Add option to scrub html from secret

This new option allows admins to enable or disable scrubbing html from secrets on view and store.
renderorange · May 5, 2024 · 5c7b018 · 5c7b018
1 parent e9dcf6e
commit 5c7b018
Show file tree

Hide file tree

Showing 15 changed files with 144 additions and 12 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -13,7 +13,7 @@ jobs:
           sudo apt-get install cpanminus sqlite3
       - name: Install perl dependencies
         run: |
-          sudo cpanm -n Config::Tiny Crypt::Eksblowfish::Bcrypt Crypt::Random Cwd Dancer2 Dancer2::Session::Cookie Data::Structure::Util DBD::SQLite DBI Digest::SHA Encode Getopt::Long HTTP::Status Moo MooX::ClassAttribute namespace::clean Plack::Builder Plack::Middleware::TrailingSlashKiller Pod::Usage Scalar::Util Session::Storage::Secure strictures Template::Toolkit Time::Piece Try::Tiny
+          sudo cpanm -n Config::Tiny Crypt::Eksblowfish::Bcrypt Crypt::Random Cwd Dancer2 Dancer2::Session::Cookie Data::Structure::Util DBD::SQLite DBI Digest::SHA Encode Getopt::Long HTML::Strip HTTP::Status Moo MooX::ClassAttribute namespace::clean Plack::Builder Plack::Middleware::TrailingSlashKiller Pod::Usage Scalar::Util Session::Storage::Secure strictures Template::Toolkit Time::Piece Try::Tiny
       - name: Install perl test dependencies
         run: |
           # Test::More and File::Spec are provided by perl-modules-*

diff --git a/INSTALLATION.md b/INSTALLATION.md
@@ -24,7 +24,7 @@ These instructions walk through a basic installation of the Pasteburn applicatio
 
 The Perl dependencies for this project are listed in the `cpanfile` within the repo.
 
-    cpanm -n Config::Tiny Crypt::Eksblowfish::Bcrypt Crypt::Random Cwd Dancer2 Dancer2::Session::Cookie Data::Structure::Util DBD::SQLite DBI Digest::SHA Encode Getopt::Long HTTP::Status Moo MooX::ClassAttribute namespace::clean Plack::Builder Plack::Middleware::TrailingSlashKiller Pod::Usage Scalar::Util Session::Storage::Secure strictures Template::Toolkit Time::Piece Try::Tiny
+    cpanm -n Config::Tiny Crypt::Eksblowfish::Bcrypt Crypt::Random Cwd Dancer2 Dancer2::Session::Cookie Data::Structure::Util DBD::SQLite DBI Digest::SHA Encode Getopt::Long HTML::Strip HTTP::Status Moo MooX::ClassAttribute namespace::clean Plack::Builder Plack::Middleware::TrailingSlashKiller Pod::Usage Scalar::Util Session::Storage::Secure strictures Template::Toolkit Time::Piece Try::Tiny
 
 ## CREATE THE DATABASE
 
@@ -50,12 +50,15 @@ After creating the file, edit and update the values accordingly.
 
 - secret
 
-    The `secret` section key is required, and `age` option key within it.
+    The `secret` section key is required, `age` and `scrub` option keys within it.
 
         [secret]
         age = 604800
+        scrub = 1
 
-    To change the default time to expire secrets, change the `age` value.  The value must be a positive integer.  The `age` value is only enforced if running the `delete_expired_secrets.pl` script, as noted below.
+    If `scrub` is set to 1, HTML tags will be removed from the secret string before storing and again as it's retrieved from the database.  If set to 0, HTML tags will not be removed from the secret.
+
+    NOTE: Setting `scrub` to 0 means XSS vulnerabilities will be possible in the textarea box as it's displayed.  Disable this setting with caution.
 
