[23073] Add Angular expression escaping

Gemfile

@@ -95,6 +95,9 @@ gem 'rack-protection', git: 'https://github.com/finnlabs/rack-protection.git', r
 # https://github.com/kickstarter/rack-attack
 gem 'rack-attack'
 
+# Patch Rails HTML whitelisting for Angular curly braces
+gem 'rails-angular-xss', github: 'opf/rails-angular-xss'
+
 gem "syck", '~> 1.0.5', require: false
 gem 'gon', '~> 4.0'
 

Gemfile.lock

@@ -22,6 +22,13 @@ GIT
       hashie (>= 1.2, < 4)
       rack (>= 1.0, < 3)
 
+GIT
+  remote: git://github.com/opf/rails-angular-xss.git
+  revision: e149647a0d303114ee40f03141f9b5cc097bdf43
+  specs:
+    rails-angular-xss (0.1.0)
+      rails (>= 4.2.0, < 5.0)
+
 GIT
   remote: git://github.com/why-el/svg-graph.git
   revision: e79abffa66639ab203d099250c5d2656a4ebf917
@@ -88,15 +95,15 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.5.2)
-      actionpack (= 4.2.5.2)
-      actionview (= 4.2.5.2)
-      activejob (= 4.2.5.2)
+    actionmailer (4.2.6)
+      actionpack (= 4.2.6)
+      actionview (= 4.2.6)
+      activejob (= 4.2.6)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.5.2)
-      actionview (= 4.2.5.2)
-      activesupport (= 4.2.5.2)
+    actionpack (4.2.6)
+      actionview (= 4.2.6)
+      activesupport (= 4.2.6)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
@@ -105,29 +112,29 @@ GEM
       actionpack (>= 4.0.0, < 5.0)
     actionpack-xml_parser (1.0.2)
       actionpack (>= 4.0.0, < 5)
-    actionview (4.2.5.2)
-      activesupport (= 4.2.5.2)
+    actionview (4.2.6)
+      activesupport (= 4.2.6)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.5.2)
-      activesupport (= 4.2.5.2)
+    activejob (4.2.6)
+      activesupport (= 4.2.6)
       globalid (>= 0.3.0)
-    activemodel (4.2.5.2)
-      activesupport (= 4.2.5.2)
+    activemodel (4.2.6)
+      activesupport (= 4.2.6)
       builder (~> 3.1)
-    activerecord (4.2.5.2)
-      activemodel (= 4.2.5.2)
-      activesupport (= 4.2.5.2)
+    activerecord (4.2.6)
+      activemodel (= 4.2.6)
+      activesupport (= 4.2.6)
       arel (~> 6.0)
     activerecord-session_store (0.1.1)
       actionpack (>= 4.0.0, < 5)
       activerecord (>= 4.0.0, < 5)
       railties (>= 4.0.0, < 5)
     activerecord-tableless (1.3.4)
       activerecord (>= 2.3.0)
-    activesupport (4.2.5.2)
+    activesupport (4.2.6)
       i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
@@ -311,12 +318,12 @@ GEM
       launchy (~> 2.2)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     method_source (0.8.2)
-    mime-types (1.25.1)
+    mime-types (2.99.2)
     mini_portile2 (2.1.0)
-    minitest (5.8.0)
+    minitest (5.9.0)
     mixlib-shellout (2.1.0)
     multi_json (1.11.3)
     multi_test (0.1.2)
@@ -389,16 +396,16 @@ GEM
     rack_session_access (0.1.1)
       builder (>= 2.0.0)
       rack (>= 1.0.0)
-    rails (4.2.5.2)
-      actionmailer (= 4.2.5.2)
-      actionpack (= 4.2.5.2)
-      actionview (= 4.2.5.2)
-      activejob (= 4.2.5.2)
-      activemodel (= 4.2.5.2)
-      activerecord (= 4.2.5.2)
-      activesupport (= 4.2.5.2)
+    rails (4.2.6)
+      actionmailer (= 4.2.6)
+      actionpack (= 4.2.6)
+      actionview (= 4.2.6)
+      activejob (= 4.2.6)
+      activemodel (= 4.2.6)
+      activerecord (= 4.2.6)
+      activesupport (= 4.2.6)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.5.2)
+      railties (= 4.2.6)
       sprockets-rails
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
@@ -417,14 +424,14 @@ GEM
       rails (> 3.1)
     rails_serve_static_assets (0.0.4)
     rails_stdout_logging (0.0.4)
-    railties (4.2.5.2)
-      actionpack (= 4.2.5.2)
-      activesupport (= 4.2.5.2)
+    railties (4.2.6)
+      actionpack (= 4.2.6)
+      activesupport (= 4.2.6)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rainbow (2.0.0)
     raindrops (0.13.0)
-    rake (10.5.0)
+    rake (11.2.2)
     rb-readline (0.5.2)
     rdoc (4.2.0)
       json (~> 1.4)
@@ -640,6 +647,7 @@ DEPENDENCIES
   rack-test (~> 0.6.2)
   rack_session_access
   rails (~> 4.2.5)
+  rails-angular-xss!
   rails-observers
   rails_12factor
   rails_autolink (~> 1.1.6)

frontend/app/openproject-app.js

@@ -254,6 +254,11 @@ openprojectApp
              KeyboardShortcutService) {
       $http.defaults.headers.common.Accept = 'application/json';
 
+      // Set the escaping target of opening double curly braces
+      // This is what returned by rails-angular-xss when it discoveres double open curly braces
+      // See https://github.com/opf/rails-angular-xss for more information.
+      $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{';
+
       $rootScope.showNavigation =
         $window.sessionStorage.getItem('openproject:navigation-toggle') !==
         'collapsed';

spec/features/security/angular_xss_spec.rb

@@ -0,0 +1,71 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+require 'spec_helper'
+
+describe 'Angular expression escaping', type: :feature do
+  let(:login_field) { find('#username') }
+
+  before do
+    visit signin_path
+    within('#login-form') do
+      fill_in('username', with: login_string)
+      click_link_or_button I18n.t(:button_login)
+    end
+
+    expect(current_path).to eq signin_path
+  end
+
+  describe 'Simple expression' do
+    let(:login_string) { '{{ 3 + 5 }}' }
+
+    it 'does not evaluate the expression' do
+      expect(login_field.value).to eq('{{ DOUBLE_LEFT_CURLY_BRACE }} 3 + 5 }}')
+    end
+  end
+
+  context 'With JavaScript evaluation', js: true do
+    describe 'Simple expression' do
+      let(:login_string) { '{{ 3 + 5 }}' }
+
+      it 'does not evaluate the expression' do
+        expect(login_field.value).to eq(login_string)
+      end
+    end
+
+    describe 'Angular 1.3 Sandbox evading' do
+      let(:login_string) { "{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)'); }" }
+
+      it 'does not evaluate the expression' do
+        expect(login_field.value).to eq(login_string)
+        expect { page.driver.browser.switch_to.alert }
+          .to raise_error(::Selenium::WebDriver::Error::NoAlertPresentError)
+      end
+    end
+  end
+end