fix: anchor tag safety (via #4789)

shockey · web-flow · commit dd3afdc45656 · 2018-08-04T00:54:03.000-07:00
* v3.17.6

* release(3.17.6): rebuild dist

* add failing tests

* fix Link component

* fix OnlineValidatorBadge component

* switch from &lt;a&gt; to &lt;Link&gt; in operation components

* make Markdown inputs safe

* use Link component in Info block, for target safety

* add eslint rule for unsafe `target` usage
diff --git a/.eslintrc b/.eslintrc
@@ -24,6 +24,13 @@
     "import"
   ],
 
+  "settings": {
+    "react": {
+      "pragma": "React",
+      "version": "15.0"
+    }
+  },
+
   "rules": {
     "semi": [2, "never"],
     "strict": 0,
@@ -37,6 +44,7 @@
     "comma-dangle": 0,
     "no-console": ["error", { allow: ["warn", "error"] }],
     "react/jsx-no-bind": 1,
+    "react/jsx-no-target-blank": 2,
     "react/display-name": 0,
     "mocha/no-exclusive-tests": "error",
     "import/no-extraneous-dependencies": [2]
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -100,7 +100,7 @@
     "eslint": "^4.1.1",
     "eslint-plugin-import": "^2.13.0",
     "eslint-plugin-mocha": "^4.11.0",
-    "eslint-plugin-react": "~7.7.0",
+    "eslint-plugin-react": "^7.10.0",
     "expect": "^1.20.2",
     "extract-text-webpack-plugin": "^3.0.2",
     "file-loader": "^1.1.11",
diff --git a/src/core/components/info.jsx b/src/core/components/info.jsx
@@ -25,22 +25,25 @@ export class InfoBasePath extends React.Component {
 
 class Contact extends React.Component {
   static propTypes = {
-    data: PropTypes.object
+    data: PropTypes.object,
+    getComponent: PropTypes.func.isRequired
   }
 
   render(){
-    let { data } = this.props
+    let { data, getComponent } = this.props
     let name = data.get("name") || "the developer"
     let url = data.get("url")
     let email = data.get("email")
 
+    const Link = getComponent("Link")
+
     return (
       <div>
-        { url && <div><a href={ sanitizeUrl(url) } target="_blank">{ name } - Website</a></div> }
+        { url && <div><Link href={ sanitizeUrl(url) } target="_blank">{ name } - Website</Link></div> }
         { email &&
-          <a href={sanitizeUrl(`mailto:${email}`)}>
+          <Link href={sanitizeUrl(`mailto:${email}`)}>
             { url ? `Send email to ${name}` : `Contact ${name}`}
-          </a>
+          </Link>
         }
       </div>
     )
@@ -49,18 +52,23 @@ class Contact extends React.Component {
 
 class License extends React.Component {
   static propTypes = {
-    license: PropTypes.object
+    license: PropTypes.object,
+    getComponent: PropTypes.func.isRequired
+
   }
 
   render(){
-    let { license } = this.props
+    let { license, getComponent } = this.props
+
+    const Link = getComponent("Link")
+  
     let name = license.get("name") || "License"
     let url = license.get("url")
 
     return (
       <div>
         {
-          url ? <a target="_blank" href={ sanitizeUrl(url) }>{ name }</a>
+          url ? <Link target="_blank" href={ sanitizeUrl(url) }>{ name }</Link>
         : <span>{ name }</span>
         }
       </div>
@@ -70,12 +78,17 @@ class License extends React.Component {
 
 export class InfoUrl extends React.PureComponent {
   static propTypes = {
-    url: PropTypes.string.isRequired
+    url: PropTypes.string.isRequired,
+    getComponent: PropTypes.func.isRequired
   }
 
+  
   render() {
-    const { url } = this.props
-    return <a target="_blank" href={ sanitizeUrl(url) }><span className="url"> { url } </span></a>
+    const { url, getComponent } = this.props
+
+    const Link = getComponent("Link")
+
+    return <Link target="_blank" href={ sanitizeUrl(url) }><span className="url"> { url } </span></Link>
   }
 }
 