 - passphrase
 

diff --git a/cpanfile b/cpanfile
@@ -10,6 +10,7 @@ requires 'DBI';
 requires 'Digest::SHA';
 requires 'Encode';
 requires 'Getopt::Long';
+requires 'HTML::Strip';
 requires 'HTTP::Status';
 requires 'Moo';
 requires 'MooX::ClassAttribute';

diff --git a/examples/config.ini.example b/examples/config.ini.example
@@ -1,5 +1,6 @@
 [secret]
 age = 604800
+scrub = 1
 [passphrase]
 allow_blank = 0
 [cookie]

diff --git a/lib/Pasteburn.pm b/lib/Pasteburn.pm
@@ -20,6 +20,7 @@ BEGIN {
         die("FATAL: session Cookie secret_key is not set");
     }
 
+    set secret     => $conf->{secret};
     set passphrase => $conf->{passphrase};
 
     set views  => config->{appdir} . 'views';
@@ -123,13 +124,18 @@ B<NOTE:> If the C<$ENV{HOME}/.config/pasteburn/> directory exists, C<config.ini>
 
 =item secret
 
-The C<secret> section key is required, and C<age> option key within it.
+The C<secret> section key is required, C<age> and C<scrub> option keys within it.
 
  [secret]
  age = 604800
+ scrub = 1
 
 To change the default time to expire secrets, change the C<age> value.  The value must be a positive integer.  The C<age> value is only enforced if running the C<delete_expired_secrets.pl> script, as noted below.
 
+If C<scrub> is set to 1, HTML tags will be removed from the secret string before storing and again as it's retrieved from the database.  If set to 0, HTML tags will not be removed from the secret.
+
+B<NOTE:> Setting C<scrub> to 0 means XSS vulnerabilities will be possible in the textarea box as it's displayed.  Disable this setting with caution.
+
 =item passphrase
 
 The C<passphrase> section key is required, and the C<allow_blank> option key within it.

diff --git a/lib/Pasteburn/Config.pm b/lib/Pasteburn/Config.pm
@@ -60,6 +60,11 @@ sub _validate {
         die "config section secret age must be a positive integer\n";
     }
 
+    # verify secret scrub exists
+    unless ( exists $config->{secret}{scrub} ) {
+        die "config section secret scrub is required\n";
+    }
+
     # verify passphrase allow_blank exists
     unless ( exists $config->{passphrase}{allow_blank} ) {
         die "config section passphrase allow_blank is required\n";
@@ -137,13 +142,18 @@ B<NOTE:> If the C<$ENV{HOME}/.config/pasteburn/> directory exists, C<config.ini>
 
 =item secret
 
-The C<secret> section key is required, and C<age> option key within it.
+The C<secret> section key is required, C<age> and C<scrub> option keys within it.
 
  [secret]
  age = 604800
+ scrub = 1
 
 To change the default time to expire secrets, change the C<age> value.  The value must be a positive integer.  The C<age> value is only enforced if running the C<delete_expired_secrets.pl> script, as noted below.
 
+If C<scrub> is set to 1, HTML tags will be removed from the secret string before storing and again as it's retrieved from the database.  If set to 0, HTML tags will not be removed from the secret.
+
+B<NOTE:> Setting C<scrub> to 0 means XSS vulnerabilities will be possible in the textarea box as it's displayed.  Disable this setting with caution.
+
 =item passphrase
 
 The C<passphrase> section key is required, and the C<allow_blank> option key within it.

diff --git a/lib/Pasteburn/Controller/Secret.pm b/lib/Pasteburn/Controller/Secret.pm
@@ -66,7 +66,7 @@ post q{/secret} => sub {
     }
 
     my $secret_obj = Pasteburn::Model::Secrets->new( secret => $secret, passphrase => $passphrase );
-    $secret_obj->store;
+    $secret_obj->store( scrub => config->{secret}{scrub} );
 
     my $session_secrets = session->read('secrets');
     $session_secrets->{ $secret_obj->id }{runmode} = 'new';
@@ -184,7 +184,7 @@ post q{/secret/:id} => sub {
         return template secret => $template_params;
     }
 
-    my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase );
+    my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase, scrub => config->{secret}{scrub} );
     if ($decoded_secret) {
 
         # this will not delete from the author session unless they also view it.

diff --git a/lib/Pasteburn/Model/Secrets.pm b/lib/Pasteburn/Model/Secrets.pm
@@ -12,6 +12,7 @@ use Pasteburn::Crypt::Hash    ();
 use Pasteburn::Crypt::Storage ();
 use Crypt::Random             ();
 use Digest::SHA               ();
+use HTML::Strip;
 
 use Moo;
 use MooX::ClassAttribute;
@@ -111,6 +112,10 @@ sub get {
 
 sub store {
     my $self = shift;
+    my $arg  = {
+        scrub => undef,
+        @_,
+    };
 
     foreach my $attribute ( 'passphrase', 'secret' ) {
         unless ( defined $self->{$attribute} ) {
@@ -123,6 +128,13 @@ sub store {
     my $crypt_hash        = Pasteburn::Crypt::Hash->new();
     my $hashed_passphrase = $crypt_hash->generate( string => $self->passphrase );
 
