mirror of https://gitlab.com/bashrc2/epicyon
Check html for spyware
Bob Mottram
parent
f5a7cbad6e
commit
40bf726eea
9
tests.py
9
tests.py
|
|
@ -3919,6 +3919,15 @@ def _test_danger_markup():
|
||||||
'<script src="https://evilsite/payload.js" /></p>'
|
'<script src="https://evilsite/payload.js" /></p>'
|
||||||
assert dangerous_markup(content, allow_local_network_access)
|
assert dangerous_markup(content, allow_local_network_access)
|
||||||
|
|
||||||
|
content = '<p>This is a valid-looking message. But it contains ' + \
|
||||||
|
'spyware. <amp-analytics type="gtag" ' + \
|
||||||
|
'data-credentials="include"></amp-analytics></p>'
|
||||||
|
assert dangerous_markup(content, allow_local_network_access)
|
||||||
|
|
||||||
|
content = '<p>This is a valid-looking message. But it contains ' + \
|
||||||
|
'<a href="something.googleapis.com/anotherthing">spyware.</a></p>'
|
||||||
|
assert dangerous_markup(content, allow_local_network_access)
|
||||||
|
|
||||||
content = '<p>This message embeds an evil frame.' + \
|
content = '<p>This message embeds an evil frame.' + \
|
||||||
'<iframe src="somesite"></iframe></p>'
|
'<iframe src="somesite"></iframe></p>'
|
||||||
assert dangerous_markup(content, allow_local_network_access)
|
assert dangerous_markup(content, allow_local_network_access)
|
||||||
|
|
|
||||||
63
utils.py
63
utils.py
|
|
@ -884,8 +884,8 @@ def is_local_network_address(ip_address: str) -> bool:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
def _is_dangerous_string(content: str, allow_local_network_access: bool,
|
def _is_dangerous_string_tag(content: str, allow_local_network_access: bool,
|
||||||
separators: [], invalid_strings: []) -> bool:
|
separators: [], invalid_strings: []) -> bool:
|
||||||
"""Returns true if the given string is dangerous
|
"""Returns true if the given string is dangerous
|
||||||
"""
|
"""
|
||||||
for separator_style in separators:
|
for separator_style in separators:
|
||||||
|
|
@ -908,12 +908,48 @@ def _is_dangerous_string(content: str, allow_local_network_access: bool,
|
||||||
return True
|
return True
|
||||||
if ' ' not in markup:
|
if ' ' not in markup:
|
||||||
for bad_str in invalid_strings:
|
for bad_str in invalid_strings:
|
||||||
if bad_str in markup:
|
if not bad_str.endswith('-'):
|
||||||
return True
|
if bad_str in markup:
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
if markup.startswith(bad_str):
|
||||||
|
return True
|
||||||
else:
|
else:
|
||||||
for bad_str in invalid_strings:
|
for bad_str in invalid_strings:
|
||||||
if bad_str + ' ' in markup:
|
if not bad_str.endswith('-'):
|
||||||
return True
|
if bad_str + ' ' in markup:
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
if markup.startswith(bad_str):
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def _is_dangerous_string_simple(content: str, allow_local_network_access: bool,
|
||||||
|
separators: [], invalid_strings: []) -> bool:
|
||||||
|
"""Returns true if the given string is dangerous
|
||||||
|
"""
|
||||||
|
for separator_style in separators:
|
||||||
|
start_char = separator_style[0]
|
||||||
|
end_char = separator_style[1]
|
||||||
|
if start_char not in content:
|
||||||
|
continue
|
||||||
|
if end_char not in content:
|
||||||
|
continue
|
||||||
|
content_sections = content.split(start_char)
|
||||||
|
invalid_partials = ()
|
||||||
|
if not allow_local_network_access:
|
||||||
|
invalid_partials = get_local_network_addresses()
|
||||||
|
for markup in content_sections:
|
||||||
|
if end_char not in markup:
|
||||||
|
continue
|
||||||
|
markup = markup.split(end_char)[0].strip()
|
||||||
|
for partial_match in invalid_partials:
|
||||||
|
if partial_match in markup:
|
||||||
|
return True
|
||||||
|
for bad_str in invalid_strings:
|
||||||
|
if bad_str in markup:
|
||||||
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -921,13 +957,20 @@ def dangerous_markup(content: str, allow_local_network_access: bool) -> bool:
|
||||||
"""Returns true if the given content contains dangerous html markup
|
"""Returns true if the given content contains dangerous html markup
|
||||||
"""
|
"""
|
||||||
separators = [['<', '>'], ['<', '>']]
|
separators = [['<', '>'], ['<', '>']]
|
||||||
|
invalid_strings = [
|
||||||
|
'analytics', 'ampproject', 'googleapis'
|
||||||
|
]
|
||||||
|
if _is_dangerous_string_simple(content, allow_local_network_access,
|
||||||
|
separators, invalid_strings):
|
||||||
|
return True
|
||||||
invalid_strings = [
|
invalid_strings = [
|
||||||
'script', 'noscript', 'code', 'pre',
|
'script', 'noscript', 'code', 'pre',
|
||||||
'canvas', 'style', 'abbr',
|
'canvas', 'style', 'abbr',
|
||||||
'frame', 'iframe', 'html', 'body',
|
'frame', 'iframe', 'html', 'body',
|
||||||
'hr', 'allow-popups', 'allow-scripts'
|
'hr', 'allow-popups', 'allow-scripts',
|
||||||
|
'amp-'
|
||||||
]
|
]
|
||||||
return _is_dangerous_string(content, allow_local_network_access,
|
return _is_dangerous_string_tag(content, allow_local_network_access,
|
||||||
separators, invalid_strings)
|
separators, invalid_strings)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -938,8 +981,8 @@ def dangerous_svg(content: str, allow_local_network_access: bool) -> bool:
|
||||||
invalid_strings = [
|
invalid_strings = [
|
||||||
'script'
|
'script'
|
||||||
]
|
]
|
||||||
return _is_dangerous_string(content, allow_local_network_access,
|
return _is_dangerous_string_tag(content, allow_local_network_access,
|
||||||
separators, invalid_strings)
|
separators, invalid_strings)
|
||||||
|
|
||||||
|
|
||||||
def get_display_name(base_dir: str, actor: str, person_cache: {}) -> str:
|
def get_display_name(base_dir: str, actor: str, person_cache: {}) -> str:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue