Improve Blob/File/MediaSource handling

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!

https://lavamoat.github.io/snow/demo/

MIT License

102 stars 9 forks source link

Improve Blob/File/MediaSource handling #88

Closed weizman closed 1 year ago

weizman commented 1 year ago

This PR addresses #87 (see https://github.com/LavaMoat/snow/pull/88#issuecomment-1586267487) but ended up being more complicated...

Follow comments below in this PR by order for ctx, but to sum things up:

Making URL objects out of blobs/files is not longer fully forbidden.
If you use JS to create a blob, you can turn it into a URL object only if it is in the blob-types whitelist.
However, if you take a native blob (as a result of a fetch response for example) you can turn it into a URL object with no limitations.
- This allows attackers to fetch malicious content and turn into a Blob, which is why Snow must be integrated with strong cross origin CSP
Also, this opens up @arxenix awesome bypass https://github.com/LavaMoat/snow/pull/45#issuecomment-1368517357, therefore Worker protection was also introduced at #89

weizman commented 1 year ago

Currently this is only a PoC, which will probably end up quite similar to this. I,

made sure to not only hook Blob/File/MediaSource constructor but to also make sure they inherit the prototypes of the original constructors (this solves the issue seen on whatwg-fetch - see #87 section#1)
made sure Blobs/Files/MediaSources that are created are saved into an array, so when someone is trying to make a URL object out of them, they are being verified to be known against that array (this solves #87 section#2)
no longer disallowing all types of blobs to URL objects - from now on we allow specific whitelisted types (e.g. no reason to disallow text/javascript as those cannot serve an iframe)

weizman commented 1 year ago

refactored blobs and url creation hooks to look better
still needs to:
- make error handling clearer
- write more tests to test new and more complex logic
- test against popular sites

weizman commented 1 year ago

PROBLEM: This implementation reopens @arxenix brilliant bypass so this work isn't done yet.

weizman commented 1 year ago

revert 3dbc5aa test improvement, so I could handle this correctly on a different PR #89

weizman commented 1 year ago

Merged Worker protection so this solution is actually hermetic ac7a51a (this addresses https://github.com/LavaMoat/snow/pull/88#issuecomment-1587182457)

weizman commented 1 year ago

Update, had to change direction a bit 6ee2c98 Some apps do expect to be able to fetch a resource as a native Blob and use JS to turn it into a URL obj (which I decided to block). Therefore, instead of having an allowed-blobs list so that only JS crafted blobs are allowed to become URL objs, new approach differentiate "artificial blobs" (blobs made with JS) vs "native blobs" (blobs fetched remotely and handed by the browser). If a blob is artificial, only allow it to become a URL object if its type is in the types whitelist. If a blob is native, let it do whatever it wants. This allows attackers to use XHR to fetch the malicious HTML they want as a blob and turn it into an object URL easily - which is just another reason why we MUST promote Snow as a solution that is almost irrelevant without CSP...