From d4c5fca15b0f3a260907d3a0c0eebfe5c18969ae Mon Sep 17 00:00:00 2001
From: ed <s@ocv.me>
Date: Sat, 28 Jan 2023 21:24:40 +0000
Subject: [PATCH] sandbox readme.md / prologue / epilogue

---
 README.md                         | 10 +++--
 contrib/plugins/minimal-up2k.html |  4 ++
 copyparty/__main__.py             |  8 +++-
 copyparty/authsrv.py              | 16 ++++++++
 copyparty/httpcli.py              |  9 ++++-
 copyparty/svchub.py               |  4 +-
 copyparty/web/browser.css         | 10 +++++
 copyparty/web/browser.html        |  8 ++--
 copyparty/web/browser.js          | 63 +++++++++++++++++++++++++++++--
 9 files changed, 117 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index f8212027..62f61ff7 100644
--- a/README.md
+++ b/README.md
@@ -281,7 +281,7 @@ server-os-specific:
 
 upgrade notes
 
-* `1.6.0`:
+* `1.6.0` (2023-01-28):
   * http-api: delete/move is now `POST` instead of `GET`
   * everything other than `GET` and `HEAD` must pass [cors validation](#cors)
 * `1.5.0` (2022-12-03): [new chunksize formula](https://github.com/9001/copyparty/commit/54e1c8d261df) for files larger than 128 GiB
@@ -1252,7 +1252,6 @@ safety profiles:
   * `--no-robots` and `--force-js` makes life harder for crawlers, see [hiding from google](#hiding-from-google)
 
 * option `-ss` is a shortcut for the above plus:
-  * `--no-logues` and `--no-readme` disables support for readme's and prologues / epilogues in directory listings, which otherwise lets people upload arbitrary `<script>` tags
   * `--unpost 0`, `--no-del`, `--no-mv` disables all move/delete support
   * `--hardlink` creates hardlinks instead of symlinks when deduplicating uploads, which is less maintenance
     * however note if you edit one file it will also affect the other copies
@@ -1263,6 +1262,7 @@ safety profiles:
 
 * option `-sss` is a shortcut for the above plus:
   * `--no-dav` disables webdav support
+  * `--no-logues` and `--no-readme` disables support for readme's and prologues / epilogues in directory listings, which otherwise lets people upload arbitrary (but sandboxed) `<script>` tags
   * `-lo cpp-%Y-%m%d-%H%M%S.txt.xz` enables logging to disk
   * `-ls **,*,ln,p,r` does a scan on startup for any dangerous symlinks
 
@@ -1278,8 +1278,10 @@ other misc notes:
 behavior that might be unexpected
 
 * users without read-access to a folder can still see the `.prologue.html` / `.epilogue.html` / `README.md` contents, for the purpose of showing a description on how to use the uploader for example
-* anyone with write access can upload a `README.md` with a `<script>` which runs for all visitors unless `--no-readme`
-* anyone with move access can rename `some.html` to `.epilogue.html` so it'll run for all visitors unless either `--no-logues` or `--no-dot-ren`
+* users can submit `<script>`s which autorun for other visitors in a few ways;
+  * uploading a `README.md` -- avoid with `--no-readme`
+  * renaming `some.html` to `.epilogue.html` -- avoid with either `--no-logues` or `--no-dot-ren`
+  * the directory-listing embed is sandboxed (so any malicious scripts can't do any damage) but the markdown editor is not
 
 
 ## cors
diff --git a/contrib/plugins/minimal-up2k.html b/contrib/plugins/minimal-up2k.html
index 52d8675f..bd77857f 100644
--- a/contrib/plugins/minimal-up2k.html
+++ b/contrib/plugins/minimal-up2k.html
@@ -1,6 +1,10 @@
 <!--
   save this as .epilogue.html inside a write-only folder to declutter the UI,  makes it look like
   https://user-images.githubusercontent.com/241032/118311195-dd6ca380-b4ef-11eb-86f3-75a3ff2e1332.png
+
+  only works if you disable the prologue/epilogue sandbox with --no-sb-lg
+  which should probably be combined with --no-dot-ren to prevent damage
+  (`no_sb_lg` can also be set per-volume with volflags)
 -->
 
