fix(compiler): disallow i18n of security-sensitive attributes #39554
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
josephperrott
added
the
area: compiler
bjarkler
force-pushed
the
i18n-attribute-security
branch
from
ee12e9f
to
7d0c6b1
Compare
petebacondarwin
added
the
target: major
14 tasks
bjarkler
force-pushed
the
i18n-attribute-security
branch
from
7d0c6b1
to
2898f35
Compare
bjarkler
changed the title
AndrewKushnir
approved these changes
Nov 19, 2020
AndrewKushnir
added
the
action: cleanup
bjarkler
force-pushed
the
i18n-attribute-security
branch
from
2898f35
to
d391b8d
Compare
IgorMinar
approved these changes
Nov 19, 2020
Create a schema with an associated function to classify Trusted Types sinks. Piggyback a typo fix.
Make it possible to report errors from the I18nMetaVisitor parser.
To minimize security risk (XSS in particular) in the i18n pipeline, disallow i18n translation of attributes that are Trusted Types sinks. Add integration tests to ensure that such sinks cannot be translated.
Previously all constant values of security-sensitive attributes and properties were promoted to Trusted Types. While this is not inherently bad, it is also not optimal. Use the newly added Trusted Types schema to restrict promotion to constants that are in a Trusted Types-relevant context.
Script tags, inline event handlers and other script contexts are forbidden or stripped from Angular templates by the compiler. In the context of Trusted Types, this leaves no sinks that require use of a TrustedScript. This means that trustConstantScript is never used, and can be removed.
bjarkler
force-pushed
the
i18n-attribute-security
branch
from
d391b8d
to
e676df2
Compare
|
Thanks for the comments everyone. I think all of them have been addressed now. Just started a global presubmit; will update the PR tomorrow with the results. |
IgorMinar
removed
the
action: cleanup
IgorMinar
added
action: merge
|
I'm unflagging this as a breaking change since we have no evidence that there is any valid use of this feature today. |
IgorMinar
removed
the
target: major
AndrewKushnir
added
the
action: presubmit
|
FYI, adding the "presubmit" label since we are waiting for TAP run results from @bjarkler. |
|
@bjarkler, please let us know once you get presubmit results so we can proceed with merging this PR. Thank you. |
AndrewKushnir
removed
the
action: presubmit
|
Just a quick note: we've discussed this offline with @bjarkler and this PR is ready to go. Thank you. |
AndrewKushnir
pushed a commit
that referenced
this pull request
Nov 23, 2020
Make it possible to report errors from the I18nMetaVisitor parser. PR Close #39554
AndrewKushnir
pushed a commit
that referenced
this pull request
Nov 23, 2020
To minimize security risk (XSS in particular) in the i18n pipeline, disallow i18n translation of attributes that are Trusted Types sinks. Add integration tests to ensure that such sinks cannot be translated. PR Close #39554
AndrewKushnir
pushed a commit
that referenced
this pull request
Nov 23, 2020
…#39554) Previously all constant values of security-sensitive attributes and properties were promoted to Trusted Types. While this is not inherently bad, it is also not optimal. Use the newly added Trusted Types schema to restrict promotion to constants that are in a Trusted Types-relevant context. PR Close #39554
AndrewKushnir
pushed a commit
that referenced
this pull request
Nov 23, 2020
…39554) Script tags, inline event handlers and other script contexts are forbidden or stripped from Angular templates by the compiler. In the context of Trusted Types, this leaves no sinks that require use of a TrustedScript. This means that trustConstantScript is never used, and can be removed. PR Close #39554
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
pullapprove
bot
removed
the
area: compiler
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
It is currently possible to mark security-sensitive attributes for i18n translation, e.g.:
This is a feature that should have very little use, but at the same time introduces complexity and security risk in the i18n pipeline.
What is the new behavior?
The above template now generates a parsing error:
(The same error occurs when using
ng extract-i18n.)Note that this only applies to attributes/properties that are relevant to Trusted Types, which are now enumerated in trusted_types_schema.ts:
frame.srcdoc*.innerHTML*.outerHTMLembed.srcobject.codebaseobject.dataThese can be considered the most risky attributes/properties in terms of XSS. (Note that the script tag, inline event handlers, and other attributes/properties of a script context are not relevant here as they are already forbidden or stripped out by the compiler.)
Piggyback:
trustConstScript, as it was never needed.Does this PR introduce a breaking change?
This seems to be used extremely rarely. Sifting through GitHub search results for i18n-src only reveals a single result that might be affected by this change. (Note that e.g.
<img i18n-srcis not affected, since it is not a security-sensitive attribute.)For applications that need to migrate away from this pattern, translation can be done in the corresponding TS file and regular interpolation used in the Angular template instead.
Other information