Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: webxdc: CSP bypass #4011

Merged
merged 3 commits into from
Jul 18, 2024
Merged

fix: webxdc: CSP bypass #4011

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5417b58
fix: webxdc: CSP bypass
WofWca Jul 5, 2024
6aba3bb
Update changelog
nicodh Jul 18, 2024
6a14e4b
Merge branch 'main' into wofwca/fix-webxdc-csp-bypass
nicodh Jul 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
- Fix the problem of Quit menu item on WebXDC apps closes the whole DC app #3995
- minor performance improvements #3981
- fix chat list items (e.g. Archive) and contacts not showing up sometimes #4004
- fix CSP bypass in webxdc (not a vulnerability) #4011

<a id="1_46_1"></a>

Expand Down
48 changes: 33 additions & 15 deletions src/main/deltachat/webxdc.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,24 +123,46 @@ export default class DCWebxdc extends SplitOut {
if (!accounts_sessions.includes(accountId)) {
accounts_sessions.push(accountId)
ses.protocol.handle('webxdc', async request => {
const get_headers = (mime_type: string | undefined) => {
/**
* Make sure to only `return makeResponse()` because it sets headers
* that are important for security, namely `Content-Security-Policy`.
* Failing to set CSP might result in the app being able to create
* an <iframe> with no CSP, e.g. `<iframe src="/no_such_file.lol">`
* within which they can then do whatever
* through the parent frame, see
* "XDC-01-002 WP1: Full CSP bypass via desktop app webxdc.js"
* https://public.opentech.fund/documents/XDC-01-report_2_1.pdf
*/
const makeResponse = (
body: BodyInit,
responseInit: Omit<ResponseInit, 'headers'>,
mime_type?: undefined | string
) => {
const headers = new Headers()
if (!open_apps[id].internet_access) {
headers.append('Content-Security-Policy', CSP)
}
// Ensure that the client doesn't try to interpret a file as
// one with 'application/pdf' mime type and therefore open it
// in the PDF viewer, see
// "XDC-01-005 WP1: Full CSP bypass via desktop app PDF embed"
// https://public.opentech.fund/documents/XDC-01-report_2_1.pdf
headers.append('X-Content-Type-Options', 'nosniff')
if (mime_type) {
headers.append('content-type', mime_type)
}
return headers
return new Response(body, {
...responseInit,
headers,
})
}

const url = new URL(request.url)
const [account, msg] = url.hostname.split('.')
const id = `${account}.${msg}`

if (!open_apps[id]) {
return new Response('', { status: 500 })
return makeResponse('', { status: 500 })
}

let filename = url.pathname
Expand All @@ -164,11 +186,10 @@ export default class DCWebxdc extends SplitOut {
}

if (filename === WRAPPER_PATH) {
return new Response(
return makeResponse(
await readFile(join(htmlDistDir(), '/webxdc_wrapper.html')),
{
headers: get_headers(mimeType),
}
{},
mimeType
)
} else if (filename === 'webxdc.js') {
const displayName = Buffer.from(
Expand All @@ -179,15 +200,14 @@ export default class DCWebxdc extends SplitOut {
)

// initializes the preload script, the actual implementation of `window.webxdc` is found there: static/webxdc-preload.js
return new Response(
return makeResponse(
Buffer.from(
`window.parent.webxdc_internal.setup("${selfAddr}","${displayName}")
window.webxdc = window.parent.webxdc
window.webxdc_custom = window.parent.webxdc_custom`
),
{
headers: get_headers(mimeType),
}
{},
mimeType
)
} else {
try {
Expand All @@ -199,12 +219,10 @@ export default class DCWebxdc extends SplitOut {
),
'base64'
)
return new Response(blob, {
headers: get_headers(mimeType),
})
return makeResponse(blob, {}, mimeType)
} catch (error) {
log.error('webxdc: load blob:', error)
return new Response('', { status: 404 })
return makeResponse('', { status: 404 })
}
}
})
Expand Down
Loading