SECURITY: Fix Stored-dom XSS via Facebook Oneboxes

2024-11-22 11:13:16 +08:00 · 2024-05-23 20:04:47 -03:00 · 2024-05-23 20:04:47 -03:00 · 311b737c91
commit 311b737c91
parent e2a7265dba
2 changed files with 22 additions and 1 deletions
--- a/lib/onebox/engine/facebook_media_onebox.rb
+++ b/lib/onebox/engine/facebook_media_onebox.rb
@ -6,7 +6,7 @@ module Onebox
      include Engine
      include StandardEmbed

-      matches_regexp(%r{^https?://.*\.facebook\.com/(\w+)/(videos|\?).*})
+      matches_regexp(%r{^https?://(?:www\.)?facebook\.com/(\w+)/(videos|\?).*})
      always_https
      requires_iframe_origins "https://www.facebook.com"

--- a/spec/lib/onebox/engine/facebook_media_onebox_spec.rb
+++ b/spec/lib/onebox/engine/facebook_media_onebox_spec.rb
@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+RSpec.describe Onebox::Engine::FacebookMediaOnebox do
+  describe "regex URI match" do
+    it "matches videos with title" do
+      expect(match("https://www.facebook.com/user/videos/title/123456789/")).to eq true
+    end
+
+    it "matches videos without a title" do
+      expect(match("https://facebook.com/user/videos/123456789")).to eq true
+    end
+
+    it "only matches the facebook.com domain" do
+      expect(match("https://somedomain.com/a.facebook.com/a/videos")).to eq false
+    end
+
+    def match(url)
+      Onebox::Engine::FacebookMediaOnebox === URI(url)
+    end
+  end
+end