From bdba3ff9a9f98c1605c01c0e84f6bd6ed5c3efae Mon Sep 17 00:00:00 2001
From: Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com>
Date: Tue, 13 Jul 2021 16:03:51 +0200
Subject: sanitize html for statuses + instance (#97)
* sanitize html for statuses + instance
* sanitization
---
internal/processing/account/create.go | 3 +-
internal/processing/account/update.go | 6 ++--
internal/processing/admin/createdomainblock.go | 5 +--
internal/processing/instance.go | 8 ++---
internal/processing/media/create.go | 3 +-
internal/processing/media/update.go | 3 +-
internal/processing/status/create.go | 2 +-
internal/processing/status/util.go | 6 +++-
internal/util/sanitize.go | 50 ++++++++++++++++++++++++++
9 files changed, 73 insertions(+), 13 deletions(-)
create mode 100644 internal/util/sanitize.go
(limited to 'internal')
diff --git a/internal/processing/account/create.go b/internal/processing/account/create.go
index a6bfb8a60..8b29f147f 100644
--- a/internal/processing/account/create.go
+++ b/internal/processing/account/create.go
@@ -23,6 +23,7 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
"github.com/superseriousbusiness/oauth2/v4"
)
@@ -44,7 +45,7 @@ func (p *processor) Create(applicationToken oauth2.TokenInfo, application *gtsmo
}
l.Trace("creating new username and account")
- user, err := p.db.NewSignup(form.Username, reason, p.config.AccountsConfig.RequireApproval, form.Email, form.Password, form.IP, form.Locale, application.ID)
+ user, err := p.db.NewSignup(form.Username, util.RemoveHTML(reason), p.config.AccountsConfig.RequireApproval, form.Email, form.Password, form.IP, form.Locale, application.ID)
if err != nil {
return nil, fmt.Errorf("error creating new signup in the database: %s", err)
}
diff --git a/internal/processing/account/update.go b/internal/processing/account/update.go
index 830fec60a..fbe29ac86 100644
--- a/internal/processing/account/update.go
+++ b/internal/processing/account/update.go
@@ -50,7 +50,8 @@ func (p *processor) Update(account *gtsmodel.Account, form *apimodel.UpdateCrede
if err := util.ValidateDisplayName(*form.DisplayName); err != nil {
return nil, err
}
- if err := p.db.UpdateOneByID(account.ID, "display_name", *form.DisplayName, >smodel.Account{}); err != nil {
+ displayName := util.RemoveHTML(*form.DisplayName) // no html allowed in display name
+ if err := p.db.UpdateOneByID(account.ID, "display_name", displayName, >smodel.Account{}); err != nil {
return nil, err
}
}
@@ -59,7 +60,8 @@ func (p *processor) Update(account *gtsmodel.Account, form *apimodel.UpdateCrede
if err := util.ValidateNote(*form.Note); err != nil {
return nil, err
}
- if err := p.db.UpdateOneByID(account.ID, "note", *form.Note, >smodel.Account{}); err != nil {
+ note := util.SanitizeHTML(*form.Note) // html OK in note but sanitize it
+ if err := p.db.UpdateOneByID(account.ID, "note", note, >smodel.Account{}); err != nil {
return nil, err
}
}
diff --git a/internal/processing/admin/createdomainblock.go b/internal/processing/admin/createdomainblock.go
index a9c7094e6..78c830a43 100644
--- a/internal/processing/admin/createdomainblock.go
+++ b/internal/processing/admin/createdomainblock.go
@@ -28,6 +28,7 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/id"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
)
func (p *processor) DomainBlockCreate(account *gtsmodel.Account, domain string, obfuscate bool, publicComment string, privateComment string, subscriptionID string) (*apimodel.DomainBlock, gtserror.WithCode) {
@@ -51,8 +52,8 @@ func (p *processor) DomainBlockCreate(account *gtsmodel.Account, domain string,
ID: blockID,
Domain: domain,
CreatedByAccountID: account.ID,
- PrivateComment: privateComment,
- PublicComment: publicComment,
+ PrivateComment: util.RemoveHTML(privateComment),
+ PublicComment: util.RemoveHTML(publicComment),
Obfuscate: obfuscate,
SubscriptionID: subscriptionID,
}
diff --git a/internal/processing/instance.go b/internal/processing/instance.go
index 0c1a54dc2..962b841a6 100644
--- a/internal/processing/instance.go
+++ b/internal/processing/instance.go
@@ -60,7 +60,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
if err := util.ValidateSiteTitle(*form.Title); err != nil {
return nil, gtserror.NewErrorBadRequest(err, fmt.Sprintf("site title invalid: %s", err))
}
- i.Title = *form.Title
+ i.Title = util.RemoveHTML(*form.Title) // don't allow html in site title
}
// validate & update site contact account if it's set on the form
@@ -110,7 +110,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
if err := util.ValidateSiteShortDescription(*form.ShortDescription); err != nil {
return nil, gtserror.NewErrorBadRequest(err, err.Error())
}
- i.ShortDescription = *form.ShortDescription
+ i.ShortDescription = util.SanitizeHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
}
// validate & update site description if it's set on the form
@@ -118,7 +118,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
if err := util.ValidateSiteDescription(*form.Description); err != nil {
return nil, gtserror.NewErrorBadRequest(err, err.Error())
}
