From 87d687cde5e51c605fcf63121b27452992caadec Mon Sep 17 00:00:00 2001 From: Bill Thiede Date: Sun, 26 Nov 2023 21:00:44 -0800 Subject: [PATCH] server: sanitize html using ammonia --- Cargo.lock | 66 ++++++++++++++++++++++++++++++++++++++++--- server/Cargo.toml | 1 + server/src/graphql.rs | 7 ++++- 3 files changed, 69 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b706fed..5d958b1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -36,6 +36,19 @@ dependencies = [ "memchr", ] +[[package]] +name = "ammonia" +version = "3.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64e6d1c7838db705c9b756557ee27c384ce695a1c51a6fe528784cb1c6840170" +dependencies = [ + "html5ever 0.26.0", + "maplit", + "once_cell", + "tendril", + "url 2.4.1", +] + [[package]] name = "android-tzdata" version = "0.1.1" @@ -1261,7 +1274,21 @@ checksum = "e5c13fb08e5d4dfc151ee5e88bae63f7773d61852f3bdc73c9f4b9e1bde03148" dependencies = [ "log 0.4.20", "mac", - "markup5ever", + "markup5ever 0.10.1", + "proc-macro2 1.0.66", + "quote 1.0.33", + "syn 1.0.109", +] + +[[package]] +name = "html5ever" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bea68cab48b8459f17cf1c944c67ddc572d272d9f2b274140f223ecb1da4a3b7" +dependencies = [ + "log 0.4.20", + "mac", + "markup5ever 0.11.0", "proc-macro2 1.0.66", "quote 1.0.33", "syn 1.0.109", @@ -1523,7 +1550,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1ea8e9c6e031377cff82ee3001dc8026cdf431ed4e2e6b51f98ab8c73484a358" dependencies = [ "cssparser 0.27.2", - "html5ever", + "html5ever 0.25.2", "matches", "selectors", ] @@ -1637,6 +1664,12 @@ dependencies = [ "quoted_printable", ] +[[package]] +name = "maplit" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d" + [[package]] name = "markup5ever" version = "0.10.1" 
@@ -1645,7 +1678,21 @@ checksum = "a24f40fb03852d1cdd84330cddcaf98e9ec08a7b7768e952fad3b4cf048ec8fd" dependencies = [ "log 0.4.20", "phf 0.8.0", - "phf_codegen", + "phf_codegen 0.8.0", + "string_cache", + "string_cache_codegen", + "tendril", +] + +[[package]] +name = "markup5ever" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a2629bb1404f3d34c2e921f21fd34ba00b206124c81f65c50b43b6aaefeb016" +dependencies = [ + "log 0.4.20", + "phf 0.10.1", + "phf_codegen 0.10.0", "string_cache", "string_cache_codegen", "tendril", @@ -2081,6 +2128,16 @@ dependencies = [ "phf_shared 0.8.0", ] +[[package]] +name = "phf_codegen" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4fb1c3a8bc4dd4e5cfce29b44ffc14bedd2ee294559a294e2a4d4c9e9a6a13cd" +dependencies = [ + "phf_generator 0.10.0", + "phf_shared 0.10.0", +] + [[package]] name = "phf_generator" version = "0.8.0" @@ -2767,7 +2824,7 @@ dependencies = [ "log 0.4.20", "matches", "phf 0.8.0", - "phf_codegen", + "phf_codegen 0.8.0", "precomputed-hash", "servo_arc", "smallvec", @@ -2836,6 +2893,7 @@ dependencies = [ name = "server" version = "0.1.0" dependencies = [ + "ammonia", "async-graphql", "async-graphql-rocket", "glog", diff --git a/server/Cargo.toml b/server/Cargo.toml index ab55e37..50a5be3 100644 --- a/server/Cargo.toml +++ b/server/Cargo.toml @@ -23,6 +23,7 @@ rocket_cors = "0.6.0" rayon = "1.8.0" memmap = "0.7.0" mailparse = "0.14.0" +ammonia = "3.3.0" [dependencies.rocket_contrib] version = "0.4.11" diff --git a/server/src/graphql.rs b/server/src/graphql.rs index d4cc4a6..c6ec79e 100644 --- a/server/src/graphql.rs +++ b/server/src/graphql.rs 
@@ -243,7 +243,12 @@ impl QueryRoot {
 .headers
 .get_first_value("date")
 .and_then(|d| mailparse::dateparse(&d).ok());
- let body = extract_body(&m)?;
+ let body = match extract_body(&m)? {
+ Body::Html(Html { html }) => Body::Html(Html {
+ html: ammonia::clean(&html),
+ }),
+ b => b,
+ };
 messages.push(Message {
 from,
 to,
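Review bot: `ammonia::clean` in the `Body::Html` arm uses ammonia's default allow-list, which (as far as I recall) keeps `<img>` with an http/https `src`, so a sanitized mail body can still cause remote loads such as tracking pixels when the client renders it; if that is not wanted, build an `ammonia::Builder` that removes `img` and narrows `url_schemes`, construct it once above the loop that ends in `messages.push(...)` instead of per message, and use `cleaner.clean(&html).to_string()` here. The `b => b` arm passes every other `Body` variant through untouched, which is presumably right for plain text but deserves a comment stating the decision, e.g. `// Only HTML bodies are sanitized; other variants are rendered as text by the client.` The enclosing loop and the `impl QueryRoot` method both begin before and continue after this hunk.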