fix: webxdc: CSP bypass

This doesn't appear to fix an exploitable vulnerability because `host-rules` is already set to disable network access, so "XDC-01-002 WP1" from the Cure53 audit has not been brought back ever since the initial fix. Initially fixed in a9e5242 Reintroduced in fd1f8ce Related refactor commit 2cd310e Also bring back and improve the PDF comment about "XDC-01-005 WP1"
deltachat · Jul 5, 2024 · 5417b58 · 5417b58
1 parent 52df841
commit 5417b58
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@
 - Fix the problem of Quit menu item on WebXDC apps closes the whole DC app #3995
 - minor performance improvements #3981
 - fix chat list items (e.g. Archive) and contacts not showing up sometimes #4004
+- fix CSP bypass in webxdc (not a vulnerability) #4011
 
 <a id="1_46_1"></a>
 

diff --git a/src/main/deltachat/webxdc.ts b/src/main/deltachat/webxdc.ts
@@ -123,24 +123,46 @@ export default class DCWebxdc extends SplitOut {
       if (!accounts_sessions.includes(accountId)) {
         accounts_sessions.push(accountId)
         ses.protocol.handle('webxdc', async request => {
-          const get_headers = (mime_type: string | undefined) => {
+          /**
+           * Make sure to only `return makeResponse()` because it sets headers
+           * that are important for security, namely `Content-Security-Policy`.
+           * Failing to set CSP might result in the app being able to create
+           * an <iframe> with no CSP, e.g. `<iframe src="/no_such_file.lol">`
+           * within which they can then do whatever
+           * through the parent frame, see
+           * "XDC-01-002 WP1: Full CSP bypass via desktop app webxdc.js"
+           * https://public.opentech.fund/documents/XDC-01-report_2_1.pdf
+           */
+          const makeResponse = (
+            body: BodyInit,
+            responseInit: Omit<ResponseInit, 'headers'>,
+            mime_type?: undefined | string
+          ) => {
             const headers = new Headers()
             if (!open_apps[id].internet_access) {
               headers.append('Content-Security-Policy', CSP)
             }
+            // Ensure that the client doesn't try to interpret a file as
+            // one with 'application/pdf' mime type and therefore open it
+            // in the PDF viewer, see
+            // "XDC-01-005 WP1: Full CSP bypass via desktop app PDF embed"
+            // https://public.opentech.fund/documents/XDC-01-report_2_1.pdf
             headers.append('X-Content-Type-Options', 'nosniff')
             if (mime_type) {
               headers.append('content-type', mime_type)
             }
-            return headers
+            return new Response(body, {
+              ...responseInit,
+              headers,
+            })
           }
 
           const url = new URL(request.url)
           const [account, msg] = url.hostname.split('.')
           const id = `${account}.${msg}`
 
           if (!open_apps[id]) {
-            return new Response('', { status: 500 })
+            return makeResponse('', { status: 500 })
           }
 
           let filename = url.pathname
@@ -164,11 +186,10 @@ export default class DCWebxdc extends SplitOut {
           }
 
           if (filename === WRAPPER_PATH) {
-            return new Response(
+            return makeResponse(
               await readFile(join(htmlDistDir(), '/webxdc_wrapper.html')),
-              {
-                headers: get_headers(mimeType),
-              }
+              {},
+              mimeType
             )
           } else if (filename === 'webxdc.js') {
             const displayName = Buffer.from(
@@ -179,15 +200,14 @@ export default class DCWebxdc extends SplitOut {
             )
 
             // initializes the preload script, the actual implementation of `window.webxdc` is found there: static/webxdc-preload.js
-            return new Response(
+            return makeResponse(
               Buffer.from(
                 `window.parent.webxdc_internal.setup("${selfAddr}","${displayName}")
                 window.webxdc = window.parent.webxdc
                 window.webxdc_custom = window.parent.webxdc_custom`
               ),
-              {
-                headers: get_headers(mimeType),
-              }
+              {},
+              mimeType
             )
           } else {
             try {
@@ -199,12 +219,10 @@ export default class DCWebxdc extends SplitOut {
                 ),
                 'base64'
               )
-              return new Response(blob, {
-                headers: get_headers(mimeType),
-              })
+              return makeResponse(blob, {}, mimeType)
             } catch (error) {
               log.error('webxdc: load blob:', error)
-              return new Response('', { status: 404 })
+              return makeResponse('', { status: 404 })
             }
           }
         })