Mirrors/PowerToys
1
0
Fork 0
mirror of https://github.com/microsoft/PowerToys.git synced 2025-12-16 11:48:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

[FileExplorer][SVG]Increase security (#19941)

Browse Source 
* [FileExplorer][SVG]Increase security

* fix spellchecker

* Use 403 instead of 404
This commit is contained in:
Jaime Bernardo
2022-08-18 12:09:14 +01:00
committed by GitHub
parent 4e3c965511
commit de130171e9
3 changed files with 62 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/spell-check/expect.txt vendored
View File

@@ -119,11 +119,13 @@ Aut
Authenticode Authenticode
AUTHN AUTHN
AUTHZ AUTHZ
Autofill
autogenerate autogenerate
autogenerated autogenerated
AUTOHIDE AUTOHIDE
AUTOMATIONPROPERTIES AUTOMATIONPROPERTIES
Autorun Autorun
Autosave
Autostart Autostart
AUTOUPDATE AUTOUPDATE
AValid AValid

36
src/modules/previewpane/SvgPreviewHandler/SvgPreviewControl.cs
View File

@@ -38,6 +38,11 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
/// </summary> /// </summary>
private const string VirtualHostName = "PowerToysLocalSvg"; private const string VirtualHostName = "PowerToysLocalSvg";
/// <summary>
/// URI of the local file saved with the contents
/// </summary>
private Uri _localFileURI;
/// <summary> /// <summary>
/// Gets the path of the current assembly. /// Gets the path of the current assembly.
/// </summary> /// </summary>
@@ -162,6 +167,16 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
} }
} }
// Disable loading resources.
private void CoreWebView2_BlockExternalResources(object sender, CoreWebView2WebResourceRequestedEventArgs e)
{
// Show local file we've saved with the svg contents. Block all else.
if (new Uri(e.Request.Uri) != _localFileURI)
{
e.Response = _browser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
}
}
/// <summary> /// <summary>
/// Adds a WebView2 Control to Control Collection. /// Adds a WebView2 Control to Control Collection.
/// </summary> /// </summary>
@@ -171,9 +186,11 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
_browser = new WebView2(); _browser = new WebView2();
_browser.Dock = DockStyle.Fill; _browser.Dock = DockStyle.Fill;
// Prevent new windows from being opened.
var webView2Options = new CoreWebView2EnvironmentOptions("--block-new-web-contents");
ConfiguredTaskAwaitable<CoreWebView2Environment>.ConfiguredTaskAwaiter ConfiguredTaskAwaitable<CoreWebView2Environment>.ConfiguredTaskAwaiter
webView2EnvironmentAwaiter = CoreWebView2Environment webView2EnvironmentAwaiter = CoreWebView2Environment
.CreateAsync(userDataFolder: _webView2UserDataFolder) .CreateAsync(userDataFolder: _webView2UserDataFolder, options: webView2Options)
.ConfigureAwait(true).GetAwaiter(); .ConfigureAwait(true).GetAwaiter();
webView2EnvironmentAwaiter.OnCompleted(() => webView2EnvironmentAwaiter.OnCompleted(() =>
{ {
@@ -183,9 +200,19 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
{ {
_webView2Environment = webView2EnvironmentAwaiter.GetResult(); _webView2Environment = webView2EnvironmentAwaiter.GetResult();
await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true); await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true);
await _browser.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync("window.addEventListener('contextmenu', window => {window.preventDefault();});"); _browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Deny);
_browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Allow);
_browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false; _browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false;
_browser.CoreWebView2.Settings.AreDefaultContextMenusEnabled = false;
_browser.CoreWebView2.Settings.AreDevToolsEnabled = false;
_browser.CoreWebView2.Settings.AreHostObjectsAllowed = false;
_browser.CoreWebView2.Settings.IsGeneralAutofillEnabled = false;
_browser.CoreWebView2.Settings.IsPasswordAutosaveEnabled = false;
_browser.CoreWebView2.Settings.IsScriptEnabled = false;
_browser.CoreWebView2.Settings.IsWebMessageEnabled = false;
// Don't load any resources.
_browser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
_browser.CoreWebView2.WebResourceRequested += CoreWebView2_BlockExternalResources;
// WebView2.NavigateToString() limitation // WebView2.NavigateToString() limitation
// See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks // See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks
@@ -194,7 +221,8 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
{ {
string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html"; string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html";
File.WriteAllText(filename, svgData); File.WriteAllText(filename, svgData);
_browser.Source = new Uri(filename); _localFileURI = new Uri(filename);
_browser.Source = _localFileURI;
} }
else else
{ {

