amorfo77/sogo
1
0
Fork 0
mirror of https://github.com/inverse-inc/sogo.git synced 2026-03-10 09:21:23 +00:00
Code Issues Projects Releases Wiki Activity

fix(security): Security fix for WSTG-INPV-02. Add XSS protection on folders and mail title / content

Browse Source
This commit is contained in:
smizrahi
2022-11-22 10:09:41 +01:00
parent dcbfd830d4
commit 1e0f5f0089
1 changed files with 47 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
SoObjects/SOGo/NSString+Utilities.m
View File

@@ -898,35 +898,49 @@ static int cssEscapingCount;
*/
- (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode
{
NSString *result, *text;
NSScanner *theScanner;
NSError *error;
// NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty)
if (NSClassFromString(@"NSRegularExpression")) {
NSString *result, *text;
NSScanner *theScanner;
NSError *error;
NSUInteger numberOfMatches;
NSRegularExpression *regex;
text = nil;
error = nil;
result = [NSString stringWithString: self];
text = nil;
error = nil;
result = [NSString stringWithString: self];
regex = nil;
if (stripHTMLCode) {
// Author : https://www.codercrunch.com/question/1251681838/how-remove-html-tags-string-ios
theScanner = [NSScanner scannerWithString: result];
while ([theScanner isAtEnd] == NO) {
// find start of tag
[theScanner scanUpToString: @"<" intoString: NULL];
// find end of tag
[theScanner scanUpToString: @">" intoString: &text];
// replace the found tag with a space
//(you can filter multi-spaces out later if you wish)
result = [result stringByReplacingOccurrencesOfString:
[NSString stringWithFormat: @"%@>", text]
withString: @" "];
}
} else {
// Clean XSS
// Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot
// NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty)
if (NSClassFromString(@"NSRegularExpression")) {
NSRegularExpression *regex = nil;
if (stripHTMLCode) {
// Author : https://www.codercrunch.com/question/1251681838/how-remove-html-tags-string-ios
theScanner = [NSScanner scannerWithString: result];
while ([theScanner isAtEnd] == NO) {
// find start of tag
[theScanner scanUpToString: @"<" intoString: NULL];
// find end of tag
[theScanner scanUpToString: @">" intoString: &text];
// Check that text is not <xxx@xx.net
regex = [NSRegularExpression regularExpressionWithPattern:@"^<[a-zA-Z.\\-_]+@[a-zA-Z.\\-_]+.[a-zA-Z]+$"
options: NSRegularExpressionCaseInsensitive error:&error];
numberOfMatches = 0;
if (text && !error) {
numberOfMatches = [regex numberOfMatchesInString: text
options:0
range:NSMakeRange(0, [text length])];
if (0 == numberOfMatches) {
// replace the found tag with a space
//(you can filter multi-spaces out later if you wish)
result = [result stringByReplacingOccurrencesOfString:
[NSString stringWithFormat: @"%@>", text]
withString: @" "];
}
}
}
} else {
// Clean XSS
// Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot
// Remove javascript:
regex = [NSRegularExpression regularExpressionWithPattern:@"j[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*a[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*v[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*a[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*s[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*c[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*r[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*i[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*p[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*t[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*:"
@@ -967,10 +981,12 @@ static int cssEscapingCount;
regex = [NSRegularExpression regularExpressionWithPattern:@"onmouseover="
options: NSRegularExpressionCaseInsensitive error:&error];
result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"onmouseo***="];
}
}
return result;
}
return result;
} else {
return self;
}
}
@end