2021-05-11 09:36:58 +02:00
|
|
|
import {strict as assert} from "assert";
|
|
|
|
|
|
|
|
import type {Page} from "puppeteer";
|
|
|
|
|
|
|
|
import common from "../puppeteer_lib/common";
|
|
|
|
|
|
|
|
async function test_add_linkifier(page: Page): Promise<void> {
|
|
|
|
await page.waitForSelector(".admin-linkifier-form", {visible: true});
|
|
|
|
await common.fill_form(page, "form.admin-linkifier-form", {
|
|
|
|
pattern: "#(?P<id>[0-9]+)",
|
|
|
|
url_format_string: "https://trac.example.com/ticket/%(id)s",
|
|
|
|
});
|
|
|
|
await page.click("form.admin-linkifier-form button.button");
|
|
|
|
|
|
|
|
const admin_linkifier_status_selector = "div#admin-linkifier-status";
|
|
|
|
await page.waitForSelector(admin_linkifier_status_selector, {visible: true});
|
|
|
|
const admin_linkifier_status = await common.get_text_from_selector(
|
|
|
|
page,
|
|
|
|
admin_linkifier_status_selector,
|
|
|
|
);
|
|
|
|
assert.strictEqual(admin_linkifier_status, "Custom linkifier added!");
|
|
|
|
|
|
|
|
await page.waitForSelector(".linkifier_row", {visible: true});
|
|
|
|
assert.strictEqual(
|
|
|
|
await common.get_text_from_selector(page, ".linkifier_row span.linkifier_pattern"),
|
|
|
|
"#(?P<id>[0-9]+)",
|
|
|
|
);
|
|
|
|
assert.strictEqual(
|
|
|
|
await common.get_text_from_selector(
|
|
|
|
page,
|
|
|
|
".linkifier_row span.linkifier_url_format_string",
|
|
|
|
),
|
|
|
|
"https://trac.example.com/ticket/%(id)s",
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
async function test_delete_linkifier(page: Page): Promise<void> {
|
|
|
|
await page.click(".linkifier_row .delete");
|
|
|
|
await page.waitForSelector(".linkifier_row", {hidden: true});
|
|
|
|
}
|
|
|
|
|
|
|
|
async function test_add_invalid_linkifier_pattern(page: Page): Promise<void> {
|
|
|
|
await page.waitForSelector(".admin-linkifier-form", {visible: true});
|
|
|
|
await common.fill_form(page, "form.admin-linkifier-form", {
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
pattern: "(foo",
|
2021-05-11 09:36:58 +02:00
|
|
|
url_format_string: "https://trac.example.com/ticket/%(id)s",
|
|
|
|
});
|
|
|
|
await page.click("form.admin-linkifier-form button.button");
|
|
|
|
|
2021-06-07 11:38:57 +02:00
|
|
|
await page.waitForSelector("div#admin-linkifier-status", {visible: true});
|
2021-05-11 09:36:58 +02:00
|
|
|
assert.strictEqual(
|
2021-06-07 11:38:57 +02:00
|
|
|
await common.get_text_from_selector(page, "div#admin-linkifier-status"),
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
"Failed: Bad regular expression: missing ): (foo",
|
2021-05-11 09:36:58 +02:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
async function test_edit_linkifier(page: Page): Promise<void> {
|
|
|
|
await page.click(".linkifier_row .edit");
|
2021-07-05 20:30:47 +02:00
|
|
|
await page.waitForFunction(() => document.activeElement?.id === "dialog_widget_modal");
|
2021-05-11 09:36:58 +02:00
|
|
|
await common.fill_form(page, "form.linkifier-edit-form", {
|
|
|
|
pattern: "(?P<num>[0-9a-f]{40})",
|
|
|
|
url_format_string: "https://trac.example.com/commit/%(num)s",
|
|
|
|
});
|
2021-07-05 20:30:47 +02:00
|
|
|
await page.click(".dialog_submit_button");
|
2021-05-11 09:36:58 +02:00
|
|
|
|
2021-07-05 20:30:47 +02:00
|
|
|
await page.waitForSelector("#dialog_widget_modal", {hidden: true});
|
2021-06-03 16:28:48 +02:00
|
|
|
await common.wait_for_modal_to_close(page);
|
2021-05-11 09:36:58 +02:00