+    # strip html tags from secret before storing
+    if ( $arg->{scrub} ) {
+        my $html_strip = HTML::Strip->new();
+        $self->_set_secret( $html_strip->parse( $self->secret ) );
+        $html_strip->eof;
+    }
+
     my $crypt_storage  = Pasteburn::Crypt::Storage->new( passphrase => $self->passphrase );
     my $encoded_secret = $crypt_storage->encode( secret => $self->secret );
 
@@ -147,6 +159,8 @@ sub store {
     # set id into the object so we can _update_object using it as a select value.
     $self->_set_id($id);
 
+    # always update the object with the stored data from the database.
+    # we don't want the decoded secret or passphrase in the object.
     $self->_update_object;
 
     return $result;
@@ -222,6 +236,7 @@ sub decode_secret {
     my $self = shift;
     my $arg  = {
         passphrase => undef,
+        scrub      => undef,
         @_,
     };
 
@@ -237,8 +252,16 @@ sub decode_secret {
         die "passphrase is required";
     }
 
-    my $crypt_storage = Pasteburn::Crypt::Storage->new( passphrase => $arg->{passphrase} );
-    return $crypt_storage->decode( secret => $self->secret );
+    my $crypt_storage  = Pasteburn::Crypt::Storage->new( passphrase => $arg->{passphrase} );
+    my $decoded_secret = $crypt_storage->decode( secret => $self->secret );
+
+    if ( $arg->{scrub} ) {
+        my $html_strip = HTML::Strip->new();
+        $decoded_secret = $html_strip->parse($decoded_secret);
+        $html_strip->eof;
+    }
+
+    return $decoded_secret;
 }
 
 sub delete_secret {
@@ -288,7 +311,7 @@ Pasteburn::Model::Secrets - data access layer for Secrets
 
  my $secret_obj = Pasteburn::Model::Secrets->get( id => $id );
  $secret_obj->validate_passphrase( passphrase => $passphrase );
- my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase );
+ my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase, scrub => 1 );
 
  $secret_obj->delete_secret;
 
@@ -402,6 +425,10 @@ Object method to decode the stored secret using the submitted passphrase.
 
 =item passphrase
 
+=item scrub
+
+Truthy value indicating whether the secret string should have the HTML tags removed before returning.
+
 =back
 
