Cimbali / markdown-viewer

Markdown (.md) file viewer WebExtension for your browser.
Other
167 stars 28 forks source link

Adhere better to secure extension guidelines #72

Closed hugotiburtino closed 1 year ago

hugotiburtino commented 4 years ago

Hi, I've noticed a security issue. The conditions to process the data are not enough to prevent a malicious site to insert an script at the head or at the < pre >. I've already fixed that and you are going to receive the pull request soon.

hugotiburtino commented 4 years ago

I could insert a script at the my local extension. If you want to see how I've done that, I can send you more details or we can schedule a small meeting.

If you wonder, why I'm so interested at the extension, it is because I've created a similar one, CSS Beautifier, and I'm having the same kind of concerns you may have

Cimbali commented 4 years ago

I think the main thing we’re trying to do with this if is detect whether we already rendered the markdown. Basically the script runs on a text file, and might be triggered more than once, in which case we shouldn’t run the renderer again. I’m not sure who or what could inject javascript, since the initial file is text. If an add-on does it, that means the user especially allowed it to do that (and we’re intentionally breaking compatibility).

hugotiburtino commented 4 years ago

The initial file were supposed to be a plain text, but there is a way to deceive the extension at this version. I've invited you @Cimbali and @KeithLRobertson to a private repo, where you can see how the attack could be done.

Cimbali commented 4 years ago

I see, we perform markdown rendering on html pages that masquerade as text files displayed by firefox (i.e. html pages with a single <pre> tag).

In both cases (script in the header or within the <pre>) it’s worth noting that Firefox runs the javascript anyway, with or without the markdown rendering, as you’re really visiting a HTML page that has some javascript. So we’re not doing anything that the user isn’t already doing by visiting that page.

Your suggestion is that we shouldn’t render pages that have javascript running on them because that risks fingerprinting, right? I think we could follow (some of) the recommendations from the MDN page to which you link, but I would rather see fixes that follow these guidelines:

hugotiburtino commented 4 years ago

Indeed, following some of the official recommendations would solve the problem altogether. Alternatively, one could take some features back (like the highlight themes, that is not anyway working right now).

I'm not sure if the extension shouldn't render pages that aren't real plain texts. I've decided for now for my extension, the CSS Beautifier, not to do that, but maybe the user wants to have it beautified, even knowing that it is not a pure md file.

My security patch #73 is just a momentary solution. It is a quicker than implementing one of the MDN recommendations, and it does not lead to deleting an existing feature. But a more robust solution is needed, you are right on that.

Cimbali commented 4 years ago

Here’s how we stand on the security guidelines currently:

Cimbali commented 1 year ago

Closing this as v2 (#99) will have proper security, including rendering in an extension page instead of on an already opened page, and placing the rendered result in a sandboxed iframe.