Skip to content

fix(core): convert legacy-sanitized values to Trusted Types#39218

Closed
bjarkler wants to merge 4 commits into
angular:masterfrom
bjarkler:trusted-types-legacy-bypass
Closed

fix(core): convert legacy-sanitized values to Trusted Types#39218
bjarkler wants to merge 4 commits into
angular:masterfrom
bjarkler:trusted-types-legacy-bypass

Conversation

@bjarkler

@bjarkler bjarkler commented Oct 10, 2020

Copy link
Copy Markdown
Contributor

When an application uses a custom sanitizer or one of the
bypassSecurityTrust functions, Angular has no way of knowing whether
they are implemented in a secure way. (It doesn't even know if they're
introduced by the application or by a shady third-party dependency.)
Thus using Angular's main Trusted Types policy to bless values coming
from these two sources would undermine the security that Trusted Types
brings.

Instead, introduce a Trusted Types policy called
angular#unsafe-legacy-bypass specifically for blessing values from these
sources. (The term legacy is used as there will be a new way of
implementing sanitizers that support Trusted Types.) This allows an
application to enforce Trusted Types even when their sanitizer or
bypassSecurityTrust function calls have not been migrated, knowing that
compromises to either of these two sources may lead to arbitrary script
execution.

Applications that have migrated to the new Trusted Types compatible
sanitizers should not allow the angular#unsafe-legacy-bypass policy.

This is based on #39217. See the individual commits for more details.

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • angular.io application / infrastructure changes
  • Other... Please describe:

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

This is part of an ongoing effort to add support for Trusted Types to Angular.

@google-cla google-cla Bot added the cla: yes label Oct 10, 2020
@bjarkler bjarkler mentioned this pull request Oct 10, 2020
Closed
14 tasks
@bjarkler bjarkler force-pushed the trusted-types-legacy-bypass branch 6 times, most recently from 5466312 to 12f1ebb Compare October 11, 2020 18:31
@bjarkler bjarkler mentioned this pull request Oct 11, 2020
Closed
23 tasks
@bjarkler bjarkler force-pushed the trusted-types-legacy-bypass branch 2 times, most recently from 4fb768d to ac3f614 Compare October 13, 2020 18:42
IgorMinar
IgorMinar suggested changes Oct 13, 2020
View reviewed changes

@IgorMinar IgorMinar left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the rest looks good to me.

Comment thread packages/core/src/render3/interfaces/renderer.ts Outdated
@pullapprove pullapprove Bot requested a review from IgorMinar October 13, 2020 18:56
@bjarkler bjarkler force-pushed the trusted-types-legacy-bypass branch from ac3f614 to 8bd50c2 Compare October 13, 2020 21:15
IgorMinar
IgorMinar approved these changes Oct 13, 2020
View reviewed changes

@IgorMinar IgorMinar left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks great to me now!

Reviewed-for: global-approvers, fw-security

@IgorMinar IgorMinar added the target: minor This PR is targeted for the next minor release label Oct 13, 2020
@atscott atscott added the area: core Issues related to the framework runtime label Oct 13, 2020
@ngbot ngbot Bot added this to the needsTriage milestone Oct 13, 2020
@bjarkler

bjarkler commented Oct 13, 2020

Copy link
Copy Markdown
Contributor Author

There might still be typing issues with this PR (it modifies the ɵɵsanitize* instructions to return Trusted Types), so let's wait for the tests to pass before merging.

