From ad7c7f819d047a936a0ddd6918837b8d51d34a2a Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Thu, 15 Jul 2021 19:32:47 +0100
Subject: [PATCH] SECURITY: Sanitize YouTube Onebox data (stable) (#13749)
CVE-2021-32764
---
 .../initializers/{lazyYT.js.es6 => lazyYT.js} | 2 ++
 .../assets/javascripts/{ => lib}/lazyYT.js | 16 +++++++++-------
 plugins/lazy-yt/plugin.rb | 18 +++++++++++++++---
 3 files changed, 26 insertions(+), 10 deletions(-)
 rename plugins/lazy-yt/assets/javascripts/initializers/{lazyYT.js.es6 => lazyYT.js} (92%)
 rename plugins/lazy-yt/assets/javascripts/{ => lib}/lazyYT.js (96%)
diff --git a/plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js.es6 b/plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js
similarity index 92%
rename from plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js.es6
rename to plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js
index 16c63d01d2..cbc4df3c68 100644
--- a/plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js.es6
+++ b/plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js
@@ -1,9 +1,11 @@
 import { withPluginApi } from "discourse/lib/plugin-api";
+import initLazyYt from "../lib/lazyYT";
 export default {
 name: "apply-lazyYT",
 initialize() {
 withPluginApi("0.1", (api) => {
+ initLazyYt($);
 api.decorateCooked(
 ($elem) => {
 const iframes = $(".lazyYT", $elem);
diff --git a/plugins/lazy-yt/assets/javascripts/lazyYT.js b/plugins/lazy-yt/assets/javascripts/lib/lazyYT.js
similarity index 96%
rename from plugins/lazy-yt/assets/javascripts/lazyYT.js
rename to plugins/lazy-yt/assets/javascripts/lib/lazyYT.js
index 8078671868..b6f3ddf669 100644
--- a/plugins/lazy-yt/assets/javascripts/lazyYT.js
+++ b/plugins/lazy-yt/assets/javascripts/lib/lazyYT.js
@@ -11,7 +11,9 @@
 *
 */
-(function ($) {
+import escape from "discourse-common/lib/escape";
+
+export default function initLazyYt($) {
 "use strict";
 function setUp($el, settings) {
@@ -75,13 +77,13 @@ innerHtml.push('
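Review bot: The `"use strict";` directive kept as the first statement of the new `export default function initLazyYt($)` body is now redundant, because the file became an ES module in this same hunk (`import escape from …` / `export default`) and module code is strict by default; as a function-level directive it reads as a leftover of the removed IIFE, so I would drop that line. `initLazyYt` continues past the end of the hunk, so I cannot confirm what else in the body still relies on being wrapped in a closure.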
');
 innerHtml.push( '' );
 if (title === undefined || title === null || title === "") {
- innerHtml.push("youtube.com/watch?v=" + id);
+ innerHtml.push("youtube.com/watch?v=" + escape(id));
 } else {
- innerHtml.push(title);
+ innerHtml.push(escape(title));
 }
 innerHtml.push("");
 innerHtml.push("
"); // .html5-title @@ -121,7 +123,7 @@ $( [ '', @@ -143,7 +145,7 @@ $el .html( '' @@ -170,4 +172,4 @@ setUp($el, settings); }); }; -})(jQuery); +} diff --git a/plugins/lazy-yt/plugin.rb b/plugins/lazy-yt/plugin.rb index c2756080b2..1cb3a63cf1 100644 --- a/plugins/lazy-yt/plugin.rb +++ b/plugins/lazy-yt/plugin.rb @@ -5,12 +5,10 @@ # version: 1.0.1 # authors: Arpit Jalan # url: https://github.com/discourse/discourse/tree/master/plugins/lazy-yt +# transpile_js: true hide_plugin if self.respond_to?(:hide_plugin) -# javascript -register_asset "javascripts/lazyYT.js" - # stylesheet register_asset "stylesheets/lazyYT.css" register_asset "stylesheets/lazyYT_mobile.scss", :mobile @@ -55,6 +53,20 @@ class Onebox::Engine::YoutubeOnebox end end + alias_method :old_video_id, :video_id + alias_method :old_list_id, :list_id + + def video_id + sanitize_yt_id(old_video_id) + end + + def list_id + sanitize_yt_id(old_list_id) + end + + def sanitize_yt_id(raw) + raw&.match?(/\A[\w-]+\z/) ? raw : nil + end end after_initialize do