diff options
author | Frédéric Guillot <fred@miniflux.net> | 2020-01-02 11:03:03 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@miniflux.net> | 2020-01-02 11:03:51 -0800 |
commit | ac3c936820033f27e32c9a4490f2f33d6ffd6b05 (patch) | |
tree | e317c3b87fd2314467d8931eb84cd5fa51c2fd7c | |
parent | 08fc32b0e14cccb46819976f213678e2b68f5b02 (diff) |
Make sure whitelisted URI schemes are handled properly by the sanitizer
-rw-r--r-- | reader/sanitizer/sanitizer.go | 45 | ||||
-rw-r--r-- | reader/sanitizer/sanitizer_test.go | 228 | ||||
-rw-r--r-- | url/url_test.go | 2 |
3 files changed, 252 insertions, 23 deletions
diff --git a/reader/sanitizer/sanitizer.go b/reader/sanitizer/sanitizer.go index 642fedf..0092bed 100644 --- a/reader/sanitizer/sanitizer.go +++ b/reader/sanitizer/sanitizer.go @@ -111,7 +111,7 @@ func sanitizeAttributes(baseURL, tagName string, attributes []html.Attribute) ([ continue } - if !hasValidScheme(value) || isBlacklistedResource(value) { + if !hasValidURIScheme(value) || isBlacklistedResource(value) { continue } } @@ -221,17 +221,19 @@ func hasRequiredAttributes(tagName string, attributes []string) bool { return true } -func hasValidScheme(src string) bool { - // See https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml +// See https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml +func hasValidURIScheme(src string) bool { whitelist := []string{ - "apt://", - "bitcoin://", - "callto://", + "apt:", + "bitcoin:", + "callto:", + "dav:", + "davs:", "ed2k://", "facetime://", - "feed://", + "feed:", "ftp://", - "geo://", + "geo:", "gopher://", "git://", "http://", @@ -240,27 +242,24 @@ func hasValidScheme(src string) bool { "irc6://", "ircs://", "itms://", - "jabber://", - "magnet://", - "mailto://", - "maps://", - "news://", - "nfs://", - "nntp://", + "itms-apps://", + "magnet:", + "mailto:", + "news:", + "nntp:", "rtmp://", - "sip://", - "sips://", - "skype://", - "smb://", - "sms://", - "spotify://", + "sip:", + "sips:", + "skype:", + "spotify:", "ssh://", "sftp://", "steam://", "svn://", - "tel://", + "svn+ssh://", + "tel:", "webcal://", - "xmpp://", + "xmpp:", } for _, prefix := range whitelist { diff --git a/reader/sanitizer/sanitizer_test.go b/reader/sanitizer/sanitizer_test.go index 649b7f0..1dfa103 100644 --- a/reader/sanitizer/sanitizer_test.go +++ b/reader/sanitizer/sanitizer_test.go @@ -123,6 +123,234 @@ func TestInvalidURLScheme(t *testing.T) { } } +func TestAPTURIScheme(t *testing.T) { + input := `<p>This link is <a href="apt:some-package?channel=test">valid</a></p>` + expected := `<p>This link is <a href="apt:some-package?channel=test" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestBitcoinURIScheme(t *testing.T) { + input := `<p>This link is <a href="bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W">valid</a></p>` + expected := `<p>This link is <a href="bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestCallToURIScheme(t *testing.T) { + input := `<p>This link is <a href="callto:12345679">valid</a></p>` + expected := `<p>This link is <a href="callto:12345679" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestFeedURIScheme(t *testing.T) { + input := `<p>This link is <a href="feed://example.com/rss.xml">valid</a></p>` + expected := `<p>This link is <a href="feed://example.com/rss.xml" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } + + input = `<p>This link is <a href="feed:https://example.com/rss.xml">valid</a></p>` + expected = `<p>This link is <a href="feed:https://example.com/rss.xml" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output = Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestGeoURIScheme(t *testing.T) { + input := `<p>This link is <a href="geo:13.4125,103.8667">valid</a></p>` + expected := `<p>This link is <a href="geo:13.4125,103.8667" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestItunesURIScheme(t *testing.T) { + input := `<p>This link is <a href="itms://itunes.com/apps/my-app-name">valid</a></p>` + expected := `<p>This link is <a href="itms://itunes.com/apps/my-app-name" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } + + input = `<p>This link is <a href="itms-apps://itunes.com/apps/my-app-name">valid</a></p>` + expected = `<p>This link is <a href="itms-apps://itunes.com/apps/my-app-name" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output = Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestMagnetURIScheme(t *testing.T) { + input := `<p>This link is <a href="magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7">valid</a></p>` + expected := `<p>This link is <a href="magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestMailtoURIScheme(t *testing.T) { + input := `<p>This link is <a href="mailto:jsmith@example.com?subject=A%20Test&body=My%20idea%20is%3A%20%0A">valid</a></p>` + expected := `<p>This link is <a href="mailto:jsmith@example.com?subject=A%20Test&body=My%20idea%20is%3A%20%0A" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestNewsURIScheme(t *testing.T) { + input := `<p>This link is <a href="news://news.server.example/*">valid</a></p>` + expected := `<p>This link is <a href="news://news.server.example/*" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } + + input = `<p>This link is <a href="news:example.group.this">valid</a></p>` + expected = `<p>This link is <a href="news:example.group.this" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output = Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } + + input = `<p>This link is <a href="nntp://news.server.example/example.group.this">valid</a></p>` + expected = `<p>This link is <a href="nntp://news.server.example/example.group.this" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output = Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestRTMPURIScheme(t *testing.T) { + input := `<p>This link is <a href="rtmp://mycompany.com/vod/mp4:mycoolvideo.mov">valid</a></p>` + expected := `<p>This link is <a href="rtmp://mycompany.com/vod/mp4:mycoolvideo.mov" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestSIPURIScheme(t *testing.T) { + input := `<p>This link is <a href="sip:+1-212-555-1212:1234@gateway.com;user=phone">valid</a></p>` + expected := `<p>This link is <a href="sip:+1-212-555-1212:1234@gateway.com;user=phone" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } + + input = `<p>This link is <a href="sips:alice@atlanta.com?subject=project%20x&priority=urgent">valid</a></p>` + expected = `<p>This link is <a href="sips:alice@atlanta.com?subject=project%20x&priority=urgent" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output = Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestSkypeURIScheme(t *testing.T) { + input := `<p>This link is <a href="skype:echo123?call">valid</a></p>` + expected := `<p>This link is <a href="skype:echo123?call" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestSpotifyURIScheme(t *testing.T) { + input := `<p>This link is <a href="spotify:track:2jCnn1QPQ3E8ExtLe6INsx">valid</a></p>` + expected := `<p>This link is <a href="spotify:track:2jCnn1QPQ3E8ExtLe6INsx" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestSteamURIScheme(t *testing.T) { + input := `<p>This link is <a href="steam://settings/account">valid</a></p>` + expected := `<p>This link is <a href="steam://settings/account" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestSubversionURIScheme(t *testing.T) { + input := `<p>This link is <a href="svn://example.org">valid</a></p>` + expected := `<p>This link is <a href="svn://example.org" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } + + input = `<p>This link is <a href="svn+ssh://example.org">valid</a></p>` + expected = `<p>This link is <a href="svn+ssh://example.org" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output = Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestTelURIScheme(t *testing.T) { + input := `<p>This link is <a href="tel:+1-201-555-0123">valid</a></p>` + expected := `<p>This link is <a href="tel:+1-201-555-0123" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestWebcalURIScheme(t *testing.T) { + input := `<p>This link is <a href="webcal://example.com/calendar.ics">valid</a></p>` + expected := `<p>This link is <a href="webcal://example.com/calendar.ics" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestXMPPURIScheme(t *testing.T) { + input := `<p>This link is <a href="xmpp:user@host?subscribe&type=subscribed">valid</a></p>` + expected := `<p>This link is <a href="xmpp:user@host?subscribe&type=subscribed" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + func TestBlacklistedLink(t *testing.T) { input := `<p>This image is not valid <img src="https://stats.wordpress.com/some-tracker"></p>` expected := `<p>This image is not valid </p>` diff --git a/url/url_test.go b/url/url_test.go index 54868a9..56b6e13 100644 --- a/url/url_test.go +++ b/url/url_test.go @@ -13,6 +13,8 @@ func TestAbsoluteURL(t *testing.T) { []string{"https://example.org/path/file.ext", "https://example.org/folder", "path/file.ext"}, []string{"https://example.org/path/file.ext", "https://example.org/folder/", "https://example.org/path/file.ext"}, []string{"https://static.example.org/path/file.ext", "https://www.example.org/", "//static.example.org/path/file.ext"}, + []string{"magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a", "https://www.example.org/", "magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a"}, + []string{"magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7", "https://www.example.org/", "magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7"}, } for _, scenario := range scenarios { |