fix: mitigate "sequential @import chaining" vulnerability (#5616)

* `test/e2e-cypress/tests/features/xss/` -> `test/e2e-cypress/tests/security` * add tests * filter <style> tags out of Markdown fields * initialize OAuth inputs without applying `value` attribute
2019-09-20 13:19:08 -07:00
parent c8ad396301
commit 5f6ec8ce1d
11 changed files with 143 additions and 7 deletions
--- a/test/e2e-cypress/static/documents/petstore-expanded.openapi.yaml
+++ b/test/e2e-cypress/static/documents/petstore-expanded.openapi.yaml
@@ -13,6 +13,8 @@ info:
    url: https://www.apache.org/licenses/LICENSE-2.0.html
 servers:
  - url: http://petstore.swagger.io/api
+security:
+  - Petstore: []
 paths:
  /pets:
    get:
@@ -152,4 +154,13 @@ components:
          type: integer
          format: int32
        message:
-          type: string
+          type: string
+  securitySchemes:
+    Petstore:
+      type: oauth2
+      flows: 
+        implicit:
+          authorizationUrl: https://example.com/api/oauth/dialog
+          scopes:
+            write:pets: modify pets in your account
+            read:pets: read your pets
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css
@@ -0,0 +1,7 @@
+* {
+  color: red !important; /* for humans */
+}
+
+h4 {
+  display: none; /* for machines, used to trace whether this sheet is applied */
+}
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml
@@ -0,0 +1,10 @@
+openapi: "3.0.0"
+
+info:
+  title: Sequential Import Chaining
+  description: >
+    <h4>This h4 would be hidden by the injected CSS</h4>
+
+    This document tests the ability of a `<style>` tag in a Markdown field to pull in a remote stylesheet using an `@import` directive.
+
+    <style>@import url(/documents/security/sequential-import-chaining/injection.css);</style>
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml
@@ -0,0 +1,10 @@
+swagger: "2.0"
+
+info:
+  title: Sequential Import Chaining
+  description: >
+    <h4>This h4 would be hidden by the injected CSS</h4>
+
+    This document tests the ability of a `<style>` tag in a Markdown field to pull in a remote stylesheet using an `@import` directive.
+
+    <style>@import url(/documents/security/sequential-import-chaining/injection.css);</style>
--- a/test/e2e-cypress/static/documents/security/xss-oauth2.yaml
+++ b/test/e2e-cypress/static/documents/security/xss-oauth2.yaml
--- a/test/e2e-cypress/tests/features/xss/oauth2.js
+++ b/test/e2e-cypress/tests/features/xss/oauth2.js
@@ -1,6 +1,6 @@
 describe("XSS: OAuth2 authorizationUrl sanitization", () => {
  it("should filter out a javascript URL", () => {
-    cy.visit("/?url=/documents/xss/oauth2.yaml")
+    cy.visit("/?url=/documents/security/xss-oauth2.yaml")
      .window()
      .then(win => {
        let args = null
--- a/test/e2e-cypress/tests/security/sequential-import-chaining.js
+++ b/test/e2e-cypress/tests/security/sequential-import-chaining.js
@@ -0,0 +1,58 @@
+describe("Security: CSS Sequential Import Chaining", () => {
+  describe("in OpenAPI 3.0", () => {
+    describe("CSS Injection via Markdown", () => {
+      it("should filter <style> tags out of Markdown fields", () => {
+        cy.visit("/?url=/documents/security/sequential-import-chaining/openapi.yaml")
+          .get("div.information-container")
+          .should("exist")
+          .and("not.have.descendants", "style")
+      })
+      it("should not apply `@import`ed CSS stylesheets", () => {
+        cy.visit("/?url=/documents/security/sequential-import-chaining/openapi.yaml")
+          .wait(500) // HACK: wait for CSS import to settle
+          .get("div.info h4")
+          .should("have.length", 1)
+          .and("not.be.hidden")
+      })
+    })
+    describe("Value Exfiltration via CSS", () => {
+      it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
+        cy.visit("/?url=/documents/petstore-expanded.openapi.yaml")
+          .get(".scheme-container > .schemes > .auth-wrapper > .btn > span")
+          .click()
+          .get("div > div > .wrapper > .block-tablet > #client_id")
+          .clear()
+          .type("abc")
+          .should("not.have.attr", "value", "abc")
+      })
+    })
+  })
+  describe("in Swagger 2.0", () => {
+    describe("CSS Injection via Markdown", () => {
+      it("should filter <style> tags out of Markdown fields", () => {
+        cy.visit("/?url=/documents/security/sequential-import-chaining/swagger.yaml")
+          .get("div.information-container")
+          .should("exist")
+          .and("not.have.descendants", "style")
+      })
+      it("should not apply `@import`ed CSS stylesheets", () => {
+        cy.visit("/?url=/documents/security/sequential-import-chaining/swagger.yaml")
+          .wait(500) // HACK: wait for CSS import to settle
+          .get("div.info h4")
+          .should("have.length", 1)
+          .and("not.be.hidden")
+      })
+    })
+    describe("Value Exfiltration via CSS", () => {
+      it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
+        cy.visit("/?url=/documents/petstore.swagger.yaml")
+          .get(".scheme-container > .schemes > .auth-wrapper > .btn > span")
+          .click()
+          .get("div > div > .wrapper > .block-tablet > #client_id")
+          .clear()
+          .type("abc")
+          .should("not.have.attr", "value", "abc")
+      })
+    })
+  })
+})