SECURITY: Sanitize YouTube Onebox data (stable) (#13749)

CVE-2021-32764
2025-02-21 04:43:55 +08:00 · 2021-07-15 19:32:47 +01:00 · 2021-07-15 19:32:47 +01:00 · ad7c7f819d
commit ad7c7f819d
parent a94a623009
3 changed files with 26 additions and 10 deletions
--- a/plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js.es6
+++ b/plugins/lazy-yt/assets/javascripts/initializers/lazyYT.js.es6
@ -1,9 +1,11 @@
 import { withPluginApi } from "discourse/lib/plugin-api";
+import initLazyYt from "../lib/lazyYT";

 export default {
  name: "apply-lazyYT",
  initialize() {
    withPluginApi("0.1", (api) => {
+      initLazyYt($);
      api.decorateCooked(
        ($elem) => {
          const iframes = $(".lazyYT", $elem);
--- a/plugins/lazy-yt/assets/javascripts/lib/lazyYT.js
+++ b/plugins/lazy-yt/assets/javascripts/lib/lazyYT.js
@ -11,7 +11,9 @@
 *
 */

-(function ($) {
+import escape from "discourse-common/lib/escape";
+
+export default function initLazyYt($) {
  "use strict";

  function setUp($el, settings) {
@ -75,13 +77,13 @@
    innerHtml.push('<div class="html5-title-text-wrapper">');
    innerHtml.push(
      '<a class="html5-title-text" target="_blank" tabindex="3100" href="https://www.youtube.com/watch?v=',
-      id,
+      escape(id),
      '">'
    );
    if (title === undefined || title === null || title === "") {
-      innerHtml.push("youtube.com/watch?v=" + id);
+      innerHtml.push("youtube.com/watch?v=" + escape(id));
    } else {
-      innerHtml.push(title);
+      innerHtml.push(escape(title));
    }
    innerHtml.push("</a>");
    innerHtml.push("</div>"); // .html5-title
@ -121,7 +123,7 @@
          $(
            [
              '<img class="ytp-thumbnail-image" src="https://img.youtube.com/vi/',
-              id,
+              escape(id),
              "/",
              thumb_img,
              '">',
@ -143,7 +145,7 @@
          $el
            .html(
              '<iframe src="//www.youtube.com/embed/' +
-                id +
+                escape(id) +
                "?autoplay=1&" +
                youtube_parameters +
                '" frameborder="0" allowfullscreen></iframe>'
@ -170,4 +172,4 @@
      setUp($el, settings);
    });
  };
-})(jQuery);
+}
--- a/plugins/lazy-yt/plugin.rb
+++ b/plugins/lazy-yt/plugin.rb
@ -5,12 +5,10 @@
 # version: 1.0.1
 # authors: Arpit Jalan
 # url: https://github.com/discourse/discourse/tree/master/plugins/lazy-yt
+# transpile_js: true

 hide_plugin if self.respond_to?(:hide_plugin)

-# javascript
-register_asset "javascripts/lazyYT.js"
-
 # stylesheet
 register_asset "stylesheets/lazyYT.css"
 register_asset "stylesheets/lazyYT_mobile.scss", :mobile
@ -55,6 +53,20 @@ class Onebox::Engine::YoutubeOnebox
    end
  end

+  alias_method :old_video_id, :video_id
+  alias_method :old_list_id, :list_id
+
+  def video_id
+    sanitize_yt_id(old_video_id)
+  end
+
+  def list_id
+    sanitize_yt_id(old_list_id)
+  end
+
+  def sanitize_yt_id(raw)
+    raw&.match?(/\A[\w-]+\z/) ? raw : nil
+  end
 end

 after_initialize do