migrate google-caja to npm

Author: RRosio

nbclassic/static/base/js/security.js

@@ -3,24 +3,124 @@
 
 define([
     'jquery',
-    'components/sanitizer/index',
-], function($, sanitizer) {
+    'components/google-caja-sanitizer/sanitizer',
+], function($, sanitize) {
     "use strict";
 
     var noop = function (x) { return x; };
-    var defaultSanitizer = sanitizer.defaultSanitizer;
+
+    var caja;
+    if (window && window.html) {
+        caja = window.html;
+        caja.html4 = window.html4;
+        caja.sanitizeStylesheet = window.sanitizeStylesheet;
+    }
+
+    var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
+        /**
+         * add trusting data-attributes to the default sanitizeAttribs from caja
+         * this function is mostly copied from the caja source
+         */
+        var ATTRIBS = caja.html4.ATTRIBS;
+        for (var i = 0; i < attribs.length; i += 2) {
+            var attribName = attribs[i];
+            if (attribName.substr(0,5) == 'data-') {
+                var attribKey = '*::' + attribName;
+                if (!ATTRIBS.hasOwnProperty(attribKey)) {
+                    ATTRIBS[attribKey] = 0;
+                }
+            }
+        }
+        // Caja doesn't allow data uri for img::src, see
+        // https://github.com/google/caja/issues/1558
+        // This is not a security issue for browser post ie6 though, so we
+        // disable the check
+        // https://www.owasp.org/index.php/Script_in_IMG_tags
+        ATTRIBS['img::src'] = 0;
+        return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
+    };
+
+    var sanitize_css = function (css, tagPolicy) {
+        /**
+         * sanitize CSS
+         * like sanitize_html, but for CSS
+         * called by sanitize_stylesheets
+         */
+        return caja.sanitizeStylesheet(
+            window.location.pathname,
+            css,
+            {
+                containerClass: null,
+                idSuffix: '',
+                tagPolicy: tagPolicy,
+                virtualizeAttrName: noop
+            },
+            noop
+        );
+    };
+
+    var sanitize_stylesheets = function (html, tagPolicy) {
+        /**
+         * sanitize just the css in style tags in a block of html
+         * called by sanitize_html, if allow_css is true
+         */
+        var h = $("<div/>").append(html);
+        var style_tags = h.find("style");
+        if (!style_tags.length) {
+            // no style tags to sanitize
+            return html;
+        }
+        style_tags.each(function(i, style) {
+            style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
+        });
+        return h.html();
+    };
 
     var sanitize_html = function (html, allow_css) {
         /**
          * sanitize HTML
          * if allow_css is true (default: false), CSS is sanitized as well.
          * otherwise, CSS elements and attributes are simply removed.
          */
-         const options = {};
-         if (!allow_css) {
-             options.allowedStyles = {};
-         }
-        return defaultSanitizer.sanitize(html, options);
+        var html4 = caja.html4;
+
+        if (allow_css) {
+            // allow sanitization of style tags,
+            // not just scrubbing
+            html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
+            html4.ATTRIBS.style = html4.atype.STYLE;
+        } else {
+            // scrub all CSS
+            html4.ELEMENTS.style |= html4.eflags.UNSAFE;
+            html4.ATTRIBS.style = html4.atype.SCRIPT;
+        }
+
+        var record_messages = function (msg, opts) {
+            console.log("HTML Sanitizer", msg, opts);
+        };
+
+        var policy = function (tagName, attribs) {
+            if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
+                return {
+                    'attribs': sanitizeAttribs(tagName, attribs,
+                        noop, noop, record_messages)
+                    };
+            } else {
+                record_messages(tagName + " removed", {
+                  change: "removed",
+                  tagName: tagName
+                });
+            }
+        };
+
+        var sanitized = caja.sanitizeWithPolicy(html, policy);
+
+        if (allow_css) {
+            // sanitize style tags as stylesheets
+            sanitized = sanitize_stylesheets(sanitized, policy);
+        }
+
+        return sanitized;
     };
 
     var sanitize_html_and_parse = function (html, allow_css) {
@@ -43,6 +143,7 @@ define([
     };
 
     var security = {
+        caja: caja,
         sanitize_html_and_parse: sanitize_html_and_parse,
         sanitize_html: sanitize_html
     };

package.json

@@ -34,7 +34,7 @@
     "watch:css": "onchange 'nbclassic/static/**/*.less' -- npm run build:css",
     "watch:js": "onchange 'nbclassic/static/**/!(*.min).js' 'bower.json' -- npm run build:js",
     "watch": "npm-run-all --parallel watch:*",
-    "postinstall": "node postinstall.js"
+    "postinstall": "node postinstall.js && npx patch-package google-caja-sanitizer"
   },
   "devDependencies": {
     "@babel/core": "^7.15.0",
@@ -63,7 +63,7 @@
     "mathjax": "^2.7.4",
     "codemirror": "~5.58.2",
     "es6-promise": "~1.0",
-    "@bower_components/google-caja": "https://github.com/minrk/google-caja-bower/archive/refs/tags/5669.0.0.tar.gz",
+    "google-caja-sanitizer": "~1.0.4",
     "jed": "~1.1.1",
     "jquery": "~3.7.1",
     "jquery-typeahead": "~2.11.1",

