feat(core): create a Trusted Types policy for bypass conversions (#39218)
When an application uses a custom sanitizer or one of the bypassSecurityTrust functions, Angular has no way of knowing whether they are implemented in a secure way. (It doesn't even know if they're introduced by the application or by a shady third-party dependency.) Thus using Angular's main Trusted Types policy to bless values coming from these two sources would undermine the security that Trusted Types brings. Instead, introduce a Trusted Types policy called angular#unsafe-bypass specifically for blessing values from these sources. This allows an application to enforce Trusted Types even if their application uses a custom sanitizer or the bypassSecurityTrust functions, knowing that compromises to either of these two sources may lead to arbitrary script execution. In the future Angular will provide a way to implement custom sanitizers in a manner that makes better use of Trusted Types. PR Close #39218
This commit is contained in:
Bjarki
Andrew Kushnir
parent
9ec2bad4dc
commit
49197d12a0
|
|
@ -0,0 +1,89 @@
|
|||
/**
|
||||
* @license
|
||||
* Copyright Google LLC All Rights Reserved.
|
||||
*
|
||||
* Use of this source code is governed by an MIT-style license that can be
|
||||
* found in the LICENSE file at https://angular.io/license
|
||||
*/
|
||||
|
||||
/**
|
||||
* @fileoverview
|
||||
* A module to facilitate use of a Trusted Types policy internally within
|
||||
* Angular specifically for bypassSecurityTrust* and custom sanitizers. It
|
||||
* lazily constructs the Trusted Types policy, providing helper utilities for
|
||||
* promoting strings to Trusted Types. When Trusted Types are not available,
|
||||
* strings are used as a fallback.
|
||||
* @security All use of this module is security-sensitive and should go through
|
||||
* security review.
|
||||
*/
|
||||
|
||||
import {global} from '../global';
|
||||
import {TrustedHTML, TrustedScript, TrustedScriptURL, TrustedTypePolicy, TrustedTypePolicyFactory} from './trusted_type_defs';
|
||||
|
||||
/**
|
||||
* The Trusted Types policy, or null if Trusted Types are not
|
||||
* enabled/supported, or undefined if the policy has not been created yet.
|
||||
*/
|
||||
let policy: TrustedTypePolicy|null|undefined;
|
||||
|
||||
/**
|
||||
* Returns the Trusted Types policy, or null if Trusted Types are not
|
||||
* enabled/supported. The first call to this function will create the policy.
|
||||
*/
|
||||
function getPolicy(): TrustedTypePolicy|null {
|
||||
if (policy === undefined) {
|
||||
policy = null;
|
||||
if (global.trustedTypes) {
|
||||
try {
|
||||
policy = (global.trustedTypes as TrustedTypePolicyFactory)
|
||||
.createPolicy('angular#unsafe-bypass', {
|
||||
createHTML: (s: string) => s,
|
||||
createScript: (s: string) => s,
|
||||
createScriptURL: (s: string) => s,
|
||||
});
|
||||
} catch {
|
||||
// trustedTypes.createPolicy throws if called with a name that is
|
||||
// already registered, even in report-only mode. Until the API changes,
|
||||
// catch the error not to break the applications functionally. In such
|
||||
// cases, the code will fall back to using strings.
|
||||
}
|
||||
}
|
||||
}
|
||||
return policy;
|
||||
}
|
||||
|
||||
/**
|
||||
* Unsafely promote a string to a TrustedHTML, falling back to strings when
|
||||
* Trusted Types are not available.
|
||||
* @security This is a security-sensitive function; any use of this function
|
||||
* must go through security review. In particular, it must be assured that it
|
||||
* is only passed strings that come directly from custom sanitizers or the
|
||||
* bypassSecurityTrust* functions.
|
||||
*/
|
||||
export function trustedHTMLFromStringBypass(html: string): TrustedHTML|string {
|
||||
return getPolicy()?.createHTML(html) || html;
|
||||
}
|
||||
|
||||
/**
|
||||
* Unsafely promote a string to a TrustedScript, falling back to strings when
|
||||
* Trusted Types are not available.
|
||||
* @security This is a security-sensitive function; any use of this function
|
||||
* must go through security review. In particular, it must be assured that it
|
||||
* is only passed strings that come directly from custom sanitizers or the
|
||||
* bypassSecurityTrust* functions.
|
||||
*/
|
||||
export function trustedScriptFromStringBypass(script: string): TrustedScript|string {
|
||||
return getPolicy()?.createScript(script) || script;
|
||||
}
|
||||
|
||||
/**
|
||||
* Unsafely promote a string to a TrustedScriptURL, falling back to strings
|
||||
* when Trusted Types are not available.
|
||||
* @security This is a security-sensitive function; any use of this function
|
||||
* must go through security review. In particular, it must be assured that it
|
||||
* is only passed strings that come directly from custom sanitizers or the
|
||||
* bypassSecurityTrust* functions.
|
||||
*/
|
||||
export function trustedScriptURLFromStringBypass(url: string): TrustedScriptURL|string {
|
||||
return getPolicy()?.createScriptURL(url) || url;
|
||||
}
|
||||
Loading…
Reference in New Issue