@bjarkler bjarkler force-pushed the trusted-types-legacy-bypass branch 2 times, most recently from 2149a01 to 6d7547a Compare October 14, 2020 23:21
@bjarkler
feat(core): allow returning Trusted Types from SanitizerFn
7c7a4a6 
Sanitizers in Angular currently return strings, which will then
eventually make their way down to the DOM, e.g. as the value of an
attribute or property. This may cause a Trusted Types violation. As a
step towards fixing that, make it possible to return Trusted Types from
the SanitizerFn interface, which represents the internal sanitization
pipeline. DOM renderer interfaces are also updated to reflect the fact
that setAttribute and setAttributeNS must be able to accept Trusted
Types.
@bjarkler
refactor(core): make HTML sanitizer return TrustedHTML
e51f402 
Make Angular's HTML sanitizer return a TrustedHTML, as its output is
trusted not to cause XSS vulnerabilities when used in a context where a
browser may parse and evaluate HTML. Also update tests to reflect the
new behaviour.
@bjarkler
feat(core): create a Trusted Types policy for bypass conversions
6971c7b 
When an application uses a custom sanitizer or one of the
bypassSecurityTrust functions, Angular has no way of knowing whether
they are implemented in a secure way. (It doesn't even know if they're
introduced by the application or by a shady third-party dependency.)
Thus using Angular's main Trusted Types policy to bless values coming
from these two sources would undermine the security that Trusted Types
brings.

Instead, introduce a Trusted Types policy called angular#unsafe-bypass
specifically for blessing values from these sources. This allows an
application to enforce Trusted Types even if their application uses a
custom sanitizer or the bypassSecurityTrust functions, knowing that
compromises to either of these two sources may lead to arbitrary script
execution. In the future Angular will provide a way to implement
custom sanitizers in a manner that makes better use of Trusted Types.
@bjarkler
fix(core): convert legacy-sanitized values to Trusted Types
15b75c8 
Use the bypass-specific Trusted Types policy for automatically upgrade
any values from custom sanitizers or the bypassSecurityTrust functions
to a Trusted Type. Update tests to reflect the new behavior.
@bjarkler bjarkler force-pushed the trusted-types-legacy-bypass branch from 6d7547a to 15b75c8 Compare October 15, 2020 17:44
@IgorMinar IgorMinar added the action: merge The PR is ready for merge by the caretaker label Oct 16, 2020
@IgorMinar IgorMinar mentioned this pull request Oct 16, 2020
Closed
14 tasks
AndrewKushnir pushed a commit that referenced this pull request Oct 16, 2020
@bjarkler @AndrewKushnir
refactor(core): make HTML sanitizer return TrustedHTML (#39218)
9ec2bad 
Make Angular's HTML sanitizer return a TrustedHTML, as its output is
trusted not to cause XSS vulnerabilities when used in a context where a
browser may parse and evaluate HTML. Also update tests to reflect the
new behaviour.

PR Close #39218
AndrewKushnir pushed a commit that referenced this pull request Oct 16, 2020
@bjarkler @AndrewKushnir
feat(core): create a Trusted Types policy for bypass conversions (#39218
49197d1 
)

When an application uses a custom sanitizer or one of the
bypassSecurityTrust functions, Angular has no way of knowing whether
they are implemented in a secure way. (It doesn't even know if they're
introduced by the application or by a shady third-party dependency.)
Thus using Angular's main Trusted Types policy to bless values coming
from these two sources would undermine the security that Trusted Types
brings.

Instead, introduce a Trusted Types policy called angular#unsafe-bypass
specifically for blessing values from these sources. This allows an
application to enforce Trusted Types even if their application uses a
custom sanitizer or the bypassSecurityTrust functions, knowing that
compromises to either of these two sources may lead to arbitrary script
execution. In the future Angular will provide a way to implement
custom sanitizers in a manner that makes better use of Trusted Types.

PR Close #39218
AndrewKushnir pushed a commit that referenced this pull request Oct 16, 2020
@bjarkler @AndrewKushnir
fix(core): convert legacy-sanitized values to Trusted Types (#39218)
81aa119 
Use the bypass-specific Trusted Types policy for automatically upgrade
any values from custom sanitizers or the bypassSecurityTrust functions
to a Trusted Type. Update tests to reflect the new behavior.

PR Close #39218
@angular-automatic-lock-bot

angular-automatic-lock-bot Bot commented Nov 17, 2020

Copy link
Copy Markdown

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot Bot locked and limited conversation to collaborators Nov 17, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@IgorMinar IgorMinar IgorMinar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: core Issues related to the framework runtime cla: yes target: minor This PR is targeted for the next minor release

Projects

None yet

Milestone

needsTriage

Development

Successfully merging this pull request may close these issues.

3 participants

@bjarkler @IgorMinar @atscott