Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: default frame renderer security improvements #506

Merged
merged 2 commits into from
Oct 8, 2024
Merged

fix: default frame renderer security improvements #506

merged 2 commits into from
Oct 8, 2024

Conversation

stephancill
Copy link
Contributor

@stephancill stephancill commented Oct 8, 2024
edited
Loading

Change Summary

  • fix: don't render data URIs that are SVG or not images
  • fix: enforce http(s) protocol on redirect URLs

Failing test is unrelated to this PR

Merge Checklist

  • PR has a Changeset
  • PR includes documentation if necessary
  • PR updates the boilerplates if necessary

@vercel Vercel
Copy link

vercel bot commented Oct 8, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
frames-js ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 8, 2024 4:23pm
framesjs-debugger ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 8, 2024 4:23pm
framesjs-examples ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 8, 2024 4:23pm

@stephancill stephancill mentioned this pull request Oct 8, 2024
Merged
3 tasks
davidfurlong
davidfurlong requested changes Oct 8, 2024
View reviewed changes
packages/render/src/ui/index.tsx Outdated

// Don't allow SVG data URLs -- could contain malicious code
if (sanitizedSrc?.startsWith("data:image/svg")) {
sanitizedSrc = "";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sanitizedSrc is not passed in as src to the img element

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed, ty

packages/render/src/ui/index.tsx Outdated
sanitizedSrc?.startsWith("data:") &&
!sanitizedSrc?.startsWith("data:image")
) {
sanitizedSrc = "";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

empty string src is invalid afaik - might be better to throw some sort of error on the frame/display an error screen

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

replaced with undefined for now. we don't have error handling at this level so will have to refactor

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could maybe move this check to ImageContainer and render an error there or return an error component here

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could maybe move this check to ImageContainer and render an error there or return an error component here

would probably be best, as silent errors is not ideal + neither is logging here

@davidfurlong davidfurlong merged commit 0cde2d1 into dev Oct 8, 2024
6 of 8 checks passed
@davidfurlong davidfurlong deleted the fix/default-renderer-security-improvements branch October 8, 2024 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidfurlong davidfurlong davidfurlong approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stephancill @davidfurlong