diff --git a/changelog/unreleased/fix-email-xsite-scripting.md b/changelog/unreleased/fix-email-xsite-scripting.md new file mode 100644 index 00000000000..a8783f6215f --- /dev/null +++ b/changelog/unreleased/fix-email-xsite-scripting.md @@ -0,0 +1,6 @@ +Enhancement: Fix to prevent the email X-Site scripting + +Fix to prevent the email notification X-Site scripting + +https://github.com/owncloud/ocis/pull/6386 +https://github.com/owncloud/ocis/issues/6429 diff --git a/go.sum b/go.sum index 037214eef2d..d00fd4ca468 100644 --- a/go.sum +++ b/go.sum @@ -629,8 +629,6 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4= github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc= github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA= -github.com/cs3org/reva/v2 v2.13.4-0.20230531095732-bc9a3b635ec3 h1:T+W3zPmlPAaHlKhzBcW809PvcGUJJ+v1QF+JzdPRegU= -github.com/cs3org/reva/v2 v2.13.4-0.20230531095732-bc9a3b635ec3/go.mod h1:vMQqSn30fEPHO/GKC2WmGimlOPqvfSy4gdhRSpbvrWc= github.com/cs3org/reva/v2 v2.13.4-0.20230531122629-be4a2122a96c h1:gv0m1qVAkUtF/9PAP9xwp+jkjtajCAeGEhiO6dDOMcI= github.com/cs3org/reva/v2 v2.13.4-0.20230531122629-be4a2122a96c/go.mod h1:vMQqSn30fEPHO/GKC2WmGimlOPqvfSy4gdhRSpbvrWc= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI= diff --git a/services/notifications/pkg/email/composer.go b/services/notifications/pkg/email/composer.go index 3342cdbea5a..8a9c61bc522 100644 --- a/services/notifications/pkg/email/composer.go +++ b/services/notifications/pkg/email/composer.go @@ -9,7 +9,7 @@ import ( ) // NewTextTemplate replace the body message template placeholders with the translated template -func NewTextTemplate(mt MessageTemplate, locale string, translationPath string, vars map[string]interface{}) (MessageTemplate, error) { +func NewTextTemplate(mt MessageTemplate, locale string, translationPath string, vars map[string]string) (MessageTemplate, error) { var err error t := l10n.NewTranslator(locale, translationPath) mt.Subject, err = composeMessage(t.Translate(mt.Subject), vars) @@ -32,7 +32,7 @@ func NewTextTemplate(mt MessageTemplate, locale string, translationPath string, } // NewHTMLTemplate replace the body message template placeholders with the translated template -func NewHTMLTemplate(mt MessageTemplate, locale string, translationPath string, vars map[string]interface{}) (MessageTemplate, error) { +func NewHTMLTemplate(mt MessageTemplate, locale string, translationPath string, vars map[string]string) (MessageTemplate, error) { var err error t := l10n.NewTranslator(locale, translationPath) mt.Subject, err = composeMessage(t.Translate(mt.Subject), vars) @@ -55,7 +55,7 @@ func NewHTMLTemplate(mt MessageTemplate, locale string, translationPath string, } // composeMessage renders the message based on template -func composeMessage(tmpl string, vars map[string]interface{}) (string, error) { +func composeMessage(tmpl string, vars map[string]string) (string, error) { tpl, err := template.New("").Parse(replacePlaceholders(tmpl)) if err != nil { return "", err diff --git a/services/notifications/pkg/email/email.go b/services/notifications/pkg/email/email.go index e4779779f21..733f86388d9 100644 --- a/services/notifications/pkg/email/email.go +++ b/services/notifications/pkg/email/email.go @@ -6,6 +6,7 @@ package email import ( "bytes" "embed" + "html" "html/template" "io/fs" "os" @@ -23,7 +24,7 @@ var ( ) // RenderEmailTemplate renders the email template for a new share -func RenderEmailTemplate(mt MessageTemplate, locale string, emailTemplatePath string, translationPath string, vars map[string]interface{}) (*channels.Message, error) { +func RenderEmailTemplate(mt MessageTemplate, locale string, emailTemplatePath string, translationPath string, vars map[string]string) (*channels.Message, error) { textMt, err := NewTextTemplate(mt, locale, translationPath, vars) if err != nil { return nil, err @@ -36,8 +37,7 @@ func RenderEmailTemplate(mt MessageTemplate, locale string, emailTemplatePath st if err != nil { return nil, err } - - htmlMt, err := NewHTMLTemplate(mt, locale, translationPath, vars) + htmlMt, err := NewHTMLTemplate(mt, locale, translationPath, escapeStringMap(vars)) if err != nil { return nil, err } @@ -135,3 +135,10 @@ func validateMime(incipit []byte) bool { } return false } + +func escapeStringMap(vars map[string]string) map[string]string { + for k := range vars { + vars[k] = html.EscapeString(vars[k]) + } + return vars +} diff --git a/services/notifications/pkg/email/templates/html/email.html.tmpl b/services/notifications/pkg/email/templates/html/email.html.tmpl index f7345fe96c6..f36f0766693 100644 --- a/services/notifications/pkg/email/templates/html/email.html.tmpl +++ b/services/notifications/pkg/email/templates/html/email.html.tmpl @@ -11,9 +11,8 @@ {{ .Greeting }}