@@ -100,6 +113,7 @@ export default class Info extends React.Component {
     const { url:externalDocsUrl, description:externalDocsDescription } = (externalDocs || fromJS({})).toJS()
 
     const Markdown = getComponent("Markdown")
+    const Link = getComponent("Link")
     const VersionStamp = getComponent("VersionStamp")
     const InfoUrl = getComponent("InfoUrl")
     const InfoBasePath = getComponent("InfoBasePath")
@@ -111,7 +125,7 @@ export default class Info extends React.Component {
             { version && <VersionStamp version={version}></VersionStamp> }
           </h2>
           { host || basePath ? <InfoBasePath host={ host } basePath={ basePath } /> : null }
-          { url && <InfoUrl url={url} /> }
+          { url && <InfoUrl getComponent={getComponent} url={url} /> }
         </hgroup>
 
         <div className="description">
@@ -120,14 +134,14 @@ export default class Info extends React.Component {
 
         {
           termsOfService && <div>
-            <a target="_blank" href={ sanitizeUrl(termsOfService) }>Terms of service</a>
+            <Link target="_blank" href={ sanitizeUrl(termsOfService) }>Terms of service</Link>
           </div>
         }
 
-        { contact && contact.size ? <Contact data={ contact } /> : null }
-        { license && license.size ? <License license={ license } /> : null }
+        {contact && contact.size ? <Contact getComponent={getComponent} data={ contact } /> : null }
+        {license && license.size ? <License getComponent={getComponent} license={ license } /> : null }
         { externalDocsUrl ?
-            <a target="_blank" href={sanitizeUrl(externalDocsUrl)}>{externalDocsDescription || externalDocsUrl}</a>
+            <Link target="_blank" href={sanitizeUrl(externalDocsUrl)}>{externalDocsDescription || externalDocsUrl}</Link>
         : null }
 
       </div>
diff --git a/src/core/components/layout-utils.jsx b/src/core/components/layout-utils.jsx
@@ -196,7 +196,7 @@ export class Select extends React.Component {
 export class Link extends React.Component {
 
   render() {
-    return <a {...this.props} className={xclass(this.props.className, "link")}/>
+    return <a {...this.props} rel="noopener noreferrer" className={xclass(this.props.className, "link")}/>
   }
 
 }
diff --git a/src/core/components/online-validator-badge.jsx b/src/core/components/online-validator-badge.jsx
@@ -54,7 +54,7 @@ export default class OnlineValidatorBadge extends React.Component {
         }
 
         return (<span style={{ float: "right"}}>
-                <a target="_blank" href={`${ sanitizedValidatorUrl }/debug?url=${ encodeURIComponent(this.state.url) }`}>
+                <a target="_blank" rel="noopener noreferrer" href={`${ sanitizedValidatorUrl }/debug?url=${ encodeURIComponent(this.state.url) }`}>
                     <ValidatorImage src={`${ sanitizedValidatorUrl }?url=${ encodeURIComponent(this.state.url) }`} alt="Online validator badge"/>
                 </a>
             </span>)
diff --git a/src/core/components/operation-tag.jsx b/src/core/components/operation-tag.jsx
@@ -46,6 +46,7 @@ export default class OperationTag extends React.Component {
     const Collapse = getComponent("Collapse")
     const Markdown = getComponent("Markdown")
     const DeepLink = getComponent("DeepLink")
+    const Link = getComponent("Link")
 
     let tagDescription = tagObj.getIn(["tagDetails", "description"], null)
     let tagExternalDocsDescription = tagObj.getIn(["tagDetails", "externalDocs", "description"])
@@ -78,11 +79,11 @@ export default class OperationTag extends React.Component {
                     { tagExternalDocsDescription }
                       { tagExternalDocsUrl ? ": " : null }
                       { tagExternalDocsUrl ?
-                        <a
+                        <Link
                             href={sanitizeUrl(tagExternalDocsUrl)}
                             onClick={(e) => e.stopPropagation()}
-                            target={"_blank"}
-                            >{tagExternalDocsUrl}</a> : null
+                            target="_blank"
+                            >{tagExternalDocsUrl}</Link> : null
                           }
                   </small>
                 }
diff --git a/src/core/components/operation.jsx b/src/core/components/operation.jsx
@@ -99,6 +99,7 @@ export default class Operation extends PureComponent {
     const OperationServers = getComponent( "OperationServers" )
     const OperationExt = getComponent( "OperationExt" )
     const OperationSummary = getComponent( "OperationSummary" )
+    const Link = getComponent( "Link" )
 
     const { showExtensions } = getConfigs()
 
