Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var SAFE_PROTOCOL_REGEX (#1359)

2023-01-29 11:12:06 +01:00
parent d47a25eb6d
commit f8e587c415
6 changed files with 99 additions and 33 deletions
--- a/changedetectionio/tests/test_security.py
+++ b/changedetectionio/tests/test_security.py
@@ -2,11 +2,9 @@ from flask import url_for
 from . util import set_original_response, set_modified_response, live_server_setup
 import time

-def test_setup(live_server):
+
+def test_bad_access(client, live_server):
    live_server_setup(live_server)
-
-def test_file_access(client, live_server):
-
    res = client.post(
        url_for("import_page"),
        data={"urls": 'https://localhost'},
@@ -19,18 +17,49 @@ def test_file_access(client, live_server):
    res = client.post(
        url_for("edit_page", uuid="first"),
        data={
-              "url": 'file:///etc/passwd',
+              "url": 'javascript:alert(document.domain)',
              "tag": "",
              "method": "GET",
              "fetch_backend": "html_requests",
              "body": ""},
        follow_redirects=True
    )
-    time.sleep(3)

-    res = client.get(
-        url_for("index", uuid="first"),
+    assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
+
+    res = client.post(
+        url_for("form_quick_watch_add"),
+        data={"url": '            javascript:alert(123)', "tag": ''},
        follow_redirects=True
    )

-    assert b'denied for security reasons' in res.data
+    assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
+
+    res = client.post(
+        url_for("form_quick_watch_add"),
+        data={"url": '%20%20%20javascript:alert(123)%20%20', "tag": ''},
+        follow_redirects=True
+    )
+
+    assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
+
+
+    res = client.post(
+        url_for("form_quick_watch_add"),
+        data={"url": ' source:javascript:alert(document.domain)', "tag": ''},
+        follow_redirects=True
+    )
+
+    assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
+
+    # file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
+
+    client.post(
+        url_for("form_quick_watch_add"),
+        data={"url": 'file:///tasty/disk/drive', "tag": ''},
+        follow_redirects=True
+    )
+    time.sleep(1)
+    res = client.get(url_for("index"))
+
+    assert b'file:// type access is denied for security reasons.' in res.data