32
src/modules/previewpane/SvgThumbnailProvider/SvgThumbnailProvider.cs
View File

@@ -51,6 +51,11 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
/// </summary> /// </summary>
private const string VirtualHostName = "PowerToysLocalSvgThumbnail"; private const string VirtualHostName = "PowerToysLocalSvgThumbnail";
/// <summary>
/// URI of the local file saved with the contents
/// </summary>
private Uri _localFileURI;
/// <summary> /// <summary>
/// Gets the path of the current assembly. /// Gets the path of the current assembly.
/// </summary> /// </summary>
@@ -126,9 +131,10 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
thumbnailDone = true; thumbnailDone = true;
}; };
var webView2Options = new CoreWebView2EnvironmentOptions("--block-new-web-contents");
ConfiguredTaskAwaitable<CoreWebView2Environment>.ConfiguredTaskAwaiter ConfiguredTaskAwaitable<CoreWebView2Environment>.ConfiguredTaskAwaiter
webView2EnvironmentAwaiter = CoreWebView2Environment webView2EnvironmentAwaiter = CoreWebView2Environment
.CreateAsync(userDataFolder: _webView2UserDataFolder) .CreateAsync(userDataFolder: _webView2UserDataFolder, options: webView2Options)
.ConfigureAwait(true).GetAwaiter(); .ConfigureAwait(true).GetAwaiter();
webView2EnvironmentAwaiter.OnCompleted(async () => webView2EnvironmentAwaiter.OnCompleted(async () =>
{ {
@@ -136,9 +142,26 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
{ {
_webView2Environment = webView2EnvironmentAwaiter.GetResult(); _webView2Environment = webView2EnvironmentAwaiter.GetResult();
await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true); await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true);
await _browser.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync("window.addEventListener('contextmenu', window => {window.preventDefault();});"); _browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Deny);
_browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Allow);
_browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false; _browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false;
_browser.CoreWebView2.Settings.AreDefaultContextMenusEnabled = false;
_browser.CoreWebView2.Settings.AreDevToolsEnabled = false;
_browser.CoreWebView2.Settings.AreHostObjectsAllowed = false;
_browser.CoreWebView2.Settings.IsGeneralAutofillEnabled = false;
_browser.CoreWebView2.Settings.IsPasswordAutosaveEnabled = false;
_browser.CoreWebView2.Settings.IsScriptEnabled = false;
_browser.CoreWebView2.Settings.IsWebMessageEnabled = false;
// Don't load any resources.
_browser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
_browser.CoreWebView2.WebResourceRequested += (object sender, CoreWebView2WebResourceRequestedEventArgs e) =>
{
// Show local file we've saved with the svg contents. Block all else.
if (new Uri(e.Request.Uri) != _localFileURI)
{
e.Response = _browser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
}
};
// WebView2.NavigateToString() limitation // WebView2.NavigateToString() limitation
// See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks // See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks
@@ -147,7 +170,8 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
{ {
string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html"; string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html";
File.WriteAllText(filename, wrappedContent); File.WriteAllText(filename, wrappedContent);
_browser.Source = new Uri(filename); _localFileURI = new Uri(filename);
_browser.Source = _localFileURI;
} }
else else
{ {