goodcui / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

No error messages for removed IFRAME tags. Childless IFRAME, SCRIPT, LINK tags always removed despite policy configuration. #44

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I was looking for ways to throw an exception on a validation failure (ie
remove or truncate).  I was hoping that all validation failures would be
logged to errorMessages, but this does not seem to be the case. 
Specifically, the anchor tag below throws an exception but the iframe tag
does not.  

Exception from line 5
<a href="javascript:alert('hacked!');">click me</a>

No Exception
<iframe src='http://www.google.com'></iframe>

1.    AntiSamy antiSamy = new AntiSamy();
2.    CleanResults cleanResults = antiSamy.scan(canonical, SLASHDOT_POLICY);
3.
4.    if(!cleanResults.getErrorMessages().isEmpty()) {
5.        throw getException(name);
6.    }

After further testing, it seems that iframe, link, and script tags without
child nodes are removed without an error message.  Specifically, these tags
are not in the allowedEmptyTags array, so they are nuked.  This also means
that these tags will always be removed despite the policy setting.

No Error Message
<iframe src='http://www.hacker.com/fishing.html'></iframe>
<link rel="stylesheet" type="text/css"
href="http://www.hacker.com/takeover.css"/>
<script src='http://www.hacker.com/takeover.js'></script>

Error Message
<iframe src='http://www.hacker.com/fishing.html'>&nbsp;</iframe>
<script src='http://www.hacker.com/takeover.js'>&nbsp;</script>

Original issue reported on code.google.com by wmlu...@gmail.com on 13 May 2009 at 6:07

GoogleCodeExporter commented 9 years ago

Original comment by arshan.d...@gmail.com on 11 Jun 2009 at 1:18

GoogleCodeExporter commented 9 years ago

Original comment by arshan.d...@gmail.com on 11 Jun 2009 at 1:18

GoogleCodeExporter commented 9 years ago
I also noticed that if I included the AntiSamy-bin.1.3.jar from inside the
AntiSamyDemoWarApp.war that it worked correctly.  Script injections were 
correctly
flagged as errors.  

Doing a diff on the two jar files shows that something was changed in
AntiSamyDOMScanner AntiSamy and Policy.  I wonder if the jar included in
AntiSamyDemoWarApp was a pre-release of 1.3 or a more current build since 1.3.

Original comment by cam.morris@gmail.com on 2 Jul 2009 at 5:07

GoogleCodeExporter commented 9 years ago
I have some additional junit tests that I was using to debug (Attached).  Maybe 
this
can help.

Original comment by cam.morris@gmail.com on 2 Jul 2009 at 5:09

Attachments:

GoogleCodeExporter commented 9 years ago
I just checked out from subversion the latest and re-ran the tests and they 
still
fail.  So I'm assuming that the version inside of the AntiSamyDemoWarApp is a
pre-release version of 1.3

Original comment by cam.morris@gmail.com on 2 Jul 2009 at 8:11

GoogleCodeExporter commented 9 years ago
One more note.  The 1.2 build of antisamy works correctly for this issue also.

Original comment by cam.morris@gmail.com on 2 Jul 2009 at 8:27

GoogleCodeExporter commented 9 years ago

Original comment by arshan.d...@gmail.com on 3 Aug 2009 at 2:50

GoogleCodeExporter commented 9 years ago

Original comment by arshan.d...@gmail.com on 3 Aug 2009 at 3:16

GoogleCodeExporter commented 9 years ago
How has this been fixed?  I didn't see any related check-ins while browsing the
repository.

Original comment by wmlu...@gmail.com on 17 Aug 2009 at 6:36

GoogleCodeExporter commented 9 years ago
This does appear to be a real issue, can it be reopened?

Original comment by lanc...@gmail.com on 3 Sep 2009 at 10:14

GoogleCodeExporter commented 9 years ago
Yes I agree that this is still an issue.  I made my own build to get around it. 
 I
just commented out where empty elements are removed in AntiSamyDOMScanner.  
Attached
is the diff if you want to do the same.

Original comment by cam.morris@gmail.com on 3 Sep 2009 at 10:35

Attachments:

GoogleCodeExporter commented 9 years ago
There is another issue, if you try and clean the fragment:

<iframe src="http://www.google.com></frame>

It will show no errors, but the clean string returned is an empty string.  The 
reason
it is not showing errors is that string is parses to an empty dom object it 
looks
like so then the AntiSamyDOMScanner never gets to look at it.  That string will 
still
render as an iframe however so it should show as an error

Original comment by lanc...@gmail.com on 15 Sep 2009 at 4:43