{{ .MessageBody }} - {{if ne .CallToAction "" }} -

{{ .CallToAction }} - {{end}} + {{if ne .CallToAction "" }}

+ {{ .CallToAction }}{{end}} diff --git a/services/notifications/pkg/service/service.go b/services/notifications/pkg/service/service.go index e5f67a3925a..b187f81ddbd 100644 --- a/services/notifications/pkg/service/service.go +++ b/services/notifications/pkg/service/service.go @@ -98,7 +98,7 @@ func (s eventsNotifier) Run() error { } func (s eventsNotifier) render(ctx context.Context, template email.MessageTemplate, - granteeFieldName string, fields map[string]interface{}, granteeList []*user.User, sender string) ([]*channels.Message, error) { + granteeFieldName string, fields map[string]string, granteeList []*user.User, sender string) ([]*channels.Message, error) { // Render the Email Template for each user messageList := make([]*channels.Message, len(granteeList)) for i, usr := range granteeList { diff --git a/services/notifications/pkg/service/service_test.go b/services/notifications/pkg/service/service_test.go index fdc64410c9f..925fcc4bbf7 100644 --- a/services/notifications/pkg/service/service_test.go +++ b/services/notifications/pkg/service/service_test.go @@ -82,7 +82,7 @@ var _ = Describe("Notifications", func() { Entry("Share Created", testChannel{ expectedReceipients: []string{sharee.GetMail()}, expectedSubject: "Dr. S. Harer shared 'secrets of the board' with you", - expectedMessage: `Hello Eric Expireling + expectedTextBody: `Hello Eric Expireling Dr. S. Harer has shared "secrets of the board" with you. @@ -107,7 +107,7 @@ https://owncloud.com Entry("Share Expired", testChannel{ expectedReceipients: []string{sharee.GetMail()}, expectedSubject: "Share to 'secrets of the board' expired at 2023-04-17 16:42:00", - expectedMessage: `Hello Eric Expireling, + expectedTextBody: `Hello Eric Expireling, Your share to secrets of the board has expired at 2023-04-17 16:42:00 @@ -132,7 +132,7 @@ https://owncloud.com Entry("Added to Space", testChannel{ expectedReceipients: []string{sharee.GetMail()}, expectedSubject: "Dr. S. Harer invited you to join secret space", - expectedMessage: `Hello Eric Expireling, + expectedTextBody: `Hello Eric Expireling, Dr. S. Harer has invited you to join "secret space". @@ -157,7 +157,7 @@ https://owncloud.com Entry("Removed from Space", testChannel{ expectedReceipients: []string{sharee.GetMail()}, expectedSubject: "Dr. S. Harer removed you from secret space", - expectedMessage: `Hello Eric Expireling, + expectedTextBody: `Hello Eric Expireling, Dr. S. Harer has removed you from "secret space". @@ -183,7 +183,7 @@ https://owncloud.com Entry("Space Expired", testChannel{ expectedReceipients: []string{sharee.GetMail()}, expectedSubject: "Membership