From 212dbf00d3613f5c21cfe2efba871f0419dd0797 Mon Sep 17 00:00:00 2001
From: "Martin.Blapp"
Date: Fri, 16 Nov 2018 15:51:20 +0100
Subject: [PATCH 1/5] Rework Pullrequest #122, avoid xss false positives starting with 'on.*'
---
 src/libinjection_xss.c | 93 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 90 insertions(+), 3 deletions(-)
diff --git a/src/libinjection_xss.c b/src/libinjection_xss.c
index f0df4d84..53d0dbaf 100644
--- a/src/libinjection_xss.c
+++ b/src/libinjection_xss.c
@@ -135,6 +135,86 @@ static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
 }
 }
+/*
+ * view-source:
+ * data:
+ * javascript:
+ * events:
+ */
+static stringtype_t BLACKATTREVENT[] = {
+ { "ONBEFOREUNLOAD", TYPE_BLACK }
+ , { "ONERROR", TYPE_BLACK }
+ , { "ONHASHCHANGE", TYPE_BLACK }
+ , { "ONLOAD", TYPE_BLACK }
+ , { "ONMESSAGE", TYPE_BLACK }
+ , { "ONOFFLINE", TYPE_BLACK }
+ , { "ONONLINE", TYPE_BLACK }
+ , { "ONPAGEHIDE", TYPE_BLACK }
+ , { "ONPAGESHOW", TYPE_BLACK }
+ , { "ONPOPSTATE", TYPE_BLACK }
+ , { "ONRESIZE", TYPE_BLACK }
+ , { "ONSTORAGE", TYPE_BLACK }
+ , { "ONUNLOAD", TYPE_BLACK }
+ , { "ONBLUR", TYPE_BLACK }
+ , { "ONCHANGE", TYPE_BLACK }
+ , { "ONCONTEXTMENU", TYPE_BLACK }
+ , { "ONFOCUS", TYPE_BLACK }
+ , { "ONINPUT", TYPE_BLACK }
+ , { "ONINVALID", TYPE_BLACK }
+ , { "ONRESET", TYPE_BLACK }
+ , { "ONSEARCH", TYPE_BLACK }
+ , { "ONSELECT", TYPE_BLACK }
+ , { "ONSUBMIT", TYPE_BLACK }
+ , { "ONKEYDOWN", TYPE_BLACK }
+ , { "ONKEYPRESS", TYPE_BLACK }
+ , { "ONKEYUP", TYPE_BLACK }
+ , { "ONCLICK", TYPE_BLACK }
+ , { "ONDBLCLICK", TYPE_BLACK }
+ , { "ONMOUSEDOWN", TYPE_BLACK }
+ , { "ONMOUSEMOVE", TYPE_BLACK }
+ , { "ONMOUSEOUT", TYPE_BLACK }
+ , { "ONMOUSEOVER", TYPE_BLACK }
+ , { "ONMOUSEUP", TYPE_BLACK }
+ , { "ONMOUSEWHEEL", TYPE_BLACK }
+ , { "ONWHEEL", TYPE_BLACK }
+ , { "ONDRAG", TYPE_BLACK }
+ , { "ONDRAGEND", TYPE_BLACK }
+ , { "ONDRAGENTER", TYPE_BLACK }
+ , { "ONDRAGLEAVE", TYPE_BLACK }
+ , { "ONDRAGOVER", TYPE_BLACK }
+ , { "ONDRAGSTART", TYPE_BLACK }
+ , { "ONDROP", TYPE_BLACK }
+ , { "ONSCROLL", TYPE_BLACK }
+ , { "ONCOPY", TYPE_BLACK }
+ , { "ONCUT", TYPE_BLACK }
+ , { "ONPASTE", TYPE_BLACK }
+ , { "ONABORT", TYPE_BLACK }
+ , { "ONCANPLAY", TYPE_BLACK }
+ , { "ONCANPLAYTHROUGH", TYPE_BLACK }
+ , { "ONCUECHANGE", TYPE_BLACK }
+ , { "ONDURATIONCHANGE", TYPE_BLACK }
+ , { "ONEMPTIED", TYPE_BLACK }
+ , { "ONENDED", TYPE_BLACK }
+ , { "ONERROR", TYPE_BLACK }
+ , { "ONLOADEDDATA", TYPE_BLACK }
+ , { "ONLOADEDMETADATA", TYPE_BLACK }
+ , { "ONLOADSTART", TYPE_BLACK }
+ , { "ONPAUSE", TYPE_BLACK }
+ , { "ONPLAY", TYPE_BLACK }
+ , { "ONPLAYING", TYPE_BLACK }
+ , { "ONPROGRESS", TYPE_BLACK }
+ , { "ONRATECHANGE", TYPE_BLACK }
+ , { "ONSEEKED", TYPE_BLACK }
+ , { "ONSEEKING", TYPE_BLACK }
+ , { "ONSTALLED", TYPE_BLACK }
+ , { "ONSUSPEND", TYPE_BLACK }
+ , { "ONTIMEUPDATE", TYPE_BLACK }
+ , { "ONVOLUMECHANGE", TYPE_BLACK }
+ , { "ONWAITING", TYPE_BLACK }
+ , { "ONAFTERPRINT", TYPE_BLACK }
+ , { "ONBEFOREPRINT", TYPE_BLACK }
+ , { NULL, TYPE_NONE }
+};
 /*
 * view-source:
@@ -341,10 +421,17 @@ static attribute_t is_black_attr(const char* s, size_t len)
 }
 if (len >= 5) {
- /* JavaScript on.* */
+
+ /* JavaScript on.* event handlers */
 if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
- /* printf("Got JavaScript on- attribute name\n"); */
- return TYPE_BLACK;
+ black = BLACKATTREVENT;
+ while (black->name != NULL) {
+ if (cstrcasecmp_with_null(black->name, s, len) == 0) {
+ /* printf("Got banned attribute name %s\n", black->name); */
+ return black->atype;
+ }
+ black += 1;
+ }
 }
From 11191aa19ca8e5605c82b6a202b10c31e4b49478 Mon Sep 17 00:00:00 2001
From: "Martin.Blapp"
Date: Fri, 16 Nov 2018 16:17:50 +0100
Subject: [PATCH 2/5] Fix compare length
---
 src/libinjection_xss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libinjection_xss.c b/src/libinjection_xss.c
index 53d0dbaf..1e1c703a 100644
--- a/src/libinjection_xss.c
+++ b/src/libinjection_xss.c
@@ -426,7 +426,7 @@ static attribute_t is_black_attr(const char* s, size_t len)
 if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
 black = BLACKATTREVENT;
 while (black->name != NULL) {
- if (cstrcasecmp_with_null(black->name, s, len) == 0) {
+ if (cstrcasecmp_with_null(black->name, s, strlen(black->name)) == 0) {
 /* printf("Got banned attribute name %s\n", black->name); */
 return black->atype;
 }
From 333897e0dba1174ccc2c6163383b7a365881ecb2 Mon Sep 17 00:00:00 2001
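Review bot: The header comment placed above BLACKATTREVENT (`view-source:` / `data:` / `javascript:` / `events:`) is copied from the neighbouring table and lists URL schemes this table does not contain, which will mislead the next reader about what the entries are. Replace it with a comment that states the contents and the matching rule, e.g. `/* HTML event-handler attribute names (on*), upper-case; matched case-insensitively by is_black_attr() */`. The two context lines after `+};` show the original comment continues for the next table, so the new comment must stay separate from it.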
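Review bot: Replacing the unconditional `return TYPE_BLACK` for `on*` attribute names with a walk over BLACKATTREVENT turns every handler absent from the table into a bypass: when the while loop ends without a match, control falls out of the `if` and is_black_attr() presumably continues as it would for a harmless attribute (its remaining body is outside the hunk), so `onpointerover`, `onanimationstart`, `ontransitionend`, `ontouchstart`, `onfocusin`, `onauxclick` and the SVG `onbegin` are no longer flagged. Event-handler attributes are an open-ended set that browsers keep extending, so a list of names to block can only catch the handlers someone remembered to add. If the intent is only to stop false positives on specific non-handler attributes that happen to start with `on` (the subject line mentions them but the hunk shows no example), the fail-closed shape is to keep `return TYPE_BLACK;` as the default and consult a short list of known-benign `on*` names that return TYPE_NONE, so an omission in the list is a false positive rather than a missed payload.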
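Review bot: Passing `strlen(black->name)` as the length makes the comparison read that many bytes of `s` even when the attribute name is shorter than the table entry — a 5-byte `onabo` is compared against "ONABORT" (7 bytes) — so if cstrcasecmp_with_null() uses its third argument as the byte count of `s`, as its name and the original `len` argument suggest, this reads past the end of the caller's attribute, and the input to this API is not NUL-terminated. Bound the length before comparing: `size_t n = strlen(black->name);` / `if (n <= len && cstrcasecmp_with_null(black->name, s, n) == 0) {`. This change also turns the lookup into a prefix match (`onloadend` now matches ONLOAD); if that is intended it deserves a comment such as `/* prefix match: longer handler names sharing a listed prefix are also blocked */`, and if not, the original `len` was the exact-match form. is_black_attr() starts and ends outside the hunk.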
From: "Martin.Blapp"
Date: Fri, 16 Nov 2018 16:45:18 +0100
Subject: [PATCH 3/5] Add missing events
---
 src/libinjection_xss.c | 96 +++++++++++++++++++++++------------------
 1 file changed, 53 insertions(+), 43 deletions(-)
diff --git a/src/libinjection_xss.c b/src/libinjection_xss.c
index 1e1c703a..e6d9095a 100644
--- a/src/libinjection_xss.c
+++ b/src/libinjection_xss.c
@@ -142,77 +142,87 @@ static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
 * events:
 */
 static stringtype_t BLACKATTREVENT[] = {
- { "ONBEFOREUNLOAD", TYPE_BLACK }
- , { "ONERROR", TYPE_BLACK }
- , { "ONHASHCHANGE", TYPE_BLACK }
- , { "ONLOAD", TYPE_BLACK }
- , { "ONMESSAGE", TYPE_BLACK }
- , { "ONOFFLINE", TYPE_BLACK }
- , { "ONONLINE", TYPE_BLACK }
- , { "ONPAGEHIDE", TYPE_BLACK }
- , { "ONPAGESHOW", TYPE_BLACK }
- , { "ONPOPSTATE", TYPE_BLACK }
- , { "ONRESIZE", TYPE_BLACK }
- , { "ONSTORAGE", TYPE_BLACK }
- , { "ONUNLOAD", TYPE_BLACK }
+ { "ONABORT", TYPE_BLACK }
+ , { "ONACTIVATE, TYPE_BLACK }
+ , { "ONAFTERPRINT", TYPE_BLACK }
+ , { "ONBEFOREACTIVATE, TYPE_BLACK }
+ , { "ONBEFOREPRINT", TYPE_BLACK }
+ , { "ONBEFOREUNLOAD", TYPE_BLACK }
 , { "ONBLUR", TYPE_BLACK }
+ , { "ONCANPLAYTHROUGH", TYPE_BLACK }
+ , { "ONCANPLAY", TYPE_BLACK }
 , { "ONCHANGE", TYPE_BLACK }
- , { "ONCONTEXTMENU", TYPE_BLACK }
- , { "ONFOCUS", TYPE_BLACK }
- , { "ONINPUT", TYPE_BLACK }
- , { "ONINVALID", TYPE_BLACK }
- , { "ONRESET", TYPE_BLACK }
- , { "ONSEARCH", TYPE_BLACK }
- , { "ONSELECT", TYPE_BLACK }
- , { "ONSUBMIT", TYPE_BLACK }
- , { "ONKEYDOWN", TYPE_BLACK }
- , { "ONKEYPRESS", TYPE_BLACK }
- , { "ONKEYUP", TYPE_BLACK }
 , { "ONCLICK", TYPE_BLACK }
+ , { "ONCONTEXTMENU", TYPE_BLACK }
+ , { "ONCOPY", TYPE_BLACK }
+ , { "ONCUECHANGE", TYPE_BLACK }
+ , { "ONCUT", TYPE_BLACK }
 , { "ONDBLCLICK", TYPE_BLACK }
- , { "ONMOUSEDOWN", TYPE_BLACK }
- , { "ONMOUSEMOVE", TYPE_BLACK }
- , { "ONMOUSEOUT", TYPE_BLACK }
- , { "ONMOUSEOVER", TYPE_BLACK }
- , { "ONMOUSEUP", TYPE_BLACK }
- , { "ONMOUSEWHEEL", TYPE_BLACK }
- , { "ONWHEEL", TYPE_BLACK }
- , { "ONDRAG", TYPE_BLACK }
 , { "ONDRAGEND", TYPE_BLACK }
 , { "ONDRAGENTER", TYPE_BLACK }
 , { "ONDRAGLEAVE", TYPE_BLACK }
 , { "ONDRAGOVER", TYPE_BLACK }
 , { "ONDRAGSTART", TYPE_BLACK }
+ , { "ONDRAG", TYPE_BLACK }
 , { "ONDROP", TYPE_BLACK }
- , { "ONSCROLL", TYPE_BLACK }
- , { "ONCOPY", TYPE_BLACK }
- , { "ONCUT", TYPE_BLACK }
- , { "ONPASTE", TYPE_BLACK }
- , { "ONABORT", TYPE_BLACK }
- , { "ONCANPLAY", TYPE_BLACK }
- , { "ONCANPLAYTHROUGH", TYPE_BLACK }
- , { "ONCUECHANGE", TYPE_BLACK }
 , { "ONDURATIONCHANGE", TYPE_BLACK }
 , { "ONEMPTIED", TYPE_BLACK }
 , { "ONENDED", TYPE_BLACK }
+ , { "ONERROR, TYPE_BLACK }
 , { "ONERROR", TYPE_BLACK }
+ , { "ONERROR", TYPE_BLACK }
+ , { "ONFOCUS", TYPE_BLACK }
+ , { "ONFORMCHANGE, TYPE_BLACK }
+ , { "ONFORMINPUT, TYPE_BLACK }
+ , { "ONHASHCHANGE", TYPE_BLACK }
+ , { "ONINPUT", TYPE_BLACK }
+ , { "ONINVALID", TYPE_BLACK }
+ , { "ONKEYDOWN", TYPE_BLACK }
+ , { "ONKEYPRESS", TYPE_BLACK }
+ , { "ONKEYUP", TYPE_BLACK }
 , { "ONLOADEDDATA", TYPE_BLACK }
 , { "ONLOADEDMETADATA", TYPE_BLACK }
 , { "ONLOADSTART", TYPE_BLACK }
+ , { "ONLOAD", TYPE_BLACK }
+ , { "ONMESSAGE", TYPE_BLACK }
+ , { "ONMOUSEDOWN", TYPE_BLACK }
+ , { "ONMOUSEENTER, TYPE_BLACK }
+ , { "ONMOUSELEAVE, TYPE_BLACK }
+ , { "ONMOUSEMOVE", TYPE_BLACK }
+ , { "ONMOUSEOUT", TYPE_BLACK }
+ , { "ONMOUSEOVER", TYPE_BLACK }
+ , { "ONMOUSEUP", TYPE_BLACK }
+ , { "ONMOUSEWHEEL", TYPE_BLACK }
+ , { "ONOFFLINE", TYPE_BLACK }
+ , { "ONONLINE", TYPE_BLACK }
+ , { "ONPAGEHIDE", TYPE_BLACK }
+ , { "ONPAGESHOW", TYPE_BLACK }
+ , { "ONPASTE", TYPE_BLACK }
 , { "ONPAUSE", TYPE_BLACK }
- , { "ONPLAY", TYPE_BLACK }
 , { "ONPLAYING", TYPE_BLACK }
+ , { "ONPLAY", TYPE_BLACK }
+ , { "ONPOPSTATE", TYPE_BLACK }
 , { "ONPROGRESS", TYPE_BLACK }
+ , { "ONPROPERTYCHANGE, TYPE_BLACK }
 , { "ONRATECHANGE", TYPE_BLACK }
+ , { "ONREADYSTATECHANGE, TYPE_BLACK }
+ , { "ONRESET", TYPE_BLACK }
+ , { "ONRESIZE", TYPE_BLACK }
+ , { "ONSCROLL", TYPE_BLACK }
+ , { "ONSEARCH", TYPE_BLACK }
 , { "ONSEEKED", TYPE_BLACK }
 , { "ONSEEKING", TYPE_BLACK }
+ , { "ONSELECT", TYPE_BLACK }
 , { "ONSTALLED", TYPE_BLACK }
+ , { "ONSTART, TYPE_BLACK }
+ , { "ONSTORAGE", TYPE_BLACK }
+ , { "ONSUBMIT", TYPE_BLACK }
 , { "ONSUSPEND", TYPE_BLACK }
 , { "ONTIMEUPDATE", TYPE_BLACK }
+ , { "ONUNLOAD", TYPE_BLACK }
 , { "ONVOLUMECHANGE", TYPE_BLACK }
 , { "ONWAITING", TYPE_BLACK }
- , { "ONAFTERPRINT", TYPE_BLACK }
- , { "ONBEFOREPRINT", TYPE_BLACK }
+ , { "ONWHEEL", TYPE_BLACK }
 , { NULL, TYPE_NONE }
 };
From 25a6c7ddde82ddb28ede4411b38c47fbb86bd44b Mon Sep 17 00:00:00 2001
From: "Martin.Blapp"
Date: Fri, 16 Nov 2018 16:50:08 +0100
Subject: [PATCH 4/5] Add missing quotes
---
 src/libinjection_xss.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/libinjection_xss.c b/src/libinjection_xss.c
index e6d9095a..7e84c0cc 100644
--- a/src/libinjection_xss.c
+++ b/src/libinjection_xss.c
@@ -143,9 +143,9 @@ static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
 */
 static stringtype_t BLACKATTREVENT[] = {
 { "ONABORT", TYPE_BLACK }
- , { "ONACTIVATE, TYPE_BLACK }
+ , { "ONACTIVATE", TYPE_BLACK }
 , { "ONAFTERPRINT", TYPE_BLACK }
- , { "ONBEFOREACTIVATE, TYPE_BLACK }
+ , { "ONBEFOREACTIVATE", TYPE_BLACK }
 , { "ONBEFOREPRINT", TYPE_BLACK }
 , { "ONBEFOREUNLOAD", TYPE_BLACK }
 , { "ONBLUR", TYPE_BLACK }
@@ -168,12 +168,12 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONDURATIONCHANGE", TYPE_BLACK }
 , { "ONEMPTIED", TYPE_BLACK }
 , { "ONENDED", TYPE_BLACK }
- , { "ONERROR, TYPE_BLACK }
+ , { "ONERROR", TYPE_BLACK }
 , { "ONERROR", TYPE_BLACK }
 , { "ONERROR", TYPE_BLACK }
 , { "ONFOCUS", TYPE_BLACK }
- , { "ONFORMCHANGE, TYPE_BLACK }
- , { "ONFORMINPUT, TYPE_BLACK }
+ , { "ONFORMCHANGE", TYPE_BLACK }
+ , { "ONFORMINPUT", TYPE_BLACK }
 , { "ONHASHCHANGE", TYPE_BLACK }
 , { "ONINPUT", TYPE_BLACK }
 , { "ONINVALID", TYPE_BLACK }
@@ -186,8 +186,8 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONLOAD", TYPE_BLACK }
 , { "ONMESSAGE", TYPE_BLACK }
 , { "ONMOUSEDOWN", TYPE_BLACK }
- , { "ONMOUSEENTER, TYPE_BLACK }
- , { "ONMOUSELEAVE, TYPE_BLACK }
+ , { "ONMOUSEENTER", TYPE_BLACK }
+ , { "ONMOUSELEAVE", TYPE_BLACK }
 , { "ONMOUSEMOVE", TYPE_BLACK }
 , { "ONMOUSEOUT", TYPE_BLACK }
 , { "ONMOUSEOVER", TYPE_BLACK }
@@ -203,9 +203,9 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONPLAY", TYPE_BLACK }
 , { "ONPOPSTATE", TYPE_BLACK }
 , { "ONPROGRESS", TYPE_BLACK }
- , { "ONPROPERTYCHANGE, TYPE_BLACK }
+ , { "ONPROPERTYCHANGE", TYPE_BLACK }
 , { "ONRATECHANGE", TYPE_BLACK }
- , { "ONREADYSTATECHANGE, TYPE_BLACK }
+ , { "ONREADYSTATECHANGE", TYPE_BLACK }
 , { "ONRESET", TYPE_BLACK }
 , { "ONRESIZE", TYPE_BLACK }
 , { "ONSCROLL", TYPE_BLACK }
@@ -214,7 +214,7 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONSEEKING", TYPE_BLACK }
 , { "ONSELECT", TYPE_BLACK }
 , { "ONSTALLED", TYPE_BLACK }
- , { "ONSTART, TYPE_BLACK }
+ , { "ONSTART", TYPE_BLACK }
 , { "ONSTORAGE", TYPE_BLACK }
 , { "ONSUBMIT", TYPE_BLACK }
 , { "ONSUSPEND", TYPE_BLACK }
From 92cfc51978e3bdbdc29e377cf33df4a98dd8cd34 Mon Sep 17 00:00:00 2001
From: Martin Blapp
Date: Sat, 17 Nov 2018 20:18:42 +0100
Subject: [PATCH 5/5] Cleanup
---
 src/libinjection_xss.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libinjection_xss.c b/src/libinjection_xss.c
index 7e84c0cc..1bc67ba0 100644
--- a/src/libinjection_xss.c
+++ b/src/libinjection_xss.c
@@ -149,6 +149,7 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONBEFOREPRINT", TYPE_BLACK }
 , { "ONBEFOREUNLOAD", TYPE_BLACK }
 , { "ONBLUR", TYPE_BLACK }
+ , { "ONCANCEL", TYPE_BLACK }
 , { "ONCANPLAYTHROUGH", TYPE_BLACK }
 , { "ONCANPLAY", TYPE_BLACK }
 , { "ONCHANGE", TYPE_BLACK }
@@ -169,8 +170,6 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONEMPTIED", TYPE_BLACK }
 , { "ONENDED", TYPE_BLACK }
 , { "ONERROR", TYPE_BLACK }
- , { "ONERROR", TYPE_BLACK }
- , { "ONERROR", TYPE_BLACK }
 , { "ONFOCUS", TYPE_BLACK }
 , { "ONFORMCHANGE", TYPE_BLACK }
 , { "ONFORMINPUT", TYPE_BLACK }
@@ -213,12 +212,14 @@ static stringtype_t BLACKATTREVENT[] = {
 , { "ONSEEKED", TYPE_BLACK }
 , { "ONSEEKING", TYPE_BLACK }
 , { "ONSELECT", TYPE_BLACK }
+ , { "ONSHOW", TYPE_BLACK }
 , { "ONSTALLED", TYPE_BLACK }
 , { "ONSTART", TYPE_BLACK }
 , { "ONSTORAGE", TYPE_BLACK }
 , { "ONSUBMIT", TYPE_BLACK }
 , { "ONSUSPEND", TYPE_BLACK }
 , { "ONTIMEUPDATE", TYPE_BLACK }
+ , { "ONTOGGLE", TYPE_BLACK }
 , { "ONUNLOAD", TYPE_BLACK }
 , { "ONVOLUMECHANGE", TYPE_BLACK }
 , { "ONWAITING", TYPE_BLACK }
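Review bot: The two entries added here sit in the alphabetical range where several handlers browsers actually dispatch are still absent from BLACKATTREVENT — `ONSELECTSTART`, `ONSELECTIONCHANGE`, `ONTOUCHSTART`, `ONTOUCHEND`, `ONTOUCHMOVE`, `ONTOUCHCANCEL`, `ONTRANSITIONEND` — and under the table lookup is_black_attr() now performs, each missing name is an attribute that is no longer flagged. Adding them next to ONSHOW and ONTOGGLE is a few table lines; a regression test that runs each listed name and a handful of unlisted `on*` names through is_black_attr() would let future omissions be caught rather than discovered by a bypass. The table definition starts and ends outside this hunk.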