mirrors/signal-desktop
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
signal-desktop/js/views/file_input_view.js
Daniel Gasienica a1ac810343 Security: Replace Unicode order overrides in attachment names 
As a user, when I receive a file attachment, I want to have confidence that the
filename I see in the Signal Desktop app is the same as it will be on disk.

To prevent user confusion when receiving files with Unicode order override
characters, e.g. `test<LTRO>fig.exe` appearing as `testexe.gif`, we replace all
occurrences of order overrides (`U+202D` and `U+202E`) with `U+FFFD`.

**Changes**
- [x] Bump `Attachment` `schemaVersion` to 2.
- [x] Replace all Unicode order overrides in `attachment.filename`:
      `Attachment.replaceUnicodeOrderOverrides`.
- [x] Add tests for existing `Attachment.upgradeSchema`
- [x] Add tests for existing `Attachment.withSchemaVersion`
- [x] Add tests for `Attachment.replaceUnicodeOrderOverrides` positives.
- [x] Add `testcheck` generative property-based testing library
      (based on QuickCheck) to ensure valid filenames are preserved.

---

commit 855bdbc7e647e44f73b9e1f5e6d64f734c61169a
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 13:02:01 2018 -0500

    Log error stack in case of error

commit 6e053ed66aee136f186568fa88aacd4814b2ab07
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:30:28 2018 -0500

    Improve `upgradeStep` error handling

commit 8c226a2523b701cb578b2137832c3eaf3475bb2b
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:30:08 2018 -0500

    Check for expected version before upgrade

    Prevents out of order upgrade steps.

commit 28b0675591e782169128f75429b7bab2a22307fa
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:29:52 2018 -0500

    Reject invalid attachments

commit 41f4f457dae9416dae66dc2fa2079483d1f127a9
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:29:36 2018 -0500

    Fix upgrade pipeline order

commit 3935629e91c49b8d96c1e02bd37b1b31d1180720
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:28:25 2018 -0500

    Avoid `_.isPlainObject`

    Attachments are deserialized from a protocol buffer and can have a
    non-plain-object constructor.

commit 39f6e7f622ff4885e2ccafa354e0edb5864c55d8
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:19:07 2018 -0500

    Define basic attachment validity

commit adcf7e3243cd90866cc35990c558ff7829019037
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Thu Feb 22 12:18:54 2018 -0500

    Add tests for attachment upgrade pipeline

commit 82fc4644d7e654eea9f348518b086497be2b0cb4
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Wed Feb 21 12:20:24 2018 -0500

    Favor `async` / `await` over `then`

commit 8fe49e3c40e78ced0b8f2eb0b678f4bae842855d
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Wed Feb 21 12:19:59 2018 -0500

    Add `eslint-more` plugin

    This will enable us to disallow `then` in favor of `async` / `await`.

commit 020beefb25f508ae96cf3fc099599fbbca98802b
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Wed Feb 21 11:31:49 2018 -0500

    Remove unnecessary `async` modifiers

commit 177090c5f5ad9836f0ca0a5c2f298779519e3692
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Wed Feb 21 11:30:55 2018 -0500

    Document `operator-linebreak` ESLint rule

commit 25622b7c59291cb672ae057c47e7327a564cca40
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Wed Feb 21 11:14:15 2018 -0500

    Prefix internal function with `_`

commit 6aa3cf5098df71e9b710064739ec49d74f81b7bf
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 19:00:07 2018 -0500

    Replace all Unicode order override occurrences

commit fd6e23b0a519bce3c12c5b9ac676bcd198034fed
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:48:41 2018 -0500

    Whitelist `testcheck` `check` and `gen` globals

commit 400bae9fac5078821813bc0ca17a5d7a72900161
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:46:57 2018 -0500

    🎨 Fix lint errors

commit da53d3960aa7aa36b7cc1fcff414c9e929c0d9fc
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:42:42 2018 -0500

    Add tests for `Attachment.withSchemaVersion`

commit ec203444239d9e3c443ba88cab7ef4672151072d
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:42:17 2018 -0500

    Add test for `Attachment.upgradeSchema`

commit 4540d5bdf7a4279f49d2e4c6ee03f47b93df46bf
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:05:29 2018 -0500

    Rename `setSchemaVersion` --> `withSchemaVersion`

    Put the schema version first for better readability.

commit e379cf919feda31d1fa96d406c30fd38e159a11d
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:03:22 2018 -0500

    Add filename sanitization to upgrade pipeline

commit 1e344a0d15926fc3e17be20cd90bfa882b65f337
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:01:55 2018 -0500

    Test that we preserve non-suspicious filenames

commit a2452bfc98f93f82bed48b438757af2e66a6af82
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 17:00:56 2018 -0500

    Add `testcheck` dependency

    Allows for generative property-based testing similar to Haskell’s QuickCheck.
    See: https://medium.com/javascript-inside/f91432247c27

commit ceb5bfd2484a77689fdb8e9edd18d4a7b093a486
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 16:15:33 2018 -0500

    Replace Unicode order override characters

    Prevents users from being tricked into clicking a file named `testexe.fig`
    that appears as `testexe.gif` due to a Unicode order override character.

    See:
    - http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing
    - https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/

commit bc605afb1c6af3a5ebc31a4c1523ff170eb96ffe
Author: Daniel Gasienica <daniel@gasienica.ch>
Date:   Fri Feb 16 16:12:29 2018 -0500

    Remove `CURRENT_PROCESS_VERSION`

    Reintroduce this whenever we need it. We currently only deal with schema version
    numbers within this module.
2018-02-22 13:21:53 -05:00

351 lines
12 KiB
JavaScript
Raw Blame History

/* eslint-disable */
/* global textsecure: false */
(function () {
'use strict';
window.Whisper = window.Whisper || {};
const { MIME } = window.Signal.Types;
Whisper.FileSizeToast = Whisper.ToastView.extend({
templateName: 'file-size-modal',
render_attributes: function() {
return {
'file-size-warning': i18n('fileSizeWarning'),
limit: this.model.limit,
units: this.model.units
};
}
});
Whisper.UnsupportedFileTypeToast = Whisper.ToastView.extend({
template: i18n('unsupportedFileType')
});
Whisper.FileInputView = Backbone.View.extend({
tagName: 'span',
className: 'file-input',
initialize: function(options) {
this.$input = this.$('input[type=file]');
this.$input.click(function(e) {
e.stopPropagation();
});
this.thumb = new Whisper.AttachmentPreviewView();
this.$el.addClass('file-input');
this.window = options.window;
this.previewObjectUrl = null;
},
events: {
'change .choose-file': 'previewImages',
'click .close': 'deleteFiles',
'click .choose-file': 'open',
'drop': 'openDropped',
'dragover': 'showArea',
'dragleave': 'hideArea',
'paste': 'onPaste'
},
open: function(e) {
e.preventDefault();
// hack
if (this.window && this.window.chrome && this.window.chrome.fileSystem) {
this.window.chrome.fileSystem.chooseEntry({type: 'openFile'}, function(entry) {
if (!entry) {
return;
}
entry.file(function(file) {
this.file = file;
this.previewImages();
}.bind(this));
}.bind(this));
} else {
this.$input.click();
}
},
addThumb: function(src) {
this.$('.avatar').hide();
this.thumb.src = src;
this.$('.attachment-previews').append(this.thumb.render().el);
this.thumb.$('img')[0].onload = function() {
this.$el.trigger('force-resize');
}.bind(this);
},
autoScale: function(file) {
if (file.type.split('/')[0] !== 'image'
|| file.type === 'image/gif'
|| file.type === 'image/tiff') {
// nothing to do
return Promise.resolve(file);
}
return new Promise(function(resolve, reject) {
var url = URL.createObjectURL(file);
var img = document.createElement('img');
img.onerror = reject;
img.onload = function () {
URL.revokeObjectURL(url);
var maxSize = 6000 * 1024;
var maxHeight = 4096;
var maxWidth = 4096;
if (img.width <= maxWidth && img.height <= maxHeight &&
file.size <= maxSize) {
resolve(file);
return;
}
var canvas = loadImage.scale(img, {
canvas: true, maxWidth: maxWidth, maxHeight: maxHeight
});
var quality = 0.95;
var i = 4;
var blob;
do {
i = i - 1;
blob = window.dataURLToBlobSync(
canvas.toDataURL('image/jpeg', quality)
);
quality = quality * maxSize / blob.size;
// NOTE: During testing with a large image, we observed the
// `quality` value being > 1. Should we clamp it to [0.5, 1.0]?
// See: https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement/toBlob#Syntax
if (quality < 0.5) {
quality = 0.5;
}
} while (i > 0 && blob.size > maxSize);
resolve(blob);
};
img.src = url;
});
},
previewImages: function() {
this.clearForm();
var file = this.file || this.$input.prop('files')[0];
if (!file) { return; }
var type = file.type.split('/')[0];
if (file.type === 'image/tiff') {
type = 'file';
}
switch (type) {
case 'audio': this.addThumb('images/audio.svg'); break;
case 'video': this.addThumb('images/video.svg'); break;
case 'image':
if (!MIME.isJPEG(file.type)) {
this.previewObjectUrl = URL.createObjectURL(file);
this.addThumb(this.previewObjectUrl);
break;
}
// NOTE: Temporarily allow `then` until we convert the entire file
// to `async` / `await`:
// eslint-disable-next-line more/no-then
window.autoOrientImage(file)
.then(dataURL => this.addThumb(dataURL));
break;
default:
this.addThumb('images/file.svg'); break;
}
// NOTE: Temporarily allow `then` until we convert the entire file
// to `async` / `await`:
// eslint-disable-next-line more/no-then
this.autoScale(file).then(function(blob) {
var limitKb = 1000000;
var blobType = file.type === 'image/gif' ? 'gif' : type;
switch (blobType) {
case 'image':
limitKb = 6000; break;
case 'gif':
limitKb = 25000; break;
case 'audio':
limitKb = 100000; break;
case 'video':
limitKb = 100000; break;
default:
limitKb = 100000; break;
}
if ((blob.size/1024).toFixed(4) >= limitKb) {
var units = ['kB','MB','GB'];
var u = -1;
var limit = limitKb * 1000;
do {
limit /= 1000;
++u;
} while (limit >= 1000 && u < units.length - 1);
var toast = new Whisper.FileSizeToast({
model: {limit: limit, units: units[u]}
});
toast.$el.insertAfter(this.$el);
toast.render();
this.deleteFiles();
}
}.bind(this));
},
hasFiles: function() {
var files = this.file ? [this.file] : this.$input.prop('files');
return files && files.length && files.length > 0;
},
/* eslint-enable */
/* jshint ignore:start */
getFiles() {
const files = this.file ? [this.file] : Array.from(this.$input.prop('files'));
const promise = Promise.all(files.map(file => this.getFile(file)));
this.clearForm();
return promise;
},
getFile(rawFile) {
const file = rawFile || this.file || this.$input.prop('files')[0];
if (file === undefined) {
return Promise.resolve();
}
const attachmentFlags = this.isVoiceNote
? textsecure.protobuf.AttachmentPointer.Flags.VOICE_MESSAGE
: null;
const setFlags = flags => (attachment) => {
const newAttachment = Object.assign({}, attachment);
if (flags) {
newAttachment.flags = flags;
}
return newAttachment;
};
// NOTE: Temporarily allow `then` until we convert the entire file
// to `async` / `await`:
// eslint-disable-next-line more/no-then
return this.autoScale(file)
.then(this.readFile)
.then(setFlags(attachmentFlags));
},
/* jshint ignore:end */
/* eslint-disable */
getThumbnail: function() {
// Scale and crop an image to 256px square
var size = 256;
var file = this.file || this.$input.prop('files')[0];
if (file === undefined || file.type.split('/')[0] !== 'image' || file.type === 'image/gif') {
// nothing to do
return Promise.resolve();
}
return new Promise(function(resolve, reject) {
var url = URL.createObjectURL(file);
var img = document.createElement('img');
img.onerror = reject;
img.onload = function () {
URL.revokeObjectURL(url);
// loadImage.scale -> components/blueimp-load-image
// scale, then crop.
var canvas = loadImage.scale(img, {
canvas: true, maxWidth: size, maxHeight: size,
cover: true, minWidth: size, minHeight: size
});
canvas = loadImage.scale(canvas, {
canvas: true, maxWidth: size, maxHeight: size,
crop: true, minWidth: size, minHeight: size
});
var blob = window.dataURLToBlobSync(canvas.toDataURL('image/png'));
resolve(blob);
};
img.src = url;
}).then(this.readFile);
},
// File -> Promise Attachment
readFile: function(file) {
return new Promise(function(resolve, reject) {
var FR = new FileReader();
FR.onload = function(e) {
resolve({
data: e.target.result,
contentType: file.type,
fileName: file.name,
size: file.size
});
};
FR.onerror = reject;
FR.onabort = reject;
FR.readAsArrayBuffer(file);
});
},
clearForm: function() {
if (this.previewObjectUrl) {
URL.revokeObjectURL(this.previewObjectUrl);
this.previewObjectUrl = null;
}
this.thumb.remove();
this.$('.avatar').show();
this.$el.trigger('force-resize');
},
deleteFiles: function(e) {
if (e) { e.stopPropagation(); }
this.clearForm();
this.$input.wrap('<form>').parent('form').trigger('reset');
this.$input.unwrap();
this.file = null;
this.$input.trigger('change');
this.isVoiceNote = false;
},
openDropped: function(e) {
if (e.originalEvent.dataTransfer.types[0] != 'Files') {
return;
}
e.stopPropagation();
e.preventDefault();
this.file = e.originalEvent.dataTransfer.files[0];
this.previewImages();
this.$el.removeClass('dropoff');
},
showArea: function(e) {
if (e.originalEvent.dataTransfer.types[0] != 'Files') {
return;
}
e.stopPropagation();
e.preventDefault();
this.$el.addClass('dropoff');
},
hideArea: function(e) {
if (e.originalEvent.dataTransfer.types[0] != 'Files') {
return;
}
e.stopPropagation();
e.preventDefault();
this.$el.removeClass('dropoff');
},
onPaste: function(e) {
var items = e.originalEvent.clipboardData.items;
var imgBlob = null;
for (var i = 0; i < items.length; i++) {
if (items[i].type.split('/')[0] === 'image') {
imgBlob = items[i].getAsFile();
}
}
if (imgBlob !== null) {
this.file = imgBlob;
this.previewImages();
}
}
});
})();
Reference in a new issue View git blame Copy permalink