treehouse
/
mastodon
19
8
Fork 5
Code Issues 32 Pull Requests Projects 1 Releases Wiki Activity

Improve HTML/Markdown sanitization #14

New Issue
Open
opened 2022-11-16 16:03:51 +00:00 by fox · 3 comments
fox commented 2022-11-16 16:03:51 +00:00
Owner

The recent exploit required HTML formatting. Glitch has an open issue for Markdown rendering. Other vulnerabilities likely exist.

Removing the option to create posts in HTML/Markdown is trivial, but to disable rendering recieved HTML/Markdown posts is much more integrated.

Perhaps the ability to toggle HTML/Markdown formatting instance wide is an upstream feature request. Disabling these features also breaks previously formatted posts (it will look the same as sending HTML formatting to an instance that does not support HTML formatting).

The recent exploit required HTML formatting. Glitch has an open issue for Markdown rendering. Other vulnerabilities likely exist. Removing the option to create posts in HTML/Markdown is trivial, but to disable rendering recieved HTML/Markdown posts is much more integrated. Perhaps the ability to toggle HTML/Markdown formatting instance wide is an upstream feature request. Disabling these features also breaks previously formatted posts (it will look the same as sending HTML formatting to an instance that does not support HTML formatting).
kouhai commented 2022-11-16 17:18:53 +00:00
Owner

I use markdown formatting a lot, so disabling markdown is a "won't fix". However, it's probably worth looking into better sanitization.

I use markdown formatting a lot, so disabling markdown is a "won't fix". However, it's probably worth looking into better sanitization.
kouhai changed title from Disable HTML and Markdown Formatting to Improve HTML/Markdown sanitization 2022-11-16 17:19:21 +00:00
fox commented 2022-11-16 17:57:20 +00:00
Poster
Owner

I am not against Markdown (I'd prefer others to beta test 😅).

HTML I'd hope to deprecate.

The PoC of the last exploit looked scary by stealing autofill passwords, but much more was possible. They could inject iframes. The vulnerability was only in Glitch, but upstream Mastodon fixed it--which makes me question Glitch.

I am not against Markdown (I'd prefer others to beta test 😅). HTML I'd hope to deprecate. The PoC of the last exploit looked scary by stealing autofill passwords, but much more was possible. They could inject iframes. The vulnerability was only in Glitch, but upstream Mastodon fixed it--which makes me question Glitch.
eureka commented 2022-11-17 17:32:50 +00:00
Owner

We discussed this on Discord briefly, so just recapping: I think the best route here is to entity encode the entire non-text (excluding "safe" symbol) input before doing Markdown processing. Doing sanitiziation is prone to errors and corner cases, even if we use a full blown HTML parser to do it. A lot of injection bugs rely on malformed tags to escape parser-based sanitization, so just forbidding them from appearing unencoded seems like the best route. This does bloat the size of the toot data, but it seems worthwhile.

We discussed this on Discord briefly, so just recapping: I think the best route here is to entity encode the entire non-text (excluding "safe" symbol) input before doing Markdown processing. Doing sanitiziation is prone to errors and corner cases, even if we use a full blown HTML parser to do it. A lot of injection bugs rely on malformed tags to escape parser-based sanitization, so just forbidding them from appearing unencoded seems like the best route. This does bloat the size of the toot data, but it seems worthwhile.
👍 1
fox added the
type/enhancement
tag/help wanted
priority/3.low
 labels 2022-12-03 15:36:50 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
streaming-builds
th-new
lolsob-rspec
that-one-spammer
test-faster-builds
main-unfiltered
treehouse-vagrant
fix/password-length
roof/22-11-24-misc
glitch/v1.2.2
glitch/v1.2.1
glitch/v1.2
glitch/v1.1.2
glitch/v1.1.1
glitch/v1.1
glitch/v1.0
glitch/v0.9.9
glitch/v0.9
glitch/v0.8
glitch/v0.7
glitch/v0.6
glitch/v0.1.2
glitch/v0.1.1
glitch/v0.1.0
Labels
Clear labels
  
area/i18n

Internationalization   
area/infrastructure

Infrastructure and operations   
area/moderation & safety
   
area/ux

User experience   
priority/1.high
   
priority/2.medium
   
priority/3.low
   
tag/upstream issue

This issue should be filed against upstream   
tag/duplicate

This issue or pull request already exists   
tag/help wanted

Feedback and pull requests welcome!   
tag/invalid

Something is wrong   
tag/won't fix

This won't be fixed   
type/bug

Something is not working   
type/enhancement

New feature   
type/question

More information is needed
No Label
area/i18n
area/infrastructure
area/moderation & safety
area/ux
priority/1.high
priority/2.medium
priority/3.low
tag/upstream issue
tag/duplicate
tag/help wanted
tag/invalid
tag/won't fix
type/bug
type/enhancement
type/question
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: treehouse/mastodon#14
There is no content yet.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?