WIP(core): introduce TrustedSanitizer interface#39219
Closed
bjarkler wants to merge 11 commits into
Closed
Conversation
To facilitate the upcoming Trusted Types support being added to Angular, add the TypeScript type definitions for the Trusted Types browser API as a dependency - in the root package.json and types.d.ts since they're needed for compiling the Angular packages, - in packages/core/package.json since the type definitions are required for compiling Angular applications, and - in integration tests as a result of updating packages/core/package.json.
ebde246 to
1009ea0
Compare
Add a module that provides a Trusted Types policy for use internally by Angular. The policy is created lazily and stored in a module-local variable. For now the module does not allow configuring custom policies or policy names, and instead creates its own policy with 'angular' as a fixed policy name. This is to more easily support tree-shakability. Helper functions for unsafely converting strings to each of the three Trusted Types are also introduced, with names that make it clear that their use requires a security review. When Trusted Types are not available, these helper functions fall back to returning strings.
Sanitizers in Angular currently return strings, which will then eventually make their way down to the DOM, e.g. as the value of an attribute or property. This may cause a Trusted Types violation. As a step towards fixing that, make it possible to return Trusted Types from the SanitizerFn interface, which represents the internal sanitization pipeline. DOM renderer interfaces are also updated to reflect the fact that setAttribute and setAttributeNS must be able to accept Trusted Types.
SafeValue objects are black boxes used to carry around strings that the application trusts not to be sanitized. These strings will eventually make their way unsanitized to the DOM, e.g. as the value of an attribute or property. This may cause a Trusted Types violation. As a step towards fixing that, add the ability to store Trusted Types in SafeValue objects. Also update the DomSanitizer interface to allow passing Trusted Types to the bypassSecurityTrust functions.
Make Angular's HTML sanitizer return a TrustedHTML, as its output is trusted not to cause XSS vulnerabilities when used in a context where a browser may parse and evaluate HTML. Also update tests to reflect the new behaviour.
When an application uses a custom sanitizer or one of the bypassSecurityTrust functions, Angular has no way of knowing whether they are implemented in a secure way. (It doesn't even know if they're introduced by the application or by a shady third-party dependency.) Thus using Angular's main Trusted Types policy to bless values coming from these two sources would undermine the security that Trusted Types brings. Instead, introduce a Trusted Types policy called angular#unsafe-legacy-bypass specifically for blessing values from these sources. (The term legacy is used as there will be a new way of implementing sanitizers that support Trusted Types.) This allows an application to enforce Trusted Types even their sanitizer or bypassSecurityTrust function calls have not been migrated, knowing that compromises to either of these two sources may lead to arbitrary script execution. Applications that have migrated to the new Trusted Types compatible sanitizers should not allow the angular#unsafe-legacy-bypass policy.
Use the Trusted Types policy for legacy conversions to automatically upgrade any values from custom sanitizers or the bypassSecurityTrust functions to a Trusted Type, provided they are not a Trusted Type already. Update tests to reflect the new behavior.
1009ea0 to
aeee7da
Compare
Create a new interface for sanitizers that support Trusted Types, called TrustedSanitizer. It is almost the same as the existing Sanitizer interface, but lets the sanitize function return a Trusted Type in addition to string and null. Also update Ivy's sanitization functions to pass sanitized values from TrustedSanitizers directly through.
When an application provides a TrustedSanitizer, make Ivy and ViewEngine prefer it over any Sanitizer that has been provided. Update associated types to accommodate the new TrustedSanitizer interface.
aeee7da to
f742407
Compare
23 tasks
Introduce a TrustedDomSanitizer interface for TrustedSanitizer, similar to the DomSanitizer that exists for Sanitizer, except that it allows the sanitizer to return Trusted Types and does not provide the bypassSecurityTrust functions. Also introduce a TrustedDomSanitizerImpl that behaves the same as TrustedDomSanitizer, except that it returns Trusted Types. The TrustedDomSanitizer is not used within Angular, but applications can depend on it to provide their own custom TrustedSanitizer that uses a Trusted Types polyfill to mark values that should not be sanitized.
…izerImpl To reduce code duplication, make DomSanitizerImpl use TrustedDomSanitizerImpl to perform any sanitization. The resulting Trusted Type is then converted to a string to satisfy the DomSanitizer interface.
14 tasks
Contributor
|
@bjarkler Is this PR still needed or can it be closed? |
Contributor
Author
|
@atscott, let's close it. We can always resurrect it if we realize we need it. :) |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Create a new interface for sanitizers that support Trusted Types, called
TrustedSanitizer. It is almost the same as the existing Sanitizer
interface, but lets the sanitize function return a Trusted Type in
addition to string and null.
Also update Ivy's sanitization functions to pass sanitized values
from TrustedSanitizers directly through.
When an application provides a TrustedSanitizer, make Ivy and ViewEngine
prefer it over any Sanitizer that has been provided. Update associated
types to accommodate the new TrustedSanitizer interface.
This is based on #39218. See the individual commits for more details.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
Does this PR introduce a breaking change?
Other information
This is part of an ongoing effort to add support for Trusted Types to Angular.