |If true, autolinked email address is escaped with HTML character references.|
|pedantic |`boolean` |`false` |v0.2.1 |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.| |pedantic |`boolean` |`false` |v0.2.1 |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.|
|renderer |`object` |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.| |renderer |`object` |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.|
|sanitize |`boolean` |`false` |v0.2.1 |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.| |sanitize |`boolean` |`false` |v0.2.1 |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! |
|sanitizer |`function`|`null` |v0.3.4 |A function to sanitize the HTML passed into `markdownString`.| |sanitizer |`function`|`null` |v0.3.4 |A function to sanitize the HTML passed into `markdownString`.|
|silent |`boolean` |`false` |v0.2.7 |If true, the parser does not throw any exception.| |silent |`boolean` |`false` |v0.2.7 |If true, the parser does not throw any exception.|
|smartLists |`boolean` |`false` |v0.2.8 |If true, use smarter list behavior than those found in `markdown.pl`.| |smartLists |`boolean` |`false` |v0.2.8 |If true, use smarter list behavior than those found in `markdown.pl`.|

12
lib/marked.js
View File

@ -434,7 +434,7 @@ Lexer.prototype.token = function(src, top) {
: 'html', : 'html',
pre: !this.options.sanitizer pre: !this.options.sanitizer
&& (cap[1] === 'pre' || cap[1] === 'script' || cap[1] === 'style'), && (cap[1] === 'pre' || cap[1] === 'script' || cap[1] === 'style'),
text: cap[0] text: this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]
}); });
continue; continue;
} }
@ -850,7 +850,7 @@ InlineLexer.prototype.output = function(src) {
if (cap = this.rules.text.exec(src)) { if (cap = this.rules.text.exec(src)) {
src = src.substring(cap[0].length); src = src.substring(cap[0].length);
if (this.inRawBlock) { if (this.inRawBlock) {
out += this.renderer.text(cap[0]); out += this.renderer.text(this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]);
} else { } else {
out += this.renderer.text(escape(this.smartypants(cap[0]))); out += this.renderer.text(escape(this.smartypants(cap[0])));
} }
@ -1539,6 +1539,12 @@ function findClosingBracket(str, b) {
return -1; return -1;
} }
function checkSanitizeDeprecation(opt) {
if (opt && opt.sanitize && !opt.silent) {
console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.7.0, should not be used and will be removed in the future. Read more here: https://marked.js.org/#/USING_ADVANCED.md#options');
}
}
/** /**
* Marked * Marked
*/ */
@ -1560,6 +1566,7 @@ function marked(src, opt, callback) {
} }
opt = merge({}, marked.defaults, opt || {}); opt = merge({}, marked.defaults, opt || {});
checkSanitizeDeprecation(opt);
var highlight = opt.highlight, var highlight = opt.highlight,
tokens, tokens,
@ -1624,6 +1631,7 @@ function marked(src, opt, callback) {
} }
try { try {
if (opt) opt = merge({}, marked.defaults, opt); if (opt) opt = merge({}, marked.defaults, opt);
checkSanitizeDeprecation(opt);
return Parser.parse(Lexer.lex(src, opt), opt); return Parser.parse(Lexer.lex(src, opt), opt);
} catch (e) { } catch (e) {
e.message += '\nPlease report this to https://github.com/markedjs/marked.'; e.message += '\nPlease report this to https://github.com/markedjs/marked.';

5
test/specs/run-spec.js
View File

@ -16,6 +16,10 @@ function runSpecs(title, dir, showCompletionTable, options) {
spec.options = Object.assign({}, options, (spec.options || {})); spec.options = Object.assign({}, options, (spec.options || {}));
const example = (spec.example ? ' example ' + spec.example : ''); const example = (spec.example ? ' example ' + spec.example : '');
const passFail = (spec.shouldFail ? 'fail' : 'pass'); const passFail = (spec.shouldFail ? 'fail' : 'pass');
if (spec.options.sanitizer) {
// eslint-disable-next-line no-eval
spec.options.sanitizer = eval(spec.options.sanitizer);
}
(spec.only ? fit : it)('should ' + passFail + example, () => { (spec.only ? fit : it)('should ' + passFail + example, () => {
const before = process.hrtime(); const before = process.hrtime();
if (spec.shouldFail) { if (spec.shouldFail) {
@ -40,3 +44,4 @@ runSpecs('CommonMark', './commonmark', true, { headerIds: false });
runSpecs('Original', './original', false, { gfm: false }); runSpecs('Original', './original', false, { gfm: false });
runSpecs('New', './new'); runSpecs('New', './new');
runSpecs('ReDOS', './redos'); runSpecs('ReDOS', './redos');
runSpecs('Security', './security', false, { silent: true }); // silent - do not show deprecation warning

6
test/specs/security/sanitizer_bypass.html Normal file
View File

@ -0,0 +1,6 @@
<p>AAA&lt;script&gt; &lt;img &lt;script&gt; src=x onerror=alert(1) /&gt;BBB</p>
<p>AAA&lt;sometag&gt; &lt;img &lt;sometag&gt; src=x onerror=alert(1)BBB</p>
<p>&lt;a&gt;a2&lt;a2t&gt;a2&lt;/a&gt; b &lt;c&gt;c&lt;/c&gt; d</p>
<h1 id="text"><img src="URL" alt="text"></h1>

9
test/specs/security/sanitizer_bypass.md Normal file
View File

@ -0,0 +1,9 @@
---
sanitize: true
---
AAA<script> <img <script> src=x onerror=alert(1) />BBB
AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB
<a>a2<a2t>a2</a> b <c>c</c> d
# ![text](URL)

2
test/specs/security/sanitizer_bypass_remove_generic.html Normal file
View File

@ -0,0 +1,2 @@
<p>a2a2 b c d</p>
<h1 id="text"><img src="URL" alt="text"></h1>

6
test/specs/security/sanitizer_bypass_remove_generic.md Normal file
View File

@ -0,0 +1,6 @@
---
sanitize: true
sanitizer: () => ''
---
<a>a2<a2t>a2</a> b <c>c</c> d
# ![text](URL)

1
test/specs/security/sanitizer_bypass_remove_script.html Normal file
View File

@ -0,0 +1 @@
<p>AAA</p>

5
test/specs/security/sanitizer_bypass_remove_script.md Normal file
View File

@ -0,0 +1,5 @@
---
sanitize: true
sanitizer: () => ''
---
AAA<script> <img <script> src=x onerror=alert(1) />BBB

1
test/specs/security/sanitizer_bypass_remove_tag.html Normal file
View File

@ -0,0 +1 @@
<p>AAA &lt;img src=x onerror=alert(1)BBB</p>

5
test/specs/security/sanitizer_bypass_remove_tag.md Normal file
View File

@ -0,0 +1,5 @@
---
sanitize: true
sanitizer: () => ''
---
AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB