base64 encode the embedded runner config object so it can't b… (#5155)

* base64 encode the config so it can't be escaped * update tests
cypress-io · Sep 17, 2019 · 8cde36e · 8cde36e · cypress-bot · Sep 17, 2019
1 parent 72b082d
commit 8cde36e
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 11 deletions.
diff --git a/packages/runner/src/main.jsx b/packages/runner/src/main.jsx
@@ -8,8 +8,10 @@ import Container from './app/container'
 configure({ enforceActions: 'strict' })
 
 const Runner = {
-  start (el, config) {
+  start (el, base64Config) {
     action('started', () => {
+      const config = JSON.parse(atob(base64Config))
+
       const state = new State((config.state || {}).reporterWidth)
 
       Runner.state = state

diff --git a/packages/runner/static/index.html b/packages/runner/static/index.html
@@ -17,7 +17,7 @@
       window.__Cypress__ = true
 
       setTimeout(function(){
-        Runner.start(document.getElementById('app'), {{{config}}})
+        Runner.start(document.getElementById('app'), "{{{base64Config}}}")
       }, 0)
     </script>
   </body>

diff --git a/packages/server/__snapshots__/2_config_spec.coffee.js b/packages/server/__snapshots__/2_config_spec.coffee.js
@@ -23,16 +23,18 @@ exports['e2e config passes 1'] = `
     ✓ .arch
     ✓ .browser
     ✓ .spec
+    .env
+      ✓ doesn't die on <script> tags
 
 
-  5 passing
+  6 passing
 
 
   (Results)
 
   ┌──────────────────────────────────────────┐
-  │ Tests:        5                          │
-  │ Passing:      5                          │
+  │ Tests:        6                          │
+  │ Passing:      6                          │
   │ Failing:      0                          │
   │ Pending:      0                          │
   │ Skipped:      0                          │
@@ -56,9 +58,9 @@ exports['e2e config passes 1'] = `
 
       Spec                                                Tests  Passing  Failing  Pending  Skipped 
   ┌────────────────────────────────────────────────────────────────────────────────────────────────┐
-  │ ✔ config_passing_spec.coffee                XX:XX        5        5        -        -        - │
+  │ ✔ config_passing_spec.coffee                XX:XX        6        6        -        -        - │
   └────────────────────────────────────────────────────────────────────────────────────────────────┘
-    All specs passed!                           XX:XX        5        5        -        -        -  
+    All specs passed!                           XX:XX        6        6        -        -        -  
 
 
 `

diff --git a/packages/server/lib/controllers/runner.coffee b/packages/server/lib/controllers/runner.coffee
@@ -23,8 +23,12 @@ module.exports = {
       _.pick(config, "version", "platform", "arch", "projectName")
     )
 
+    ## base64 before embedding so user-supplied contents can't break out of <script>
+    ## https://github.com/cypress-io/cypress/issues/4952
+    base64Config = Buffer.from(JSON.stringify(config)).toString('base64')
+
     res.render(runner.getPathToIndex(), {
-      config:      JSON.stringify(config)
+      base64Config
       projectName: config.projectName
     })
 

diff --git a/packages/server/test/e2e/2_config_spec.coffee b/packages/server/test/e2e/2_config_spec.coffee
@@ -14,6 +14,11 @@ describe "e2e config", ->
       spec: "config_passing_spec.coffee"
       snapshot: true
       expectedExitCode: 0
+      config: {
+        env: {
+          scriptlet: "<script>alert('this should not break')</script>"
+        }
+      }
     })
 
   it "fails", ->

diff --git a/packages/server/test/integration/http_requests_spec.coffee b/packages/server/test/integration/http_requests_spec.coffee
@@ -269,8 +269,12 @@ describe "Routes", ->
         @rp("http://localhost:9999/__")
         .then (res) ->
           expect(res.statusCode).to.eq(200)
-          expect(res.body).to.include("version")
-          expect(res.body).to.include(pkg.version)
+
+          base64Config = /Runner\.start\(.*, "(.*)"\)/.exec(res.body)[1]
+          configStr = Buffer.from(base64Config, 'base64').toString()
+
+          expect(configStr).to.include("version")
+          expect(configStr).to.include(pkg.version)
 
   context "GET /__cypress/runner/*", ->
     beforeEach ->

diff --git a/.../server/test/support/fixtures/projects/e2e/cypress/integration/config_passing_spec.coffee b/.../server/test/support/fixtures/projects/e2e/cypress/integration/config_passing_spec.coffee
@@ -18,7 +18,7 @@ describe "Cypress static methods + props", ->
     expect(browser.version).to.be.a("string")
     expect(browser.majorVersion).to.be.a("string")
     expect(browser.path).to.be.a("string")
-    
+
     switch browser.isHeadless
       when true
         expect(browser.isHeaded).to.be.false
@@ -34,3 +34,8 @@ describe "Cypress static methods + props", ->
     expect(spec.name).to.eq("config_passing_spec.coffee")
     expect(spec.relative).to.eq("cypress/integration/config_passing_spec.coffee")
     expect(spec.absolute.indexOf("cypress/integration/config_passing_spec.coffee")).to.be.gt(0)
+
+  context ".env", ->
+    ## https://github.com/cypress-io/cypress/issues/4952
+    it "doesn't die on <script> tags", ->
+      expect(Cypress.env('scriptlet')).to.eq("<script>alert('this should not break')</script>")