[vulnerability][acl] Worker scripts with irregular extensions must be blocked #318

Closed
t2ym opened this issue Aug 28, 2019 · 0 comments

Comments

t2ym (Owner) commented Aug 28, 2019

[vulnerability][acl] Worker scripts with irregular extensions must be blocked

Root Cause

  • Extensions for Worker are not checked in ACL

Fix

diff --git a/demo/hook-callback.js b/demo/hook-callback.js
index 7daaba6f..1014aafd 100644
--- a/demo/hook-callback.js
+++ b/demo/hook-callback.js
@@ -1360,8 +1360,11 @@ else {
                                                    applyAcl /* for recursive application of ACL */) {
           let opType = aclArgs[4];
           if (opType === 'x') {
-            let url = normalizedArgs[0].trim().toLowerCase();
-            if (url.startsWith('blob:') || url.startsWith('data:')) {
+            let url = new URL(normalizedArgs[0], hook.parameters.baseURI);
+            if (url.protocol === 'blob:' || url.protocol === 'data:') {
+              return false;
+            }
+            if (!url.pathname.match(/\.m?js$/)) {
               return false;
             }
           }
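Review bot: `new URL(normalizedArgs[0], hook.parameters.baseURI)` throws a TypeError on an argument it cannot parse (for example an absolute URL with a malformed host), and nothing in this hunk catches it, so where the old `startsWith` code would simply have returned a verdict, the exception now propagates out of the ACL callback. Wrap the construction in a try/catch that returns false so the check fails closed. A smaller behaviour change worth a comment: the old code lowercased the URL, while the new `/\.m?js$/` test has no `i` flag, so `worker.JS` is now denied; that is a stricter default, but it should be deliberate rather than incidental.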
@@ -1389,8 +1392,11 @@ else {
                                                           applyAcl /* for recursive application of ACL */) {
           let opType = aclArgs[4];
           if (opType === 'x') {
-            let url = normalizedArgs[0].trim().toLowerCase();
-            if (url.startsWith('blob:') || url.startsWith('data:')) {
+            let url = new URL(normalizedArgs[0], hook.parameters.baseURI);
+            if (url.protocol === 'blob:' || url.protocol === 'data:') {
+              return false;
+            }
+            if (!url.pathname.match(/\.m?js$/)) {
               return false;
             }
           }
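Review bot: this hunk is a verbatim copy of the change at line 1360 (same URL construction, same protocol test, same regex), so the two Worker paths can drift apart on the next edit. Move the check into a single helper, something like `isAllowedWorkerScriptUrl(url, baseURI)` (name suggested, not in the patch), and call it from both sites; that also means the missing try/catch around `new URL()`, which applies here too, only has to be added once.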
t2ym added a commit that referenced this issue Aug 28, 2019
@t2ym t2ym closed this as completed in b9a1561 Aug 28, 2019
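The check the fix introduces, as an added stand-alone example (not the project's own code): it resolves the Worker URL against a constructed base URI standing in for `hook.parameters.baseURI`, adds a try/catch so unparsable input is denied instead of thrown, and runs constructed inputs through the rule to show what it does and does not cover.

```javascript
// Added example, not code from the project: a stand-alone version of the
// Worker-URL ACL check from the fix, written to fail closed on unparsable input.
// BASE_URI is a constructed value standing in for hook.parameters.baseURI.
const BASE_URI = 'https://app.example.test/demo/index.html';

// true only for a URL the ACL should let a Worker load: resolvable, not
// blob:/data:, and with a pathname ending in .js or .mjs (same regex as the fix).
function isAllowedWorkerScript(rawUrl, baseURI = BASE_URI) {
  let url;
  try {
    url = new URL(rawUrl, baseURI); // resolves relative paths, like the hunk
  } catch (e) {
    return false; // new URL() throws on bad input: deny instead of propagating
  }
  if (url.protocol === 'blob:' || url.protocol === 'data:') {
    return false;
  }
  // Only the path is tested, so ".js" in a query string or fragment does not count.
  return /\.m?js$/.test(url.pathname);
}

// Constructed inputs paired with the verdict the rule gives each one.
const SAMPLES = [
  ['worker.js', true],                          // /demo/worker.js
  ['../lib/worker.mjs', true],                  // /lib/worker.mjs
  ['/assets/worker.js?v=2#frag', true],         // query and fragment ignored
  ['https://cdn.example.test/w.js', true],      // cross-origin: this rule alone allows it
  ['blob:https://app.example.test/constructed-id', false],
  ['data:text/javascript,postMessage(1)', false],
  ['worker.php?file=x.js', false],              // .js only in the query
  ['worker.js/', false],                        // trailing slash
  ['worker.js%2F..%2Fx.php', false],            // encoded slashes stay in the path
  ['worker.JS', false],                         // regex is case-sensitive
  ['http://[bad', false],                       // invalid URL: new URL() throws
];

// Runs every sample; returns one record per input with its verdict.
function runSamples() {
  return SAMPLES.map(([input, expected]) => {
    const got = isAllowedWorkerScript(input);
    return { input, expected, got, ok: got === expected };
  });
}

for (const r of runSamples()) {
  console.log(`${r.ok ? 'ok  ' : 'FAIL'} ${r.input} -> ${r.got}`);
}
```

Note that the extension rule says nothing about origin: a cross-origin `.js` passes this check, so it complements rather than replaces CSP `worker-src` or an origin allow-list.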