of 'secret space' expired at 2023-04-17 16:42:00", - expectedMessage: `Hello Eric Expireling, + expectedTextBody: `Hello Eric Expireling, Your membership of space secret space has expired at 2023-04-17 16:42:00 @@ -208,11 +208,209 @@ https://owncloud.com ) }) +var _ = Describe("Notifications X-Site Scripting", func() { + var ( + gwc *cs3mocks.GatewayAPIClient + vs *settingssvc.MockValueService + sharer = &user.User{ + Id: &user.UserId{ + OpaqueId: "sharer", + }, + Mail: "sharer@owncloud.com", + DisplayName: "Dr. O'reilly", + } + sharee = &user.User{ + Id: &user.UserId{ + OpaqueId: "sharee", + }, + Mail: "sharee@owncloud.com", + DisplayName: "", + } + resourceid = &provider.ResourceId{ + StorageId: "storageid", + SpaceId: "spaceid", + OpaqueId: "itemid", + } + ) + + BeforeEach(func() { + gwc = &cs3mocks.GatewayAPIClient{} + gwc.On("GetUser", mock.Anything, mock.Anything).Return(&user.GetUserResponse{Status: &rpc.Status{Code: rpc.Code_CODE_OK}, User: sharer}, nil).Once() + gwc.On("GetUser", mock.Anything, mock.Anything).Return(&user.GetUserResponse{Status: &rpc.Status{Code: rpc.Code_CODE_OK}, User: sharee}, nil).Once() + gwc.On("Authenticate", mock.Anything, mock.Anything).Return(&gateway.AuthenticateResponse{Status: &rpc.Status{Code: rpc.Code_CODE_OK}, User: sharer}, nil) + gwc.On("Stat", mock.Anything, mock.Anything).Return(&provider.StatResponse{ + Status: &rpc.Status{Code: rpc.Code_CODE_OK}, + Info: &provider.ResourceInfo{ + Name: "", + Space: &provider.StorageSpace{Name: ""}}, + }, nil) + vs = &settingssvc.MockValueService{} + vs.GetValueByUniqueIdentifiersFunc = func(ctx context.Context, req *settingssvc.GetValueByUniqueIdentifiersRequest, opts ...client.CallOption) (*settingssvc.GetValueResponse, error) { + return nil, nil + } + }) + + DescribeTable("Sending notifications", + func(tc testChannel, ev events.Event) { + cfg := defaults.FullDefaultConfig() + cfg.GRPCClientTLS = &shared.GRPCClientTLS{} + _ = ogrpc.Configure(ogrpc.GetClientOptions(cfg.GRPCClientTLS)...) + ch := make(chan events.Event) + evts := service.NewEventsNotifier(ch, tc, log.NewLogger(), gwc, vs, "", "", "") + go evts.Run() + + ch <- ev + select { + case <-tc.done: + // finished + case <-time.Tick(3 * time.Second): + Fail("timeout waiting for notification") + } + }, + + Entry("Share Created", testChannel{ + expectedReceipients: []string{sharee.GetMail()}, + expectedSubject: "Dr. O'reilly shared '' with you", + expectedTextBody: `Hello + +Dr. O'reilly has shared "" with you. + +Click here to view it: files/shares/with-me + + +--- +ownCloud - Store. Share. Work. +https://owncloud.com +`, + expectedHTMLBody: ` + + + + + + +
+ + + + + + + + + + + + + + + +
  + Hello <script>alert('Eric Expireling');</script> +

