Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
This commit is contained in:
David Négrier 2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions

View File

@ -101,7 +101,10 @@
"host": { "host": {
"url": "maps-"+url "url": "maps-"+url
}, },
"ports": [80] "ports": [80],
"env": {
"FRONT_URL": "https://play-"+url
}
}, },
"redis": { "redis": {
"image": "redis:6", "image": "redis:6",

View File

@ -92,11 +92,12 @@ services:
- "traefik.http.routers.pusher-ssl.service=pusher" - "traefik.http.routers.pusher-ssl.service=pusher"
maps: maps:
image: thecodingmachine/nodejs:12-apache image: thecodingmachine/php:8.1-v4-apache-node12
environment: environment:
DEBUG_MODE: "$DEBUG_MODE" DEBUG_MODE: "$DEBUG_MODE"
HOST: "0.0.0.0" HOST: "0.0.0.0"
NODE_ENV: development NODE_ENV: development
FRONT_URL: http://play.workadventure.localhost
#APACHE_DOCUMENT_ROOT: dist/ #APACHE_DOCUMENT_ROOT: dist/
#APACHE_EXTENSIONS: headers #APACHE_EXTENSIONS: headers
#APACHE_EXTENSION_HEADERS: 1 #APACHE_EXTENSION_HEADERS: 1

View File

@ -96,11 +96,12 @@ services:
- "traefik.http.routers.pusher-ssl.service=pusher" - "traefik.http.routers.pusher-ssl.service=pusher"
maps: maps:
image: thecodingmachine/nodejs:12-apache image: thecodingmachine/php:8.1-v4-apache-node12
environment: environment:
DEBUG_MODE: "$DEBUG_MODE" DEBUG_MODE: "$DEBUG_MODE"
HOST: "0.0.0.0" HOST: "0.0.0.0"
NODE_ENV: development NODE_ENV: development
FRONT_URL: http://play.workadventure.localhost
#APACHE_DOCUMENT_ROOT: dist/ #APACHE_DOCUMENT_ROOT: dist/
#APACHE_EXTENSIONS: headers #APACHE_EXTENSIONS: headers
#APACHE_EXTENSION_HEADERS: 1 #APACHE_EXTENSION_HEADERS: 1

View File

@ -12,7 +12,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"website_in_map_script.html" "value":"website_in_map_script.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -1,12 +1,8 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script> <script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => { window.addEventListener('load', () => {
console.log('On load'); console.log('On load');
WA.onInit().then(() => { WA.onInit().then(() => {

View File

@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body>
<p>Website opened by script.</p>
</body>
</html>

View File

@ -1 +1 @@
WA.nav.openCoWebSite("cowebsiteAllowApi.html", true, ""); WA.nav.openCoWebSite("cowebsiteAllowApi.php", true, "");

View File

@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body>
<p>Website opened by script.</p>
</body>
</html>

View File

@ -1,20 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>API in iframe menu</title>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body style="text-align: center">
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
</body>
</html>

View File

@ -0,0 +1,16 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>API in iframe menu</title>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body style="text-align: center">
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
</body>
</html>

View File

@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
})
</script>
</head>
<body>
<p>Add a custom menu</p>
</body>
</html>

View File

@ -7,7 +7,7 @@ WA.ui.registerMenuCommand('custom callback menu', () => {
WA.ui.registerMenuCommand('custom iframe menu', {iframe: 'customIframeMenu.html'}); WA.ui.registerMenuCommand('custom iframe menu', {iframe: 'customIframeMenu.html'});
WA.room.onEnterZone('iframeMenu', () => { WA.room.onEnterZone('iframeMenu', () => {
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.html', allowApi: true}); menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.php', allowApi: true});
}) })
WA.room.onLeaveZone('iframeMenu', () => { WA.room.onLeaveZone('iframeMenu', () => {

View File

@ -54,7 +54,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"customMenu.html" "value":"customMenu.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
})
</script>
</head>
<body>
<p>Add a custom menu</p>
</body>
</html>

View File

@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.player.onPlayerMove(console.log);
})
</script>
</head>
<body>
<p>Log in the console the movement of the current player in the zone of the iframe</p>
</body>
</html>

View File

@ -36,7 +36,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"playerMove.html" "value":"playerMove.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.player.onPlayerMove(console.log);
})
</script>
</head>
<body>
<p>Log in the console the movement of the current player in the zone of the iframe</p>
</body>
</html>

View File

@ -36,7 +36,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"setProperty.html" "value":"setProperty.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -1,12 +1,8 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script> <script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => { window.addEventListener('load', () => {
WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/'); WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/');
WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/'); WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/');

View File

@ -1,12 +1,8 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script> <script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => { window.addEventListener('load', () => {
WA.room.setTiles([ WA.room.setTiles([

View File

@ -43,7 +43,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"setTiles.html" "value":"setTiles.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -1,12 +1,8 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script> <script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => { window.addEventListener('load', () => {
document.getElementById('show/hideLayer').onclick = () => { document.getElementById('show/hideLayer').onclick = () => {
if (document.getElementById('show/hideLayer').checked) { if (document.getElementById('show/hideLayer').checked) {

View File

@ -48,7 +48,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"showHideLayer.html" "value":"showHideLayer.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -12,7 +12,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"shared_variables.html" "value":"shared_variables.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",

View File

@ -1,12 +1,8 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script> <script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => { window.addEventListener('load', () => {
console.log('On load'); console.log('On load');
WA.onInit().then(() => { WA.onInit().then(() => {

View File

@ -1,13 +1,7 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script> <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
</script>
</head> </head>
<body> <body>
<button id="sendchat">Send chat message</button> <button id="sendchat">Send chat message</button>

View File

@ -43,7 +43,7 @@
{ {
"name":"openWebsite", "name":"openWebsite",
"type":"string", "type":"string",
"value":"iframe.html" "value":"iframe.php"
}, },
{ {
"name":"openWebsiteAllowApi", "name":"openWebsiteAllowApi",