postinstall.js

@@ -98,7 +98,7 @@ ensureSymlink(
 ensureSymlink(
   "node_modules/codemirror",
   "nbclassic/static/components/codemirror"
- );
+);
 ensureSymlink(
   "node_modules/react",
   "nbclassic/static/components/react"
@@ -123,3 +123,7 @@ ensureSymlink(
   "node_modules/requirejs-text",
   "nbclassic/static/components/requirejs-text"
 );
+ensureSymlink(
+  "node_modules/google-caja-sanitizer",
+  "nbclassic/static/components/google-caja-sanitizer"
+);

pyproject.toml

@@ -129,7 +129,7 @@ artifacts = [
 "nbclassic/static/components/bootstrap-tour/build/js/bootstrap-tour.min.js" = "nbclassic/static/components/bootstrap-tour/build/js/bootstrap-tour.min.js"
 "nbclassic/static/components/bootstrap/dist/js/bootstrap.min.js" = "nbclassic/static/components/bootstrap/dist/js/bootstrap.min.js"
 "nbclassic/static/components/create-react-class/index.js" = "nbclassic/static/components/create-react-class/index.js"
-"nbclassic/static/components/google-caja/html-css-sanitizer-minified.js" = "nbclassic/static/components/google-caja/html-css-sanitizer-minified.js"
+"nbclassic/static/components/google-caja-sanitizer/sanitizer.js" = "nbclassic/static/components/google-caja-sanitizer/sanitizer.js"
 "nbclassic/static/components/jed/jed.js" = "nbclassic/static/components/jed/jed.js"
 "nbclassic/static/components/jquery/dist/jquery.min.js" = "nbclassic/static/components/jquery/dist/jquery.min.js"
 "nbclassic/static/components/jquery-typeahead/dist/jquery.typeahead.min.js" = "nbclassic/static/components/jquery-typeahead/dist/jquery.typeahead.min.js"

tools/security_deprecated.js

@@ -3,7 +3,7 @@
 
 define([
     'jquery',
-    'components/google-caja/html-css-sanitizer-minified',
+    'components/google-caja-sanitizer/sanitizer',
 ], function($, sanitize) {
     "use strict";
 

webpack.config.js

@@ -1,5 +1,7 @@
 const path = require('path');
 const crypto = require('crypto');
+const webpack = require('webpack');
+
 
 // Workaround for loaders using "md4" by default, which is not supported in FIPS-compliant OpenSSL
 // See https://github.com/jupyterlab/jupyterlab/issues/11248
@@ -30,5 +32,12 @@ module.exports = {
         }
       }
     ]
-  }
+  },
+  plugins: [
+    new webpack.BannerPlugin({
+      banner: 'var exports = {};',
+      raw: true,
+      entryOnly: true,
+    }),
+  ],
 }

yarn.lock

@@ -841,10 +841,6 @@
     classnames "^2.2"
     tslib "~2.3.1"
 
-"@bower_components/google-caja@https://github.com/minrk/google-caja-bower/archive/refs/tags/5669.0.0.tar.gz":
-  version "0.0.0"
-  resolved "https://github.com/minrk/google-caja-bower/archive/refs/tags/5669.0.0.tar.gz#6830582db17ef8087e38d3aa9703966fb9a86278"
-
 "@discoveryjs/json-ext@^0.5.0":
   version "0.5.7"
   resolved "https://registry.yarnpkg.com/@discoveryjs/json-ext/-/json-ext-0.5.7.tgz#1d572bfbbe14b7704e0ba0f39b74815b84870d70"
@@ -2077,6 +2073,11 @@ globals@^11.1.0:
   resolved "https://registry.yarnpkg.com/globals/-/globals-11.12.0.tgz#ab8795338868a0babd8525758018c2a7eb95c42e"
   integrity sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==
 
+google-caja-sanitizer@~1.0.4:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/google-caja-sanitizer/-/google-caja-sanitizer-1.0.4.tgz#614cf2c3d2e5e83ea961ab98d79318c03d8682e5"
+  integrity sha512-KEqGmAIbxvEZy4nPLpVoAlxQhEoq4H/0WMEQsEXlxjP+OxCT9nDYQi7Z7PVanwb77Jc+OJ9SoBQ6zw2OnmCvLw==
+
 gopd@^1.0.1, gopd@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/gopd/-/gopd-1.2.0.tgz#89f56b8217bdbc8802bd299df6d7f1081d7e51a1"