 <style>
diff --git a/copyparty/__main__.py b/copyparty/__main__.py
index 5be2a88c..30452e28 100755
--- a/copyparty/__main__.py
+++ b/copyparty/__main__.py
@@ -841,8 +841,8 @@ def add_optouts(ap):
 def add_safety(ap, fk_salt):
     ap2 = ap.add_argument_group('safety options')
     ap2.add_argument("-s", action="count", default=0, help="increase safety: Disable thumbnails / potentially dangerous software (ffmpeg/pillow/vips), hide partial uploads, avoid crawlers.\n └─Alias of\033[32m --dotpart --no-thumb --no-mtag-ff --no-robots --force-js")
-    ap2.add_argument("-ss", action="store_true", help="further increase safety: Prevent js-injection, accidental move/delete, broken symlinks, webdav, 404 on 403, ban on excessive 404s.\n └─Alias of\033[32m -s --no-dot-mv --no-dot-ren --unpost=0 --no-del --no-mv --hardlink --vague-403 --ban-404=50,60,1440 -nih")
-    ap2.add_argument("-sss", action="store_true", help="further increase safety: Enable logging to disk, scan for dangerous symlinks.\n └─Alias of\033[32m -ss --no-dav -lo=cpp-%%Y-%%m%%d-%%H%%M%%S.txt.xz --ls=**,*,ln,p,r")
+    ap2.add_argument("-ss", action="store_true", help="further increase safety: Prevent js-injection, accidental move/delete, broken symlinks, webdav, 404 on 403, ban on excessive 404s.\n └─Alias of\033[32m -s --unpost=0 --no-del --no-mv --hardlink --vague-403 --ban-404=50,60,1440 -nih")
+    ap2.add_argument("-sss", action="store_true", help="further increase safety: Enable logging to disk, scan for dangerous symlinks.\n └─Alias of\033[32m -ss --no-dav --no-logues --no-readme -lo=cpp-%%Y-%%m%%d-%%H%%M%%S.txt.xz --ls=**,*,ln,p,r")
     ap2.add_argument("--ls", metavar="U[,V[,F]]", type=u, help="do a sanity/safety check of all volumes on startup; arguments \033[33mUSER\033[0m,\033[33mVOL\033[0m,\033[33mFLAGS\033[0m; example [\033[32m**,*,ln,p,r\033[0m]")
     ap2.add_argument("--salt", type=u, default="hunter2", help="up2k file-hash salt; used to generate unpredictable internal identifiers for uploads -- doesn't really matter")
     ap2.add_argument("--fk-salt", metavar="SALT", type=u, default=fk_salt, help="per-file accesskey salt; used to generate unpredictable URLs for hidden files -- this one DOES matter")
@@ -979,6 +979,10 @@ def add_ui(ap, retry):
     ap2.add_argument("--txt-max", metavar="KiB", type=int, default=64, help="max size of embedded textfiles on ?doc= (anything bigger will be lazy-loaded by JS)")
     ap2.add_argument("--doctitle", metavar="TXT", type=u, default="copyparty", help="title / service-name to show in html documents")
     ap2.add_argument("--pb-url", metavar="URL", type=u, default="https://github.com/9001/copyparty", help="powered-by link; disable with -np")
+    ap2.add_argument("--md-sbf", metavar="FLAGS", type=u, default="downloads forms modals popups scripts top-navigation-by-user-activation", help="list of capabilities to ALLOW for README.md docs (volflag=md_sbf); see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox")
+    ap2.add_argument("--lg-sbf", metavar="FLAGS", type=u, default="downloads forms modals popups scripts top-navigation-by-user-activation", help="list of capabilities to ALLOW for prologue/epilogue docs  (volflag=lg_sbf)")
+    ap2.add_argument("--no-sb-md", action="store_true", help="don't sandbox README.md documents (volflags: no_sb_md | sb_md)")
+    ap2.add_argument("--no-sb-lg", action="store_true", help="don't sandbox prologue/epilogue docs (volflags: no_sb_lg | sb_lg); enables non-js support")
 
 
 def add_debug(ap):
diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index 75751420..f6f9c1b9 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -1119,6 +1119,8 @@ class AuthSrv(object):
                     vol.flags[k] = True
 
             for ga, vf in (
+                ("no_sb_md", "no_sb_md"),
+                ("no_sb_lg", "no_sb_lg"),
                 ("no_forget", "noforget"),
                 ("no_dupe", "nodupe"),
                 ("hardlink", "hardlink"),
@@ -1130,6 +1132,20 @@ class AuthSrv(object):
                 if getattr(self.args, ga):
                     vol.flags[vf] = True
 
