-
Notifications
You must be signed in to change notification settings - Fork 26.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Route Loader Trusted Types Violation Fix (#34730)
Linked to issue #32209. ## Feature - [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. - [x] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Documentation added - [ ] Telemetry added. In case of a feature if it's used or not. - [ ] Errors have helpful link attached, see `contributing.md` ## Documentation There is one tsec violation that is fixed in this PR: ### 1. ban-script-src-assignment: route-loader.ts XSS can occur with the line script.src = src in appendScript(src, script) if src can be controlled by a malicious user. From tracing through the code, it was determined that src comes from the function `getFilesForRoute(route)`. The behaviour of this function differs depending on the environment (development vs. production), but in both cases the function will construct strings that lead to valid file paths. These strings depend on two variables: `assetPrefix` and `route`, but due to the nature of the constructed strings it was determined that the scripts here are safe to use. Thus, the solution was to promote these strings to `TrustedScriptURL`s. This is the Trusted Types way of declaring that the script URL passed to the DOM sink is safe from DOM XSS attacks. To create a `TrustedScriptURL`, a policy needs to be created. This policy was put in its own file: `client/trusted-types.ts`. This policy has the name `nextjs`. If this name should be changed to something else, feel free to change it now. However, once it is released to the public and application developers begin using it, it may be harder to change the value since any application developers with a custom policy name allowlist would now need to update their `next.config.js` headers to allow this new name. The code was tested in a sample application to ensure it behaved as expected.
- Loading branch information
Showing
5 changed files
with
65 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
/** | ||
* Stores the Trusted Types Policy. Starts as undefined and can be set to null | ||
* if Trusted Types is not supported in the browser. | ||
*/ | ||
let policy: TrustedTypePolicy | null | undefined | ||
|
||
/** | ||
* Getter for the Trusted Types Policy. If it is undefined, it is instantiated | ||
* here or set to null if Trusted Types is not supported in the browser. | ||
*/ | ||
function getPolicy() { | ||
if (typeof policy === 'undefined' && typeof window !== 'undefined') { | ||
policy = | ||
window.trustedTypes?.createPolicy('nextjs', { | ||
createHTML: (input) => input, | ||
createScript: (input) => input, | ||
createScriptURL: (input) => input, | ||
}) || null | ||
} | ||
|
||
return policy | ||
} | ||
|
||
/** | ||
* Unsafely promote a string to a TrustedScriptURL, falling back to strings | ||
* when Trusted Types are not available. | ||
* This is a security-sensitive function; any use of this function | ||
* must go through security review. In particular, it must be assured that the | ||
* provided string will never cause an XSS vulnerability if used in a context | ||
* that will cause a browser to load and execute a resource, e.g. when | ||
* assigning to script.src. | ||
*/ | ||
export function __unsafeCreateTrustedScriptURL( | ||
url: string | ||
): TrustedScriptURL | string { | ||
return getPolicy()?.createScriptURL(url) || url | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters