diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index fd0ff755ef6..70ce7db4257 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -340,9 +340,6 @@ importers: rusty-store-kv: specifier: ^1.3.1 version: 1.3.1 - security: - specifier: 1.0.0 - version: 1.0.0 semver: specifier: ^7.8.4 version: 7.8.4 @@ -4991,9 +4988,6 @@ packages: secure-json-parse@4.1.0: resolution: {integrity: sha512-l4KnYfEyqYJxDwlNVyRfO2E4NTHfMKAWdUuA8J0yve2Dz/E/PdBepY03RvyJpssIpRFwJoCD55wA+mEDs6ByWA==} - security@1.0.0: - resolution: {integrity: sha512-5qfoAgfRWS1sUn+fUJtdbbqM1BD/LoQGa+smPTDjf9OqHyuJqi6ewtbYL0+V1S1RaU6OCOCMWGZocIfz2YK4uw==} - semver@6.3.1: resolution: {integrity: sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==} hasBin: true @@ -8419,7 +8413,7 @@ snapshots: '@rushstack/eslint-patch': 1.16.1 '@typescript-eslint/eslint-plugin': 7.18.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint@10.5.0)(typescript@6.0.3) '@typescript-eslint/parser': 7.18.0(eslint@10.5.0)(typescript@6.0.3) - eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint@10.5.0))(eslint@10.5.0) + eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.5.0) eslint-plugin-cypress: 2.15.2(eslint@10.5.0) eslint-plugin-eslint-comments: 3.2.0(eslint@10.5.0) eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.5.0) @@ -8443,7 +8437,7 @@ snapshots: transitivePeerDependencies: - supports-color - eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint@10.5.0))(eslint@10.5.0): + eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0)(eslint@10.5.0): dependencies: '@nolyfill/is-core-module': 1.0.39 debug: 4.4.3(supports-color@8.1.1) @@ -8458,14 +8452,14 @@ snapshots: transitivePeerDependencies: - supports-color - eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint@10.5.0))(eslint@10.5.0))(eslint@10.5.0): + eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.5.0): dependencies: debug: 3.2.7 optionalDependencies: '@typescript-eslint/parser': 7.18.0(eslint@10.5.0)(typescript@6.0.3) eslint: 10.5.0 eslint-import-resolver-node: 0.3.10 - eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint@10.5.0))(eslint@10.5.0) + eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.5.0) transitivePeerDependencies: - supports-color @@ -8498,7 +8492,7 @@ snapshots: doctrine: 2.1.0 eslint: 10.5.0 eslint-import-resolver-node: 0.3.10 - eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint@10.5.0))(eslint@10.5.0))(eslint@10.5.0) + eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.5.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.5.0) hasown: 2.0.2 is-core-module: 2.16.1 is-glob: 4.0.3 @@ -10605,8 +10599,6 @@ snapshots: secure-json-parse@4.1.0: {} - security@1.0.0: {} - semver@6.3.1: {} semver@7.8.4: {} diff --git a/src/node/utils/Minify.ts b/src/node/utils/Minify.ts index 8747ff04b14..5334de8a921 100644 --- a/src/node/utils/Minify.ts +++ b/src/node/utils/Minify.ts @@ -39,7 +39,6 @@ const ROOT_DIR = path.join(settings.root, 'src/static/'); const LIBRARY_WHITELIST = [ 'async', 'js-cookie', - 'security', 'split-grid', 'tinycon', 'underscore', diff --git a/src/package.json b/src/package.json index 3939840845b..c1991349bb2 100644 --- a/src/package.json +++ b/src/package.json @@ -79,7 +79,6 @@ "resolve": "1.22.12", "rethinkdb": "^2.4.2", "rusty-store-kv": "^1.3.1", - "security": "1.0.0", "semver": "^7.8.4", "socket.io": "^4.8.3", "socket.io-client": "^4.8.3", diff --git a/src/static/js/pad_utils.ts b/src/static/js/pad_utils.ts index 997dd2be6ee..b6f17e84c9d 100644 --- a/src/static/js/pad_utils.ts +++ b/src/static/js/pad_utils.ts @@ -24,7 +24,7 @@ import {binarySearch} from "./ace2_common"; * limitations under the License. */ -const Security = require('security'); +import * as Security from './security'; import jsCookie, {CookiesStatic} from 'js-cookie' /** diff --git a/src/static/js/security.ts b/src/static/js/security.ts index d5f9b726622..cae83bfdb54 100644 --- a/src/static/js/security.ts +++ b/src/static/js/security.ts @@ -1,20 +1,73 @@ -// @ts-nocheck 'use strict'; /** - * Copyright 2009 Google Inc. + * OWASP-style output-escaping helpers. * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * Vendored from the `security` npm package (v1.0.0), which has been + * unmaintained since 2012. The implementation below is reproduced verbatim + * (behaviour is byte-identical) so the dependency can be dropped from core. * - * http://www.apache.org/licenses/LICENSE-2.0 + * Original work Copyright (c) 2011 Chad Weider, MIT licensed: * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS-IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. */ -module.exports = require('security'); +const HTML_ENTITY_MAP: {[c: string]: string} = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''', + '/': '/', +}; + +// OWASP Guidelines: &, <, >, ", ' plus forward slash. +const HTML_CHARACTERS_EXPRESSION = /[&"'<>/]/gm; +export const escapeHTML = (text: string) => text && text.replace(HTML_CHARACTERS_EXPRESSION, + (c: string) => HTML_ENTITY_MAP[c] || c); + +// OWASP Guidelines: escape all non alphanumeric characters in ASCII space. +const