+            for ve, vd in (
+                ("sb_md", "no_sb_md"),
+                ("sb_lg", "no_sb_lg"),
+            ):
+                if ve in vol.flags:
+                    vol.flags.pop(vd, None)
+
+            for ga, vf in (
+                ("md_sbf", "md_sbf"),
+                ("lg_sbf", "lg_sbf"),
+            ):
+                if vf not in vol.flags:
+                    vol.flags[vf] = getattr(self.args, ga)
+
             for k1, k2 in IMPLICATIONS:
                 if k1 in vol.flags:
                     vol.flags[k2] = True
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 6cd46908..9968a858 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -649,7 +649,11 @@ class HttpCli(object):
         ih = self.headers
         origin = ih.get("origin")
         if not origin:
-            return True
+            sfsite = ih.get("sec-fetch-site")
+            if sfsite and sfsite.lower().startswith("cross"):
+                origin = ":|"  # sandboxed iframe
+            else:
+                return True
 
         oh = self.out_headers
         origin = origin.lower()
@@ -3356,6 +3360,7 @@ class HttpCli(object):
                         readme = f.read().decode("utf-8")
                         break
 
+        vf = vn.flags
         ls_ret = {
             "dirs": [],
             "files": [],
@@ -3388,6 +3393,8 @@ class HttpCli(object):
             "have_zip": (not self.args.no_zip),
             "have_unpost": int(self.args.unpost),
             "have_b_u": (self.can_write and self.uparam.get("b") == "u"),
+            "sb_md": "" if "no_sb_md" in vf else (vf.get("md_sbf") or "y"),
+            "sb_lg": "" if "no_sb_lg" in vf else (vf.get("lg_sbf") or "y"),
             "url_suf": url_suf,
             "logues": logues,
             "readme": readme,
diff --git a/copyparty/svchub.py b/copyparty/svchub.py
index a4d26e70..4621ef04 100644
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@@ -97,13 +97,13 @@ class SvcHub(object):
         if args.sss or args.s >= 3:
             args.ss = True
             args.no_dav = True
+            args.no_logues = True
+            args.no_readme = True
             args.lo = args.lo or "cpp-%Y-%m%d-%H%M%S.txt.xz"
             args.ls = args.ls or "**,*,ln,p,r"
 
         if args.ss or args.s >= 2:
             args.s = True
-            args.no_logues = True
-            args.no_readme = True
             args.unpost = 0
             args.no_del = True
             args.no_mv = True
diff --git a/copyparty/web/browser.css b/copyparty/web/browser.css
index bded5d96..cfca7c18 100644
--- a/copyparty/web/browser.css
+++ b/copyparty/web/browser.css
@@ -793,6 +793,13 @@ html.y #path a:hover {
 .logue:empty {
 	display: none;
 }
+.logue>iframe {
+	background: var(--bgg);
+	visibility: hidden;
+	border: none;
+	width: 100%;
+	height: 0;
+}
 #pro.logue {
 	margin-bottom: .8em;
 }
@@ -817,6 +824,9 @@ html.y #path a:hover {
 .mdo {
 	max-width: 52em;
 }
+.mdo.sb {
+	max-width: unset;
+}
 .mdo,
 .mdo * {
 	line-height: 1.4em;
diff --git a/copyparty/web/browser.html b/copyparty/web/browser.html
index 7c2148c6..334ac99e 100644
--- a/copyparty/web/browser.html
+++ b/copyparty/web/browser.html
@@ -85,7 +85,7 @@
 	<div id="bdoc"></div>
 	{%- endif %}
 
-	<div id="pro" class="logue">{{ logues[0] }}</div>
+	<div id="pro" class="logue">{{ "" if sb_lg else logues[0] }}</div>
 
 	<table id="files">
 		<thead>
@@ -119,7 +119,7 @@
 		</tbody>
 	</table>
 	
-	<div id="epi" class="logue">{{ logues[1] }}</div>
+	<div id="epi" class="logue">{{ "" if sb_lg else logues[1] }}</div>
 
