AngleSharp / AngleSharp.Css

:angel: Library to enable support for cascading stylesheets in AngleSharp.
https://anglesharp.github.io
MIT License

Parametrize HTTP requests behavior on CSS import rules #113

Closed spassarop closed 9 months ago

spassarop commented 2 years ago

New Feature Proposal

Description

AngleSharp has its own browsing context manipulation capabilities, which disable redirections by default, for example, but you can even enable them again with a custom Setup method. I thought this was used when requesting imported style sheets, but it has no effect. Reading the code, I take it AngleSharp.Css uses other methods that do not involve the browsing context stored in the CssParser when using ParseStyleSheetAsync.

The code I use is something like this (actual complete code is here):

ICssStyleSheet styleSheet = parser.ParseStyleSheet("SOME CSS WITH IMPORT RULE");
using (Task<IDocument> documentTask = styleSheet.Context.OpenAsync(req => req.Content(styleSheet.ToCss())))
{
    documentTask.Wait();
    IDocument document = documentTask.Result;
    styleSheet.SetOwner(document.DocumentElement);
}
using (Task<ICssStyleSheet> styleSheetTask = parser.ParseStyleSheetAsync(styleSheet, CancellationToken.None))
{
    styleSheetTask.Wait();
    styleSheet = styleSheetTask.Result;
}
// PROCESS styleSheet...

The associated Context is defined in the parser like this:

IBrowsingContext browsingContext = BrowsingContext.New(Configuration.Default
    .WithCss()
    .With(new DefaultHttpRequester(userAgent: null, setup: SetupHttpRequest))
    .WithDefaultLoader(new LoaderOptions { 
        IsResourceLoadingEnabled = true,
        IsNavigationDisabled = true
    }));
parser = new CssParser(NOT_RELEVANT_OPTIONS, browsingContext);

private void SetupHttpRequest(HttpWebRequest httpWebRequest)
{
    httpWebRequest.Timeout = SOME_TIMEOUT;
    httpWebRequest.AllowAutoRedirect = false;
}

As per the current AngleSharp Default configuration, I would not need to set AllowAutoRedirect to false, from what I understand. Anyway, when running ParseStyleSheetAsync, the imports are resolved and the SetupHttpRequest auxiliary method is executed for each request, but if the URL results in a redirection, it is followed. I've set up a Python HTTP server with redirects to emulate this.

What I propose is to add the capability of configuring the HTTP request behavior so anyone could set the request timeout, disable redirects, etc., which is what I was expecting when defining a browsing context.

Background

I came to this scenario because of situations when the component just issues HTTP requests to a controlled URL which makes the client redirect to an arbitrary different URL. That would categorize as an SSRF vulnerability. Even though it is not the responsibility of AngleSharp.Css to eliminate this scenario, it can help prevent it. In my case, controlling the timeouts is also a need.

If I'm misusing the library, then an example of code on how to address this need will be sufficient, and this feature request can be discarded.

Specification

Sorry, I did not understand whether this applies to my request.
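
A loopback redirect probe of the kind the report above mentions, as an added example that is not part of the original issue or of AngleSharp: it records every path requested, so a test can tell whether a client followed the redirect hop. The paths, function names and the two reference clients are assumptions made for this example.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class RedirectProbe(BaseHTTPRequestHandler):
    """Constructed for this example: /import.css answers 302 to /internal.css; all paths are recorded."""

    def do_GET(self):
        self.server.hits.append(self.path)
        if self.path == "/import.css":
            self.send_response(302)
            self.send_header("Location", "/internal.css")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"p { color: red }"
        self.send_response(200)
        self.send_header("Content-Type", "text/css")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass

def start_probe():
    """Start the probe on an ephemeral loopback port and return the server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RedirectProbe)
    server.hits = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_without_redirects(port):
    """http.client never follows redirects, so the 302 itself is returned."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/import.css")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def fetch_with_redirects(port):
    """urllib follows redirects by default; proxies are disabled for loopback."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://127.0.0.1:{port}/import.css", timeout=5) as resp:
        return resp.status, resp.read()
```

To check a stylesheet loader, point an `@import` rule at the probe's `/import.css` and inspect `server.hits` afterwards: an entry for `/internal.css` means the redirect was followed.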

FlorianRappl commented 9 months ago

Hm, not sure this is still accurate.

  1. I think this is rather an AngleSharp issue than an AngleSharp.Css issue
  2. The intercept possibility allows you to intercept calls (this is done via the Filter property using the LoaderOptions)

Maybe I am wrong on this? I'll close it for now. Feel free to comment / bring this up again.