mj-saunders
/
epicyon
forked from indymedia/epicyon
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't allow local network access

main
Bob Mottram 2020-11-11 09:42:48 +00:00
parent 5c4181a9ab
commit cadd0de15c
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content.py
View File

@ -159,6 +159,7 @@ def dangerousMarkup(content: str) -> bool:
if '>' not in content: if '>' not in content:
return False return False
contentSections = content.split('<') contentSections = content.split('<')
invalidPartials = ('127.0.', '192.168', '10.0.')
invalidStrings = ('script', 'canvas', 'style', 'abbr', invalidStrings = ('script', 'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body', 'frame', 'iframe', 'html', 'body',
'hr') 'hr')
@ -166,6 +167,9 @@ def dangerousMarkup(content: str) -> bool:
if '>' not in markup: if '>' not in markup:
continue continue
markup = markup.split('>')[0].strip() markup = markup.split('>')[0].strip()
for partialMatch in invalidPartials:
if partialMatch in markup:
return True
if ' ' not in markup: if ' ' not in markup:
for badStr in invalidStrings: for badStr in invalidStrings:
if badStr in markup: if badStr in markup:

20
tests.py
View File

@ -1943,32 +1943,52 @@ def testDangerousMarkup():
print('testDangerousMarkup') print('testDangerousMarkup')
content = '<p>This is a valid message</p>' content = '<p>This is a valid message</p>'
assert(not dangerousMarkup(content)) assert(not dangerousMarkup(content))
content = 'This is a valid message without markup' content = 'This is a valid message without markup'
assert(not dangerousMarkup(content)) assert(not dangerousMarkup(content))
content = '<p>This is a valid-looking message. But wait... ' + \ content = '<p>This is a valid-looking message. But wait... ' + \
'<script>document.getElementById("concentrated")' + \ '<script>document.getElementById("concentrated")' + \
'.innerHTML = "evil";</script></p>' '.innerHTML = "evil";</script></p>'
assert(dangerousMarkup(content)) assert(dangerousMarkup(content))
content = '<p>This is a valid-looking message. But wait... ' + \ content = '<p>This is a valid-looking message. But wait... ' + \
'<script src="https://evilsite/payload.js" /></p>' '<script src="https://evilsite/payload.js" /></p>'
assert(dangerousMarkup(content)) assert(dangerousMarkup(content))
content = '<p>This message embeds an evil frame.' + \ content = '<p>This message embeds an evil frame.' + \
'<iframe src="somesite"></iframe></p>' '<iframe src="somesite"></iframe></p>'
assert(dangerousMarkup(content)) assert(dangerousMarkup(content))
content = '<p>This message tries to obfuscate an evil frame.' + \ content = '<p>This message tries to obfuscate an evil frame.' + \
'< iframe src = "somesite"></ iframe ></p>' '< iframe src = "somesite"></ iframe ></p>'
assert(dangerousMarkup(content)) assert(dangerousMarkup(content))
content = '<p>This message is not necessarily evil, but annoying.' + \ content = '<p>This message is not necessarily evil, but annoying.' + \
'<hr><br><br><br><br><br><br><br><hr><hr></p>' '<hr><br><br><br><br><br><br><br><hr><hr></p>'
assert(dangerousMarkup(content)) assert(dangerousMarkup(content))
content = '<p>This message contans a ' + \ content = '<p>This message contans a ' + \
'<a href="https://validsite/index.html">valid link.</a></p>' '<a href="https://validsite/index.html">valid link.</a></p>'
assert(not dangerousMarkup(content)) assert(not dangerousMarkup(content))
content = '<p>This message contans a ' + \ content = '<p>This message contans a ' + \
'<a href="https://validsite/iframe.html">' + \ '<a href="https://validsite/iframe.html">' + \
'valid link having invalid but harmless name.</a></p>' 'valid link having invalid but harmless name.</a></p>'
assert(not dangerousMarkup(content)) assert(not dangerousMarkup(content))
content = '<p>This message which <a href="127.0.0.1:8736">' + \
'tries to access the local network</a></p>'
assert(dangerousMarkup(content))
content = '<p>This message which <a href="http://192.168.5.10:7235">' + \
'tries to access the local network</a></p>'
assert(dangerousMarkup(content))
content = '<p>127.0.0.1 This message which does not access ' + \
'the local network</a></p>'
assert(not dangerousMarkup(content))
def runHtmlReplaceQuoteMarks(): def runHtmlReplaceQuoteMarks():
print('htmlReplaceQuoteMarks') print('htmlReplaceQuoteMarks')