+ Dr. O'reilly has shared "<script>alert('secrets of the board');</script>" with you. +

+ Click here to view it: files/shares/with-me +
 
  + +
 
+
+ + +`, + expectedSender: sharer.GetDisplayName(), + + done: make(chan struct{}), + }, events.Event{ + Event: events.ShareCreated{ + Sharer: sharer.GetId(), + GranteeUserID: sharee.GetId(), + CTime: utils.TimeToTS(time.Date(2023, 4, 17, 16, 42, 0, 0, time.UTC)), + ItemID: resourceid, + }, + }), + + Entry("Added to Space", testChannel{ + expectedReceipients: []string{sharee.GetMail()}, + expectedSubject: "Dr. O'reilly invited you to join ", + expectedTextBody: `Hello , + +Dr. O'reilly has invited you to join "". + +Click here to view it: f/spaceid + + +--- +ownCloud - Store. Share. Work. +https://owncloud.com +`, + expectedSender: sharer.GetDisplayName(), + expectedHTMLBody: ` + + + + + + +
+ + + + + + + + + + + + + + + +
  + Hello <script>alert('Eric Expireling');</script>, +

+ Dr. O'reilly has invited you to join "<script>alert('secret space');</script>". +

+ Click here to view it: f/spaceid +
 
  + +
 
+
+ + +`, + done: make(chan struct{}), + }, events.Event{ + Event: events.SpaceShared{ + Executant: sharer.GetId(), + Creator: sharer.GetId(), + GranteeUserID: sharee.GetId(), + ID: &provider.StorageSpaceId{OpaqueId: "spaceid"}, + }, + }), + ) +}) + // NOTE: This is explictitly not testing the message itself. Should we? type testChannel struct { expectedReceipients []string expectedSubject string - expectedMessage string + expectedTextBody string + expectedHTMLBody string expectedSender string done chan struct{} } @@ -220,10 +418,13 @@ type testChannel struct { func (tc testChannel) SendMessage(ctx context.Context, m *channels.Message) error { defer GinkgoRecover() - Expect(m.Recipient).To(Equal(tc.expectedReceipients)) - Expect(m.Subject).To(Equal(tc.expectedSubject)) - Expect(m.TextBody).To(Equal(tc.expectedMessage)) - Expect(m.Sender).To(Equal(tc.expectedSender)) + Expect(tc.expectedReceipients).To(Equal(m.Recipient)) + Expect(tc.expectedSubject).To(Equal(m.Subject)) + Expect(tc.expectedTextBody).To(Equal(m.TextBody)) + Expect(tc.expectedSender).To(Equal(m.Sender)) + if tc.expectedHTMLBody != "" { + Expect(tc.expectedHTMLBody).To(Equal(m.HTMLBody)) + } tc.done <- struct{}{} return nil } diff --git a/services/notifications/pkg/service/shares.go b/services/notifications/pkg/service/shares.go index 1182ea38ee5..c4349436ecd 100644 --- a/services/notifications/pkg/service/shares.go +++ b/services/notifications/pkg/service/shares.go @@ -44,7 +44,7 @@ func (s eventsNotifier) handleShareCreated(e events.ShareCreated) { sharerDisplayName := owner.GetDisplayName() recipientList, err := s.render(ownerCtx, email.ShareCreated, "ShareGrantee", - map[string]interface{}{ + map[string]string{ "ShareSharer": sharerDisplayName, "ShareFolder": resourceInfo.Name, "ShareLink": shareLink, @@ -84,7 +84,7 @@ func (s eventsNotifier) handleShareExpired(e events.ShareExpired) { recipientList, err := s.render(ownerCtx, email.ShareExpired, "ShareGrantee", - map[string]interface{}{ + map[string]string{ "ShareFolder": resourceInfo.GetName(), "ExpiredAt": e.ExpiredAt.Format("2006-01-02 15:04:05"), }, granteeList, owner.GetDisplayName()) diff --git a/services/notifications/pkg/service/spaces.go b/services/notifications/pkg/service/spaces.go index 37af8171330..d764e9f5a86 100644 --- a/services/notifications/pkg/service/spaces.go +++ b/services/notifications/pkg/service/spaces.go @@ -57,7 +57,7 @@ func (s eventsNotifier) handleSpaceShared(e events.SpaceShared) { sharerDisplayName := executant.GetDisplayName() recipientList, err := s.render(executantCtx, email.SharedSpace, "SpaceGrantee", - map[string]interface{}{ + map[string]string{ "SpaceSharer": sharerDisplayName, "SpaceName": resourceInfo.GetSpace().GetName(), "ShareLink": shareLink, @@ -117,7 +117,7 @@ func (s eventsNotifier) handleSpaceUnshared(e events.SpaceUnshared) { sharerDisplayName := executant.GetDisplayName() recipientList, err := s.render(executantCtx, email.UnsharedSpace, "SpaceGrantee", - map[string]interface{}{ + map[string]string{ "SpaceSharer": sharerDisplayName, "SpaceName": resourceInfo.GetSpace().Name, "ShareLink": shareLink, @@ -149,7 +149,7 @@ func (s eventsNotifier) handleSpaceMembershipExpired(e events.SpaceMembershipExp recipientList, err := s.render(ownerCtx, email.MembershipExpired, "SpaceGrantee", - map[string]interface{}{ + map[string]string{ "SpaceName": e.SpaceName, "ExpiredAt": e.ExpiredAt.Format("2006-01-02 15:04:05"), }, granteeList, owner.GetDisplayName())