 =head3 RETURNS

diff --git a/t/integration/backend/create-scrub-new-secret.t b/t/integration/backend/create-scrub-new-secret.t
@@ -0,0 +1,39 @@
+use strict;
+use warnings;
+
+use FindBin ();
+use lib "$FindBin::RealBin/../../lib", "$FindBin::RealBin/../../../lib";
+use Pasteburn::Test;
+use Pasteburn::Model::Secrets;
+
+SCRUB_SECRET_ENABLED: {
+    note( 'scrub secret enabled' );
+    my $secret_non_html = 'blaine was here text';
+    my $secret     = '</textarea><script>blaine was here script</script>' . $secret_non_html;
+    my $passphrase = 'mypassphrase';
+    my $secret_obj = Pasteburn::Model::Secrets->new( secret => $secret, passphrase => $passphrase );
+
+    ok( $secret_obj->store( scrub => 1 ), 'store was successful' );
+
+    # here we're intentionally not scrubbing the outgoing secret because we need to ensure
+    # scrubbing the secret inbound works correctly.
+    my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase );
+    is( $decoded_secret, $secret_non_html, 'returned secret only contains the non-html string' )
+}
+
+SCRUB_SECRET_DISABLED: {
+    note( 'scrub secret disabled' );
+    my $secret_non_html = 'blaine was here text';
+    my $secret     = '</textarea><script>blaine was here script</script>' . $secret_non_html;
+    my $passphrase = 'mypassphrase';
+    my $secret_obj = Pasteburn::Model::Secrets->new( secret => $secret, passphrase => $passphrase );
+
+    ok( $secret_obj->store( scrub => 0 ), 'store was successful' );
+
+    # here we're intentionally not scrubbing the outgoing secret because we need to ensure
+    # scrubbing the secret inbound works correctly.
+    my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase );
+    is( $decoded_secret, $secret, 'returned secret contains the html and non-html string parts' );
+}
+
+done_testing;
diff --git a/t/integration/backend/decode-scrub-secret.t b/t/integration/backend/decode-scrub-secret.t
@@ -0,0 +1,40 @@
+use strict;
+use warnings;
+
+use FindBin ();
+use lib "$FindBin::RealBin/../../lib", "$FindBin::RealBin/../../../lib";
+use Pasteburn::Test;
+use Pasteburn::Model::Secrets;
+
+SCRUB_SECRET_ENABLED: {
+    note( 'scrub secret enabled' );
+    my $secret_non_html = 'blaine was here text';
+    my $secret     = '</textarea><script>blaine was here script</script>' . $secret_non_html;
+    my $passphrase = 'mypassphrase';
+    my $secret_obj = Pasteburn::Model::Secrets->new( secret => $secret, passphrase => $passphrase );
+
+    # here we're intentionally not scrubbing the incoming secret because we need to ensure
+    # decoding a secret with html works correctly.
+    ok( $secret_obj->store, 'stored new secret' );
+
+    my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase, scrub => 1 );
+    isnt( $decoded_secret, $secret, "returned secret doesn't match" );
+    is( $decoded_secret, $secret_non_html, 'returned secret only contains the non-html string' );
+}
+
+SCRUB_SECRET_DISABLED: {
+    note( 'scrub secret disabled' );
+    my $secret_non_html = 'blaine was here text';
+    my $secret     = '</textarea><script>blaine was here script</script>' . $secret_non_html;
+    my $passphrase = 'mypassphrase';
+    my $secret_obj = Pasteburn::Model::Secrets->new( secret => $secret, passphrase => $passphrase );
+
+    # here we're intentionally not scrubbing the incoming secret because we need to ensure
+    # decoding a secret with html works correctly.
+    ok( $secret_obj->store, 'stored new secret' );
+
+    my $decoded_secret = $secret_obj->decode_secret( passphrase => $passphrase, scrub => 0 );
+    is( $decoded_secret, $secret, 'returned secret contains the html and non-html string parts' );
+}
+
+done_testing;
diff --git a/t/integration/frontend/allow-empty-passphrase.t b/t/integration/frontend/allow-empty-passphrase.t
@@ -10,6 +10,7 @@ use HTTP::Request ();
 my $config = {
     secret => {
         age => 1,
+        scrub => 1,
     },
     passphrase => {
         allow_blank => 1,

diff --git a/t/integration/frontend/create-new-secret.t b/t/integration/frontend/create-new-secret.t
@@ -10,6 +10,7 @@ use HTTP::Request ();
 my $config = {
     secret => {
         age => 1,
+        scrub => 1,
     },
     passphrase => {
         allow_blank => 0,

diff --git a/t/integration/frontend/view-secret.t b/t/integration/frontend/view-secret.t
@@ -10,6 +10,7 @@ use HTTP::Request ();
 my $config = {
     secret => {
         age => 1,
+        scrub => 1,
     },
     passphrase => {
         allow_blank => 0,

diff --git a/t/unit/lib-Pasteburn-Config/_load.t b/t/unit/lib-Pasteburn-Config/_load.t
@@ -11,6 +11,7 @@ use_ok( $class );
 my $config_expected = {
     secret => {
         age => 1,
+        scrub => 1,
     },
     passphrase => {
         allow_blank => 0,

diff --git a/t/unit/lib-Pasteburn-Config/_validate.t b/t/unit/lib-Pasteburn-Config/_validate.t
@@ -11,6 +11,7 @@ use_ok( $class );
 my $config_expected = {
     secret => {
         age => 1,
+        scrub => 1,
     },
     passphrase => {
         allow_blank => 0,
@@ -47,7 +48,7 @@ EXCEPTIONS: {
     };
 
     subtest 'dies if missing any of the config sub keys' => sub {
-        plan tests => 4;
+        plan tests => 5;
 
         foreach my $required ( keys %{ $config_expected } ) {
             foreach my $required_sub_key ( keys %{ $config_expected->{$required} } ) {