|
|
|
|
|
|
|
await page.waitForSelector(".linkifier_row", {visible: true});
|
|
|
|
await page.waitForFunction(
|
|
|
|
() => document.querySelector(".linkifier_pattern")?.textContent === "(?P<num>[0-9a-f]{40})",
|
|
|
|
);
|
|
|
|
assert.strictEqual(
|
|
|
|
await common.get_text_from_selector(
|
|
|
|
page,
|
|
|
|
".linkifier_row span.linkifier_url_format_string",
|
|
|
|
),
|
|
|
|
"https://trac.example.com/commit/%(num)s",
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
async function test_edit_invalid_linkifier(page: Page): Promise<void> {
|
|
|
|
await page.click(".linkifier_row .edit");
|
2021-07-05 20:30:47 +02:00
|
|
|
await page.waitForFunction(() => document.activeElement?.id === "dialog_widget_modal");
|
2021-05-11 09:36:58 +02:00
|
|
|
await common.fill_form(page, "form.linkifier-edit-form", {
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
pattern: "#(?P<id>d????)",
|
|
|
|
url_format_string: "????",
|
2021-05-11 09:36:58 +02:00
|
|
|
});
|
2021-07-05 20:30:47 +02:00
|
|
|
await page.click(".dialog_submit_button");
|
2021-05-11 09:36:58 +02:00
|
|
|
|
2021-07-05 20:30:47 +02:00
|
|
|
const edit_linkifier_pattern_status_selector = "div#dialog_error";
|
2021-05-11 09:36:58 +02:00
|
|
|
await page.waitForSelector(edit_linkifier_pattern_status_selector, {visible: true});
|
|
|
|
const edit_linkifier_pattern_status = await common.get_text_from_selector(
|
|
|
|
page,
|
|
|
|
edit_linkifier_pattern_status_selector,
|
|
|
|
);
|
|
|
|
assert.strictEqual(
|
|
|
|
edit_linkifier_pattern_status,
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
"Failed: Bad regular expression: bad repetition operator: ????",
|
2021-05-11 09:36:58 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
const edit_linkifier_format_status_selector = "div#edit-linkifier-format-status";
|
|
|
|
await page.waitForSelector(edit_linkifier_format_status_selector, {visible: true});
|
|
|
|
const edit_linkifier_format_status = await common.get_text_from_selector(
|
|
|
|
page,
|
|
|
|
edit_linkifier_format_status_selector,
|
|
|
|
);
|
2021-10-20 03:08:44 +02:00
|
|
|
assert.strictEqual(edit_linkifier_format_status, "Failed: Enter a valid URL.");
|
2021-05-11 09:36:58 +02:00
|
|
|
|
2021-07-05 20:30:47 +02:00
|
|
|
await page.click(".close-modal-btn");
|
|
|
|
await page.waitForSelector("#dialog_widget_modal", {hidden: true});
|
2021-05-11 09:36:58 +02:00
|
|
|
|
|
|
|
await page.waitForSelector(".linkifier_row", {visible: true});
|
|
|
|
assert.strictEqual(
|
|
|
|
await common.get_text_from_selector(page, ".linkifier_row span.linkifier_pattern"),
|
|
|
|
"(?P<num>[0-9a-f]{40})",
|
|
|
|
);
|
|
|
|
assert.strictEqual(
|
|
|
|
await common.get_text_from_selector(
|
|
|
|
page,
|
|
|
|
".linkifier_row span.linkifier_url_format_string",
|
|
|
|
),
|
|
|
|
"https://trac.example.com/commit/%(num)s",
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
async function linkifier_test(page: Page): Promise<void> {
|
|
|
|
await common.log_in(page);
|
|
|
|
await common.manage_organization(page);
|
|
|
|
await page.click("li[data-section='linkifier-settings']");
|
|
|
|
|
|
|
|
await test_add_linkifier(page);
|
|
|
|
await test_edit_linkifier(page);
|
|
|
|
await test_edit_invalid_linkifier(page);
|
|
|
|
await test_add_invalid_linkifier_pattern(page);
|
|
|
|
await test_delete_linkifier(page);
|
|
|
|
}
|
|
|
|
|
|
|
|
common.run_test(linkifier_test);
|