[RFC] Make inserted marker text secure-by-default #2064
Per the documentation, Overviewer configuration authors must take special precautions to escape user-generated HTML and/or JavaScript from marker signs. In mide/minecraft-overviewer#117, we learned that:

- This detail may escape the notice of downstream packagers and server deployments.
- It is very straightforward to inject JavaScript into signs on servers where players have permission to use command blocks. It may also be possible on other servers.
Overviewer should conform to MDN's recommendations for safely inserting external content. Failure to protect against injected scripts may allow a malicious actor to gain control of other web resources on the same DNS name (i.e., via session hijacking). In all likelihood, of course, people will just make nuisances of themselves.
A small change in the way text is handled in JavaScript can eliminate the need to invoke `html.escape()` at all in Python. The Leaflet `bindPopup()` method can accept a DOM node instead of a text string. `innerHTML` assignment... To insert content safely, this patch creates a text-only DOM node that contains the marker text. Text nodes are not subject to further interpretation, and all HTML characters appear as literals. We use CSS to permit newline characters to render as line breaks. This preserves multi-line sign text if the configuration author elects to keep it.
This patch is marked RFC because there are a number of outstanding considerations not yet addressed, including:

- Documentation
- Examples
- API breakage:
  - Configurations which previously escaped text in Python will print slightly garbled, escaped output on the map. This is safe and will not error, but it will look wrong.
  - Deployments might want to insert safe HTML into the Leaflet popup. `textContent`.

In any event, we need to consider the upgrade path to the new behavior very carefully.
The following test demonstrates this PR:

1. Insert an abusive sign into a test world with Op commands:
2. Render and `--genpoi` with a configuration which
3. Test that you are protected against injection attacks by clicking on the sign marker in Leaflet.
As a bonus, this also harmonizes the look of mouseover tooltip text with the popup text itself. In the most straightforward configurations, python's escape would cause the tooltip to be garbled.
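The data flow the PR description relies on, as an added example that is not Overviewer's or Leaflet's own code: Leaflet's popup content update hands a string to `innerHTML` (so the browser parses it as HTML) but appends a DOM node untouched, which is why building a text node with `white-space: pre-line` removes the need for `html.escape()` in the config and why text that is still escaped in Python shows up garbled. The names `makeFakeDocument`, `bindPopupLike`, `makeSignPopupNode`, `escapeHtml` and `demo`, and the hostile sign text, are assumptions constructed here; the DOM stand-in only records what reaches the HTML parser, so the same functions can run offline in Node. In a browser you would pass the real `document` and hand the node to `L.marker(...).bindPopup(...)`.

```javascript
// Added example (not Overviewer or Leaflet code). Models the Leaflet popup
// contract that matters for the fix: string -> innerHTML, node -> appendChild.

// Minimal DOM stand-in, constructed for this example. It does not parse HTML;
// it only records markup that a real browser would have parsed.
function makeFakeDocument() {
  const makeElement = (tag) => {
    const el = {
      tagName: tag,
      style: {},
      childNodes: [],
      parsedHtml: null, // non-null once markup has been handed to the "parser"
      appendChild(node) { el.childNodes.push(node); return node; },
      get textContent() {
        return el.childNodes
          .map((n) => (n.data !== undefined ? n.data : n.textContent))
          .join('');
      },
      set innerHTML(markup) { // a real browser would parse and execute this
        el.parsedHtml = markup;
        el.childNodes = [];
      },
    };
    return el;
  };
  return {
    createElement: makeElement,
    createTextNode: (data) => ({ nodeType: 3, data }),
  };
}

// Stand-in for the relevant branch of Leaflet's popup content update:
// a string is assigned to innerHTML, anything else is appended as a node.
function bindPopupLike(doc, content) {
  const container = doc.createElement('div');
  if (typeof content === 'string') {
    container.innerHTML = content;
  } else {
    container.appendChild(content);
  }
  return container;
}

// Secure-by-default path: the sign text becomes a text node, so '<', '>' and
// '&' stay literal, and pre-line CSS keeps the newlines between sign lines.
function makeSignPopupNode(doc, signText) {
  const node = doc.createElement('div');
  node.style.whiteSpace = 'pre-line';
  node.appendChild(doc.createTextNode(signText));
  return node;
}

// JavaScript equivalent of Python's html.escape(), kept only to show the
// upgrade-path wart: text escaped in the config AND inserted as a text node
// is displayed with the entities visible.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Constructed sample sign: four lines, the second carrying a script tag.
const HOSTILE_SIGN = 'Welcome\n<script>alert(document.cookie)</script>\nline 3\nline 4';

function demo(doc = makeFakeDocument()) {
  const unsafe = bindPopupLike(doc, HOSTILE_SIGN);
  const safe = bindPopupLike(doc, makeSignPopupNode(doc, HOSTILE_SIGN));
  const doubleEscaped = bindPopupLike(doc, makeSignPopupNode(doc, escapeHtml(HOSTILE_SIGN)));
  return {
    unsafeReachedParser: unsafe.parsedHtml !== null, // true: script would run
    safeReachedParser: safe.parsedHtml !== null,     // false: never parsed
    safeText: safe.textContent,                      // identical to the sign
    doubleEscapedText: doubleEscaped.textContent,    // shows "&lt;script&gt;"
  };
}

console.log(demo());
```

The `doubleEscapedText` result is the "slightly garbled" output the API-breakage bullet warns about: a config that still calls `html.escape()` is safe under the text-node path, but readers see the entities rather than the characters.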