From 59ead5343a205428cea1b914718daecd4362add3 Mon Sep 17 00:00:00 2001 From: Cameron Dutro Date: Mon, 23 May 2022 17:42:56 +0000 Subject: [PATCH] Add additional content exfiltration prevention to form tags --- actionview/lib/action_view/helpers.rb | 2 + .../content_exfiltration_prevention_helper.rb | 68 +++++++++++++++++++ .../action_view/helpers/form_tag_helper.rb | 5 +- .../lib/action_view/helpers/url_helper.rb | 5 +- actionview/lib/action_view/railtie.rb | 6 ++ .../test/template/form_tag_helper_test.rb | 23 +++++++ actionview/test/template/url_helper_test.rb | 19 ++++++ guides/source/configuring.md | 5 ++ 8 files changed, 131 insertions(+), 2 deletions(-) create mode 100644 actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb diff --git a/actionview/lib/action_view/helpers.rb b/actionview/lib/action_view/helpers.rb index bcd9d59e14..dc060c7898 100644 --- a/actionview/lib/action_view/helpers.rb +++ b/actionview/lib/action_view/helpers.rb @@ -12,6 +12,7 @@ require "action_view/helpers/asset_url_helper" require "action_view/helpers/atom_feed_helper" require "action_view/helpers/cache_helper" +require "action_view/helpers/content_exfiltration_prevention_helper" require "action_view/helpers/controller_helper" require "action_view/helpers/csp_helper" require "action_view/helpers/csrf_helper" @@ -45,6 +46,7 @@ def self.eager_load! include AtomFeedHelper include CacheHelper include CaptureHelper + include ContentExfiltrationPreventionHelper include ControllerHelper include CspHelper include CsrfHelper diff --git a/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb b/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb new file mode 100644 index 0000000000..ef37d0184f --- /dev/null +++ b/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb @@ -0,0 +1,68 @@ +# frozen_string_literal: true + +module ActionView + module Helpers + module ContentExfiltrationPreventionHelper + mattr_accessor :prepend_content_exfiltration_prevention, default: false + + # Close any open attributes before each form tag. This prevents attackers from + # injecting partial tags that could leak markup offsite. + # + # For example, an attacker might inject: + # + # ).html_safe.freeze + + # Close any open tags that support CDATA (textarea, xmp) before each form tag. + # This prevents attackers from injecting unclosed tags that could capture + # form contents. + # + # For example, an attacker might inject: + # + #
` or the end of + # the document would be captured by the attacker's -->".html_safe.freeze + + # Close any open option tags before each form tag. This prevents attackers + # from injecting unclosed options that could leak markup offsite. + # + # For example, an attacker might inject: + # + # ` or the end of + # the document would be captured by the attacker's ".html_safe.freeze + + # Close any open form tags before each new form tag. This prevents attackers + # from injecting unclosed forms that could leak markup offsite. + # + # For example, an attacker might inject: + # + # + # + # The form elements following this tag, up until the next `
` would be + # captured by the attacker's
. By closing any open form tags, we + # ensure that form contents are never exfiltrated. + CLOSE_FORM_TAG = "
".html_safe.freeze + + CONTENT_EXFILTRATION_PREVENTION_MARKUP = (CLOSE_QUOTES_COMMENT + CLOSE_CDATA_COMMENT + CLOSE_OPTION_TAG + CLOSE_FORM_TAG).freeze + + def prevent_content_exfiltration(html) + if prepend_content_exfiltration_prevention + CONTENT_EXFILTRATION_PREVENTION_MARKUP + html + else + html + end + end + end + end +end diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb index 7d08cf8d01..6e9a6d913e 100644 --- a/actionview/lib/action_view/helpers/form_tag_helper.rb +++ b/actionview/lib/action_view/helpers/form_tag_helper.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true require "cgi" +require "action_view/helpers/content_exfiltration_prevention_helper" require "action_view/helpers/url_helper" require "action_view/helpers/text_helper" require "active_support/core_ext/string/output_safety" @@ -19,6 +20,7 @@ module FormTagHelper include UrlHelper include TextHelper + include ContentExfiltrationPreventionHelper mattr_accessor :embed_authenticity_token_in_remote_forms self.embed_authenticity_token_in_remote_forms = nil @@ -955,7 +957,8 @@ def extra_tags_for_form(html_options) def form_tag_html(html_options) extra_tags = extra_tags_for_form(html_options) - tag(:form, html_options, true) + extra_tags + html = tag(:form, html_options, true) + extra_tags + prevent_content_exfiltration(html) end def form_tag_with_body(html_options, content) diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 8a0154ce9c..2ae789a473 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -3,6 +3,7 @@ require "active_support/core_ext/array/access" require "active_support/core_ext/hash/keys" require "active_support/core_ext/string/output_safety" +require "action_view/helpers/content_exfiltration_prevention_helper" require "action_view/helpers/tag_helper" module ActionView @@ -22,6 +23,7 @@ module UrlHelper extend ActiveSupport::Concern include TagHelper + include ContentExfiltrationPreventionHelper module ClassMethods def _url_for_modules @@ -380,7 +382,8 @@ def button_to(name = nil, options = nil, html_options = nil, &block) autocomplete: "off") end end - content_tag("form", inner_tags, form_options) + html = content_tag("form", inner_tags, form_options) + prevent_content_exfiltration(html) end # Creates a link tag of the given +name+ using a URL created by the set of diff --git a/actionview/lib/action_view/railtie.rb b/actionview/lib/action_view/railtie.rb index 74f5f17422..8ceebfb7de 100644 --- a/actionview/lib/action_view/railtie.rb +++ b/actionview/lib/action_view/railtie.rb @@ -13,6 +13,7 @@ class Railtie < Rails::Engine # :nodoc: config.action_view.image_loading = nil config.action_view.image_decoding = nil config.action_view.apply_stylesheet_media_default = true + config.action_view.prepend_content_exfiltration_prevention = false config.eager_load_namespaces << ActionView @@ -40,6 +41,11 @@ class Railtie < Rails::Engine # :nodoc: end end + config.after_initialize do |app| + prepend_content_exfiltration_prevention = app.config.action_view.delete(:prepend_content_exfiltration_prevention) + ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention = prepend_content_exfiltration_prevention + end + config.after_initialize do |app| button_to_generates_button_tag = app.config.action_view.delete(:button_to_generates_button_tag) unless button_to_generates_button_tag.nil? diff --git a/actionview/test/template/form_tag_helper_test.rb b/actionview/test/template/form_tag_helper_test.rb index cf86dbdb88..e628464318 100644 --- a/actionview/test/template/form_tag_helper_test.rb +++ b/actionview/test/template/form_tag_helper_test.rb @@ -906,6 +906,20 @@ def test_image_label_tag_options_symbolize_keys_side_effects assert_equal({ option: "random_option" }, options) end + def test_content_exfiltration_prevention + with_prepend_content_exfiltration_prevention(true) do + actual = form_tag + expected = %(#{whole_form}) + assert_dom_equal expected, actual + end + end + + def test_form_with_content_exfiltration_prevention_is_html_safe + with_prepend_content_exfiltration_prevention(true) do + assert_equal true, form_tag.html_safe? + end + end + def protect_against_forgery? false end @@ -923,4 +937,13 @@ def with_default_enforce_utf8(value) ensure ActionView::Helpers::FormTagHelper.default_enforce_utf8 = old_value end + + def with_prepend_content_exfiltration_prevention(value) + old_value = ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention + ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention = value + + yield + ensure + ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention = old_value + end end diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 0c56f39724..d84dcd1b7d 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -402,6 +402,15 @@ def test_button_to_generates_input_when_button_to_generates_button_tag_false ActionView::Helpers::UrlHelper.button_to_generates_button_tag = old_value end + def test_button_to_with_content_exfiltration_prevention + with_prepend_content_exfiltration_prevention(true) do + assert_dom_equal( + %{
}, + button_to("Hello", "http://www.example.com") + ) + end + end + class FakeParams def initialize(permitted = true) @permitted = permitted @@ -1036,6 +1045,16 @@ def form_authenticity_token(**) def request_forgery_protection_token "form_token" end + + private + def with_prepend_content_exfiltration_prevention(value) + old_value = ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention + ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention = value + + yield + ensure + ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention = old_value + end end class UrlHelperControllerTest < ActionController::TestCase diff --git a/guides/source/configuring.md b/guides/source/configuring.md index 96ad75833e..e4113251ac 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -66,6 +66,7 @@ Below are the default values associated with each target version. In cases of co - [`config.active_support.default_message_verifier_serializer`](#config-active-support-default-message-verifier-serializer): `:json` - [`config.action_controller.allow_deprecated_parameters_hash_equality`](#config-action-controller-allow-deprecated-parameters-hash-equality): `false` - [`config.log_file_size`](#config-log-file-size): `100.megabytes` +- [`config.action_view.prepend_content_exfiltration_prevention`](#config-action_view-prepend-content-exfiltration-prevention): `true` #### Default Values for Target Version 7.0 @@ -1527,6 +1528,10 @@ The default value depends on the `config.load_defaults` target version: | (original) | `true` | | 7.0 | `false` | +#### `config.action_view.prepend_content_exfiltration_prevention` + +Determines whether or not the `form_tag` and `button_to` helpers will produce HTML tags prepended with browser-safe (but technically invalid) HTML that guarantees their contents cannot be captured by any preceding unclosed tags. The default value is `false`. + ### Configuring Action Mailbox `config.action_mailbox` provides the following configuration options: