Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Sanitize YouTube Onebox data (#13748) 

CVE-2021-32764
This commit is contained in:
David Taylor 2021-07-15 19:31:50 +01:00 committed by GitHub
parent 55bed48917
commit 8b89787426
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 34 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/onebox/engine/youtube_onebox.rb
View File

@ -89,25 +89,31 @@ module Onebox
def video_id def video_id
@video_id ||= begin @video_id ||= begin
id = nil
# http://youtu.be/afyK1HSFfgw # http://youtu.be/afyK1HSFfgw
if uri.host["youtu.be"] if uri.host["youtu.be"]
id = uri.path[/\/([\w\-]+)/, 1] id = uri.path[/\/([\w\-]+)/, 1]
return id if id
end end
# https://www.youtube.com/embed/vsF0K3Ou1v0 # https://www.youtube.com/embed/vsF0K3Ou1v0
if uri.path["/embed/"] if uri.path["/embed/"]
id = uri.path[/\/embed\/([\w\-]+)/, 1] id ||= uri.path[/\/embed\/([\w\-]+)/, 1]
return id if id
end end
# https://www.youtube.com/watch?v=Z0UISCEe52Y # https://www.youtube.com/watch?v=Z0UISCEe52Y
params['v'] id ||= params['v']
sanitize_yt_id(id)
end end
end end
def list_id def list_id
@list_id ||= params['list'] @list_id ||= sanitize_yt_id(params['list'])
end
def sanitize_yt_id(raw)
raw&.match?(/\A[\w-]+\z/) ? raw : nil
end end
def embed_params def embed_params

2
plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js.es6 → plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js
View File

@ -1,9 +1,11 @@
import { withPluginApi } from "discourse/lib/plugin-api"; import { withPluginApi } from "discourse/lib/plugin-api";
import initLazyYt from "../lib/lazyYT";
export default { export default {
name: "apply-lazyYT", name: "apply-lazyYT",
initialize() { initialize() {
withPluginApi("0.1", (api) => { withPluginApi("0.1", (api) => {
initLazyYt($);
api.decorateCooked( api.decorateCooked(
($elem) => { ($elem) => {
const iframes = $(".lazyYT", $elem); const iframes = $(".lazyYT", $elem);

16
plugins/lazy-yt/assets/javascripts/lazyYT.js → plugins/lazy-yt/assets/javascripts/lib/lazyYT.js
View File

@ -11,7 +11,9 @@
* *
*/ */
(function ($) { import escape from "discourse-common/lib/escape";
export default function initLazyYt($) {
"use strict"; "use strict";
function setUp($el, settings) { function setUp($el, settings) {
@ -75,13 +77,13 @@
innerHtml.push('<div class="html5-title-text-wrapper">'); innerHtml.push('<div class="html5-title-text-wrapper">');
innerHtml.push( innerHtml.push(
'<a class="html5-title-text" target="_blank" tabindex="3100" href="https://www.youtube.com/watch?v=', '<a class="html5-title-text" target="_blank" tabindex="3100" href="https://www.youtube.com/watch?v=',
id, escape(id),
'">' '">'
); );
if (title === undefined || title === null || title === "") { if (title === undefined || title === null || title === "") {
innerHtml.push("youtube.com/watch?v=" + id); innerHtml.push("youtube.com/watch?v=" + escape(id));
} else { } else {
innerHtml.push(title); innerHtml.push(escape(title));
} }
innerHtml.push("</a>"); innerHtml.push("</a>");
innerHtml.push("</div>"); // .html5-title innerHtml.push("</div>"); // .html5-title
@ -121,7 +123,7 @@
$( $(
[ [
'<img class="ytp-thumbnail-image" src="https://img.youtube.com/vi/', '<img class="ytp-thumbnail-image" src="https://img.youtube.com/vi/',
id, escape(id),
"/", "/",
thumb_img, thumb_img,
'">', '">',
@ -143,7 +145,7 @@
$el $el
.html( .html(
'<iframe src="//www.youtube.com/embed/' + '<iframe src="//www.youtube.com/embed/' +
id + escape(id) +
"?autoplay=1&" + "?autoplay=1&" +
youtube_parameters + youtube_parameters +
'" frameborder="0" allowfullscreen></iframe>' '" frameborder="0" allowfullscreen></iframe>'
@ -170,4 +172,4 @@
setUp($el, settings); setUp($el, settings);
}); });
}; };
})(jQuery); }

4
plugins/lazy-yt/plugin.rb
View File

@ -5,14 +5,12 @@
# version: 1.0.1 # version: 1.0.1
# authors: Arpit Jalan # authors: Arpit Jalan
# url: https://github.com/discourse/discourse/tree/master/plugins/lazy-yt # url: https://github.com/discourse/discourse/tree/master/plugins/lazy-yt
# transpile_js: true
hide_plugin if self.respond_to?(:hide_plugin) hide_plugin if self.respond_to?(:hide_plugin)
require "onebox" require "onebox"
# javascript
register_asset "javascripts/lazyYT.js"
# stylesheet # stylesheet
register_asset "stylesheets/lazyYT.css" register_asset "stylesheets/lazyYT.css"
register_asset "stylesheets/lazyYT_mobile.scss", :mobile register_asset "stylesheets/lazyYT_mobile.scss", :mobile

11
spec/lib/onebox/engine/youtube_onebox_spec.rb
View File

@ -65,6 +65,17 @@ describe Onebox::Engine::YoutubeOnebox do
expect(Onebox.preview('https://www.youtube.com/watch?v=21Lk4YiASMo&potential[]=exploit&potential[]=fun').to_s).not_to match(/potential|exploit|fun/) expect(Onebox.preview('https://www.youtube.com/watch?v=21Lk4YiASMo&potential[]=exploit&potential[]=fun').to_s).not_to match(/potential|exploit|fun/)
end end
it "ignores video_id with unacceptable characters" do
# (falls back to generic onebox)
Onebox::Engine::AllowlistedGenericOnebox.any_instance.stubs(:to_html).returns(+"allowlisted_html")
expect(Onebox.preview('https://www.youtube.com/watch?v=%3C%3E21Lk4YiASMo').to_s).to eq("allowlisted_html")
end
it "ignores list_id with unacceptable characters" do
# (falls back to video-only onebox)
expect(Onebox.preview('https://www.youtube.com/watch?v=21Lk4YiASMo&list=%3C%3EUUQau-O2C0kGJpR3_CHBTGbw').to_s).not_to include("UUQau-O2C0kGJpR3_CHBTGbw")
end
it "converts time strings into a &start= parameter" do it "converts time strings into a &start= parameter" do
expect(Onebox.preview('https://www.youtube.com/watch?v=21Lk4YiASMo&start=3782').to_s).to match(/start=3782/) expect(Onebox.preview('https://www.youtube.com/watch?v=21Lk4YiASMo&start=3782').to_s).to match(/start=3782/)
expect(Onebox.preview('https://www.youtube.com/watch?start=1h3m2s&v=21Lk4YiASMo').to_s).to match(/start=3782/) expect(Onebox.preview('https://www.youtube.com/watch?start=1h3m2s&v=21Lk4YiASMo').to_s).to match(/start=3782/)