 	<h2><a href="{{ r }}/?h" id="goh">control-panel</a></h2>
 	
@@ -150,12 +150,14 @@
 			have_del = {{ have_del|tojson }},
 			have_unpost = {{ have_unpost }},
 			have_zip = {{ have_zip|tojson }},
+			sb_md = "{{ sb_md }}",
+			sb_lg = "{{ sb_lg }}",
 			lifetime = {{ lifetime }},
 			turbolvl = {{ turbolvl }},
 			u2sort = "{{ u2sort }}",
 			have_emp = {{ have_emp|tojson }},
 			txt_ext = "{{ txt_ext }}",
-			{% if no_prism %}no_prism = 1,{% endif %}
+			logues = {{ logues|tojson if sb_lg else "[]" }},
 			readme = {{ readme|tojson }},
 			ls0 = {{ ls0|tojson }};
 
diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js
index 7ac62999..4a279c17 100644
--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@@ -5420,8 +5420,8 @@ var treectl = (function () {
 		despin('#files');
 		despin('#gfiles');
 
-		ebi('pro').innerHTML = res.logues ? res.logues[0] || "" : "";
-		ebi('epi').innerHTML = res.logues ? res.logues[1] || "" : "";
+		sandbox(ebi('pro'), sb_lg, '', res.logues ? res.logues[0] || "" : "");
+		sandbox(ebi('epi'), sb_lg, '', res.logues ? res.logues[1] || "" : "");
 
 		clmod(ebi('epi'), 'mdo');
 		if (res.readme)
@@ -6587,7 +6587,7 @@ function show_md(md, name, div, url, depth) {
 
 	try {
 		clmod(div, 'mdo', 1);
-		div.innerHTML = marked.parse(md, marked_opts);
+		sandbox(div, sb_md, 'mdo', marked.parse(md, marked_opts));
 
 		ext = md_plug.post;
 		ext = ext ? [ext[0].render, ext[0].render2] : [];
@@ -6641,6 +6641,63 @@ if (readme)
 	show_readme(readme);
 
 
+function sandbox(tgt, rules, cls, html) {
+	if (!rules || (html || '').indexOf('<') == -1) {
+		tgt.innerHTML = html;
+		clmod(tgt, 'sb');
+		return false;
+	}
+	clmod(tgt, 'sb', 1);
+	var tid = tgt.getAttribute('id'),
+		dcs = document.styleSheets,
+		hash = location.hash,
+		want = '';
+
+	if (hash.startsWith('#md-'))
+		want = hash.slice(1);
+
+	var h2 = '<html class="' + document.documentElement.className + '"><head><base target="_parent">';
+	for (var a = 0; a < dcs.length; a++)
+		if (dcs[a].href)
+			h2 += '<link rel="stylesheet" media="screen" href="' + dcs[a].href + '">';
+
+	html = h2 + '</head><body class="logue ' + cls + '">' + html +
+		'<script>setTimeout(function(){var pih=-1;function f(){var d=document.documentElement,ih=2+Math.min(parseInt(getComputedStyle(d).height),d.scrollHeight);if(ih==pih)return;pih=ih;window.parent.postMessage("iheight #' + tid + '>iframe "+ih,"*")};setInterval(f,100);f();var el="' + want + '"&&document.getElementById("' + want + '");if(el)window.parent.postMessage("iscroll #' + tid + ' "+el.offsetTop,"*")},1)</script></body></html>';
+
+	var fr = mknod('iframe');
+	fr.setAttribute('sandbox', rules ? 'allow-' + rules.replace(/ /g, ' allow-') : '');
+	fr.setAttribute('srcdoc', html);
+	tgt.innerHTML = '';
+	tgt.appendChild(fr);
+	return true;
+}
+window.addEventListener("message", function (e) {
+	try {
+		console.log('msg:' + e.data);
+		var t = e.data.split(/ /g);
+		if (t[0] == 'iheight') {
+			var el = QS(t[1]);
+			el.style.height = t[2] + 'px';
+			el.style.visibility = 'unset';
+		}
+		else if (t[0] == 'iscroll') {
+			var y1 = QS(t[1]).offsetTop,
+				y2 = parseInt(t[2]);
+			console.log(y1, y2);
+			document.documentElement.scrollTop = y1 + y2;
+		}
+	} catch (ex) {
+		console.log('msg-err: ' + ex);
+	}
+}, false);
+
+
+if (sb_lg && logues.length) {
+	sandbox(ebi('pro'), sb_lg, '', logues[0]);
+	sandbox(ebi('epi'), sb_lg, '', logues[1]);
+}
+
+
 (function () {
 	try {
 		var tr = ebi('files').tBodies[0].rows;