Don't allow local network access

2020-11-11 09:42:48 +00:00 · 2020-11-11 09:42:48 +00:00 · cadd0de15c
parent 5c4181a9ab
commit cadd0de15c
2 changed files with 24 additions and 0 deletions
--- a/content.py
+++ b/content.py
@ -159,6 +159,7 @@ def dangerousMarkup(content: str) -> bool:
    if '>' not in content:
        return False
    contentSections = content.split('<')
+    invalidPartials = ('127.0.', '192.168', '10.0.')
    invalidStrings = ('script', 'canvas', 'style', 'abbr',
                      'frame', 'iframe', 'html', 'body',
                      'hr')
@ -166,6 +167,9 @@ def dangerousMarkup(content: str) -> bool:
        if '>' not in markup:
            continue
        markup = markup.split('>')[0].strip()
+        for partialMatch in invalidPartials:
+            if partialMatch in markup:
+                return True
        if ' ' not in markup:
            for badStr in invalidStrings:
                if badStr in markup:
--- a/tests.py
+++ b/tests.py
@ -1943,32 +1943,52 @@ def testDangerousMarkup():
    print('testDangerousMarkup')
    content = '<p>This is a valid message</p>'
    assert(not dangerousMarkup(content))
+
    content = 'This is a valid message without markup'
    assert(not dangerousMarkup(content))
+
    content = '<p>This is a valid-looking message. But wait... ' + \
        '<script>document.getElementById("concentrated")' + \
        '.innerHTML = "evil";</script></p>'
    assert(dangerousMarkup(content))
+
    content = '<p>This is a valid-looking message. But wait... ' + \
        '<script src="https://evilsite/payload.js" /></p>'
    assert(dangerousMarkup(content))
+
    content = '<p>This message embeds an evil frame.' + \
        '<iframe src="somesite"></iframe></p>'
    assert(dangerousMarkup(content))
+
    content = '<p>This message tries to obfuscate an evil frame.' + \
        '<  iframe     src = "somesite"></    iframe  ></p>'
    assert(dangerousMarkup(content))
+
    content = '<p>This message is not necessarily evil, but annoying.' + \
        '<hr><br><br><br><br><br><br><br><hr><hr></p>'
    assert(dangerousMarkup(content))
+
    content = '<p>This message contans a ' + \
        '<a href="https://validsite/index.html">valid link.</a></p>'
    assert(not dangerousMarkup(content))
+
    content = '<p>This message contans a ' + \
        '<a href="https://validsite/iframe.html">' + \
        'valid link having invalid but harmless name.</a></p>'
    assert(not dangerousMarkup(content))

+    content = '<p>This message which <a href="127.0.0.1:8736">' + \
+        'tries to access the local network</a></p>'
+    assert(dangerousMarkup(content))
+
+    content = '<p>This message which <a href="http://192.168.5.10:7235">' + \
+        'tries to access the local network</a></p>'
+    assert(dangerousMarkup(content))
+
+    content = '<p>127.0.0.1 This message which does not access ' + \
+        'the local network</a></p>'
+    assert(not dangerousMarkup(content))
+

 def runHtmlReplaceQuoteMarks():
    print('htmlReplaceQuoteMarks')