- i.Description = *form.Description
+ i.Description = util.SanitizeHTML(*form.Description) // html is OK in site description, but we should sanitize it
}
// validate & update site terms if it's set on the form
@@ -126,7 +126,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
if err := util.ValidateSiteTerms(*form.Terms); err != nil {
return nil, gtserror.NewErrorBadRequest(err, err.Error())
}
- i.Terms = *form.Terms
+ i.Terms = util.SanitizeHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
}
// process avatar if provided
diff --git a/internal/processing/media/create.go b/internal/processing/media/create.go
index f9e383504..baf9f2918 100644
--- a/internal/processing/media/create.go
+++ b/internal/processing/media/create.go
@@ -26,6 +26,7 @@ import (
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
)
func (p *processor) Create(account *gtsmodel.Account, form *apimodel.AttachmentRequest) (*apimodel.Attachment, error) {
@@ -53,7 +54,7 @@ func (p *processor) Create(account *gtsmodel.Account, form *apimodel.AttachmentR
// TODO: handle this inside mediaHandler.ProcessAttachment (just pass more params to it)
// first description
- attachment.Description = form.Description
+ attachment.Description = util.RemoveHTML(form.Description) // remove any HTML from the image description
// now parse the focus parameter
focusx, focusy, err := parseFocus(form.Focus)
diff --git a/internal/processing/media/update.go b/internal/processing/media/update.go
index aa3583054..b5ffc77d8 100644
--- a/internal/processing/media/update.go
+++ b/internal/processing/media/update.go
@@ -26,6 +26,7 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
)
func (p *processor) Update(account *gtsmodel.Account, mediaAttachmentID string, form *apimodel.AttachmentUpdateRequest) (*apimodel.Attachment, gtserror.WithCode) {
@@ -43,7 +44,7 @@ func (p *processor) Update(account *gtsmodel.Account, mediaAttachmentID string,
}
if form.Description != nil {
- attachment.Description = *form.Description
+ attachment.Description = util.RemoveHTML(*form.Description)
if err := p.db.UpdateByID(mediaAttachmentID, attachment); err != nil {
return nil, gtserror.NewErrorInternalError(fmt.Errorf("database error updating description: %s", err))
}
diff --git a/internal/processing/status/create.go b/internal/processing/status/create.go
index aa7468ae5..37d7e6aab 100644
--- a/internal/processing/status/create.go
+++ b/internal/processing/status/create.go
@@ -29,7 +29,7 @@ func (p *processor) Create(account *gtsmodel.Account, application *gtsmodel.Appl
Local: true,
AccountID: account.ID,
AccountURI: account.URI,
- ContentWarning: form.SpoilerText,
+ ContentWarning: util.RemoveHTML(form.SpoilerText),
ActivityStreamsType: gtsmodel.ActivityStreamsNote,
Sensitive: form.Sensitive,
Language: form.Language,
diff --git a/internal/processing/status/util.go b/internal/processing/status/util.go
index 0a023eab6..eb83babb0 100644
--- a/internal/processing/status/util.go
+++ b/internal/processing/status/util.go
@@ -264,6 +264,10 @@ func (p *processor) processContent(form *apimodel.AdvancedStatusCreateForm, acco
// replace newlines with breaks
content = strings.ReplaceAll(content, "\n", "
")
- status.Content = content
+ // sanitize html to remove any dodgy scripts or other disallowed elements
+ clean := util.SanitizeHTML(content)
+
+ // set the content as the shiny clean parsed content
+ status.Content = clean
return nil
}
diff --git a/internal/util/sanitize.go b/internal/util/sanitize.go
new file mode 100644
index 000000000..ac1f4c651
--- /dev/null
+++ b/internal/util/sanitize.go
@@ -0,0 +1,50 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see .
+*/
+
+package util
+
+import (
+ "github.com/microcosm-cc/bluemonday"
+)
+
+// '[A]llows a broad selection of HTML elements and attributes that are safe for user generated content.
+// Note that this policy does not allow iframes, object, embed, styles, script, etc.
+// An example usage scenario would be blog post bodies where a variety of formatting is expected along with the potential for TABLEs and IMGs.'
+//
+// Source: https://github.com/microcosm-cc/bluemonday#usage
+var regular *bluemonday.Policy = bluemonday.UGCPolicy().
+ RequireNoReferrerOnLinks(true).
+ RequireNoFollowOnLinks(true).
+ RequireCrossOriginAnonymous(true)
+
+// '[C]an be thought of as equivalent to stripping all HTML elements and their attributes as it has nothing on its allowlist.
+// An example usage scenario would be blog post titles where HTML tags are not expected at all
+// and if they are then the elements and the content of the elements should be stripped. This is a very strict policy.'
+//
+// Source: https://github.com/microcosm-cc/bluemonday#usage
+var strict *bluemonday.Policy = bluemonday.StrictPolicy()
+
+// SanitizeHTML cleans up HTML in the given string, allowing through only safe HTML elements.
+func SanitizeHTML(in string) string {
+ return regular.Sanitize(in)
+}
+
+// RemoveHTML removes all HTML from the given string.
+func RemoveHTML(in string) string {
+ return strict.Sanitize(in)
+}
--
cgit v1.2.3