HTML_ATTRIBUTE_CHARACTERS_EXPRESSION = /[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF]/gm; +export const escapeHTMLAttribute = (text: string) => text && text.replace(HTML_ATTRIBUTE_CHARACTERS_EXPRESSION, + (c: string) => HTML_ENTITY_MAP[c] || `&#x${(`00${c.charCodeAt(0).toString(16)}`).slice(-2)};`); + +// OWASP Guidelines: escape all non alphanumeric characters in ASCII space. +// Also include line breaks (for literal). +const JAVASCRIPT_CHARACTERS_EXPRESSION = /[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF\u2028\u2029]/gm; +export const encodeJavaScriptIdentifier = (text: string) => text && text.replace(JAVASCRIPT_CHARACTERS_EXPRESSION, + (c: string) => `\\u${(`0000${c.charCodeAt(0).toString(16)}`).slice(-4)}`); + +export const encodeJavaScriptString = (text: string) => text && `"${encodeJavaScriptIdentifier(text)}"`; + +// This is not great, but it is useful. +// NB: the original `security` package used /"(?:\\.|[^"])*"/, where `[^"]` also +// matches a backslash and so overlaps with `\\.`, causing exponential +// backtracking (ReDoS) on adversarial input. We exclude the backslash from the +// character class so the two alternatives are mutually exclusive — this matches +// exactly the same well-formed JSON string literals but in linear time. +const JSON_STRING_LITERAL_EXPRESSION = /"(?:[^"\\]|\\.)*"/gm; +export const encodeJavaScriptData = (object: any) => JSON.stringify(object).replace(JSON_STRING_LITERAL_EXPRESSION, + (string: string) => encodeJavaScriptString(JSON.parse(string))); + +// OWASP Guidelines: escape all non alphanumeric characters in ASCII space. +const CSS_CHARACTERS_EXPRESSION = /[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF]/gm; +export const encodeCSSIdentifier = (text: string) => text && text.replace(CSS_CHARACTERS_EXPRESSION, + (c: string) => `\\${(`000000${c.charCodeAt(0).toString(16)}`).slice(-6)}`); + +export const encodeCSSString = (text: string) => text && `"${encodeCSSIdentifier(text)}"`; diff --git a/src/tests/backend/specs/security.ts b/src/tests/backend/specs/security.ts new file mode 100644 index 00000000000..47663e223cc --- /dev/null +++ b/src/tests/backend/specs/security.ts @@ -0,0 +1,78 @@ +'use strict'; + +const assert = require('assert').strict; +// The escaping helpers are a client module, but they are pure (no browser +// globals) so they can be exercised directly from a backend spec. This locks +// the byte-for-byte output of the helpers vendored from the (now removed) +// `security` npm package, so the vendoring can never silently drift. +const Security = require('../../../static/js/security'); + +describe(__filename, function () { + describe('public API', function () { + it('exposes the full set of helpers plugins may rely on', function () { + for (const fn of [ + 'escapeHTML', 'escapeHTMLAttribute', + 'encodeJavaScriptIdentifier', 'encodeJavaScriptString', 'encodeJavaScriptData', + 'encodeCSSIdentifier', 'encodeCSSString', + ]) { + assert.equal(typeof Security[fn], 'function', `Security.${fn} must be a function`); + } + }); + }); + + describe('escapeHTML', function () { + it('escapes &, <, >, ", \' and / per OWASP', function () { + assert.equal(Security.escapeHTML('/&\''), + '<a href="x">/&''); + }); + it('neutralises a script tag', function () { + assert.equal(Security.escapeHTML(''), + '<script>alert(1)</script>'); + }); + it('leaves plain alphanumerics untouched', function () { + assert.equal(Security.escapeHTML('Hello World 123'), 'Hello World 123'); + }); + it('passes falsy input straight through', function () { + assert.equal(Security.escapeHTML(''), ''); + }); + }); + + describe('escapeHTMLAttribute', function () { + it('hex-encodes non-alphanumeric ASCII not covered by named entities', function () { + assert.equal(Security.escapeHTMLAttribute('a b'), 'a b'); + // hex is lowercased, matching the original `security` package output. + assert.equal(Security.escapeHTMLAttribute('javascript:alert(1)'), + 'javascript:alert(1)'); + }); + it('prefers named entities for &, <, >, ", \', /', function () { + assert.equal(Security.escapeHTMLAttribute('<>&"\'/'), + '<>&"'/'); + }); + it('leaves alphanumerics untouched', function () { + assert.equal(Security.escapeHTMLAttribute('abcXYZ0189'), 'abcXYZ0189'); + }); + }); + + describe('javascript / css encoders', function () { + it('encodeJavaScriptString quotes and backslash-u-escapes specials', function () { + assert.equal(Security.encodeJavaScriptString('a', c: 'x"y', d: 'a\\b'}), + '{"a":"\\u003cb\\u003e","c":"x\\u0022y","d":"a\\u005cb"}'); + }); + it('encodeJavaScriptData regex is linear (ReDoS guard)', function () { + // The JSON-string-literal regex used to be /"(?:\\.|[^"])*"/, which + // backtracks exponentially on an unterminated string of `\!` repeats. + // Run the regex directly on adversarial input and assert it returns fast. + const evil = `"${'\\!'.repeat(50000)}`; // no closing quote + const start = Date.now(); + /"(?:[^"\\]|\\.)*"/gm.test(evil); + assert.ok(Date.now() - start < 1000, 'regex must not backtrack exponentially'); + }); + }); +});