@@ -134,7 +135,7 @@ export default class Operation extends PureComponent {
                     <span className="opblock-external-docs__description">
                       <Markdown source={ externalDocs.description } />
                     </span>
-                    <a target="_blank" className="opblock-external-docs__link" href={ sanitizeUrl(externalDocs.url) }>{ externalDocs.url }</a>
+                    <Link target="_blank" className="opblock-external-docs__link" href={sanitizeUrl(externalDocs.url)}>{externalDocs.url}</Link>
                   </div>
                 </div> : null
               }
diff --git a/src/core/components/providers/markdown.jsx b/src/core/components/providers/markdown.jsx
@@ -4,6 +4,17 @@ import Remarkable from "remarkable"
 import DomPurify from "dompurify"
 import cx from "classnames"
 
+DomPurify.addHook("beforeSanitizeElements", function (current, ) {
+  // Attach safe `rel` values to all elements that contain an `href`,
+  // i.e. all anchors that are links.
+  // We _could_ just look for elements that have a non-self target,
+  // but applying it more broadly shouldn't hurt anything, and is safer.
+  if (current.href) {
+    current.setAttribute("rel", "noopener noreferrer")
+  }
+  return current
+})
+
 // eslint-disable-next-line no-useless-escape
 const isPlainText = (str) => /^[A-Z\s0-9!?\.]+$/gi.test(str)
 
@@ -15,13 +26,16 @@ function Markdown({ source, className = "" }) {
         {source}
       </div>
     }
-    const html = new Remarkable({
+
+    const md = new Remarkable({
         html: true,
         typographer: true,
         breaks: true,
         linkify: true,
         linkTarget: "_blank"
-    }).render(source)
+    })
+    
+    const html = md.render(source)
     const sanitized = sanitizer(html)
 
     if ( !source || !html || !sanitized ) {
diff --git a/src/core/plugins/oas3/wrap-components/markdown.js b/src/core/plugins/oas3/wrap-components/markdown.js
@@ -7,6 +7,8 @@ import { sanitizer } from "core/components/providers/markdown"
 
 const parser = new Remarkable("commonmark")
 
+parser.set({ linkTarget: "_blank" })
+
 export const Markdown = ({ source, className = "" }) => {
   if ( source ) {
     const html = parser.render(source)
diff --git a/test/components/markdown.js b/test/components/markdown.js
@@ -52,7 +52,7 @@ describe("Markdown component", function() {
         it("allows links", function() {
             const str = `[Link](https://example.com/)`
             const el = render(<Markdown source={str} />)
-            expect(el.html()).toEqual(`<div class="markdown"><p><a target="_blank" href="https://example.com/">Link</a></p>\n</div>`)
+            expect(el.html()).toEqual(`<div class="markdown"><p><a rel="noopener noreferrer" target="_blank" href="https://example.com/">Link</a></p>\n</div>`)
         })
     })
 
diff --git a/test/xss/anchor-target-rel/info.js b/test/xss/anchor-target-rel/info.js
diff --git a/test/xss/anchor-target-rel/link.js b/test/xss/anchor-target-rel/link.js
diff --git a/test/xss/anchor-target-rel/markdown.js b/test/xss/anchor-target-rel/markdown.js
diff --git a/test/xss/anchor-target-rel/online-validator-badge.js b/test/xss/anchor-target-rel/online-validator-badge.js

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ export class Select extends React.Component {`
`196`	`196`	`export class Link extends React.Component {`
`197`	`197`
`198`	`198`	`render() {`
`199`		`- return <a {...this.props} className={xclass(this.props.className, "link")}/>`
	`199`	`+ return <a {...this.props} rel="noopener noreferrer" className={xclass(this.props.className, "link")}/>`
`200`	`200`	`}`
`201`	`201`
`202`	`202`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ export default class OnlineValidatorBadge extends React.Component {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`return (<span style={{ float: "right"}}>`
`57`		- <a target="_blank" href={`${ sanitizedValidatorUrl }/debug?url=${ encodeURIComponent(this.state.url) }`}>
	`57`	+ <a target="_blank" rel="noopener noreferrer" href={`${ sanitizedValidatorUrl }/debug?url=${ encodeURIComponent(this.state.url) }`}>
`58`	`58`	<ValidatorImage src={`${ sanitizedValidatorUrl }?url=${ encodeURIComponent(this.state.url) }`} alt="Online validator badge"/>
`59`	`59`	`</a>`
`60`	`60`	`</span>)`