Skip to content

Latest commit

 

History

History
150 lines (122 loc) · 9.55 KB

mitigations.md

File metadata and controls

150 lines (122 loc) · 9.55 KB

Mitigation Strategies Analysis for facebook/react

Mitigation Strategy: Strict dangerouslySetInnerHTML Usage with Sanitization

  1. Identify all instances of dangerouslySetInnerHTML: Search the entire codebase for this prop. Use your IDE's search functionality or a command-line tool like grep.
  2. Evaluate Necessity: For each instance, determine if dangerouslySetInnerHTML is absolutely necessary. Could the same result be achieved using standard React components and JSX? Often, it can. If it's not strictly required, refactor the code to remove it.
  3. Implement Sanitization (if necessary): If dangerouslySetInnerHTML is unavoidable (e.g., rendering trusted Markdown), install a robust sanitization library like DOMPurify: 
    npm install dompurify
# or
yarn add dompurify
  4. Import and Use DOMPurify: Import DOMPurify into the component where dangerouslySetInnerHTML is used. Call DOMPurify.sanitize() on the input HTML before passing it to dangerouslySetInnerHTML. 
    import DOMPurify from 'dompurify';

function MyComponent({ potentiallyUnsafeHTML }) {
  const sanitizedHTML = DOMPurify.sanitize(potentiallyUnsafeHTML);
  return (
    <div dangerouslySetInnerHTML={{ __html: sanitizedHTML }} />
  );
}
  5. Configure DOMPurify (Optional): DOMPurify offers configuration options to customize the allowed HTML tags and attributes. Review the documentation and configure it to be as restrictive as possible while still meeting your application's needs. For example, you might disallow <script> tags entirely, or only allow specific attributes on <img> tags.
  6. Regularly Review: Periodically re-examine all uses of dangerouslySetInnerHTML to ensure they remain necessary and that sanitization is still correctly implemented.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) (Severity: High): Malicious JavaScript injected through user input could steal user cookies, redirect users to phishing sites, deface the website, or perform other harmful actions. Sanitization prevents the execution of malicious scripts. This is directly related to how React handles rendering HTML.
    • HTML Injection (Severity: Medium): Even without JavaScript, malicious HTML could disrupt the layout of the page, inject unwanted content, or potentially lead to phishing attacks. Sanitization removes or neutralizes harmful HTML elements. This is a consequence of using dangerouslySetInnerHTML.

  • Impact:

    • XSS: Risk reduction: Very High. Proper sanitization with a library like DOMPurify is highly effective at preventing XSS through dangerouslySetInnerHTML.
    • HTML Injection: Risk reduction: High. Sanitization significantly reduces the risk of HTML injection.

  • Currently Implemented:

    • Example: Implemented in src/components/Blog/BlogPost.js where blog post content (from a trusted CMS) is rendered. DOMPurify is used with a default configuration.
    • Example: Implemented in src/components/Comments/Comment.js where user comments are rendered. DOMPurify is used with custom configuration.

  • Missing Implementation:

    • Example: Missing in src/components/Legacy/OldWidget.js. This component uses dangerouslySetInnerHTML without any sanitization. This is a high-priority area for refactoring or remediation.

Mitigation Strategy: Secure URL Handling in Attributes (React-Specific Considerations)

  1. Identify Dynamic URLs within JSX: Locate all instances where URLs are dynamically generated and used in attributes like href, src, action, etc., within your JSX. This includes <a>, <img>, <form>, <script>, and other elements. The key here is that React doesn't automatically sanitize these.
  2. Implement Validation: Before using a dynamically generated URL within a React component, validate it. While the URL API is a general web API, its use within React's rendering context is crucial. 
    // Basic validation using the URL API (within a React component)
function MyComponent({ userProvidedURL }) {
  function isValidURL(string) {
    try {
      new URL(string);
      return true;
    } catch (_) {
      return false;
    } 
  }

  if (isValidURL(userProvidedURL)) {
    return <a href={userProvidedURL}>Click Here</a>;
  } else {
    return <p>Invalid URL provided.</p>;
  }
}
  3. Encode URLs (if necessary): If you need to include special characters in the URL, use encodeURIComponent() to properly encode them within your component's logic.
  4. Avoid javascript: URLs: Never allow user-provided input to directly construct javascript: URLs within your JSX. These are a major XSS vector, and React won't protect you here.
  5. Regularly check: Regularly check if URL handling is secure.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) (Severity: High): Malicious javascript: URLs or URLs pointing to malicious scripts can be injected because React doesn't sanitize URL attributes.
    • Open Redirects (Severity: Medium): An attacker could craft a URL that redirects the user to a malicious site. While not unique to React, the dynamic nature of React apps makes this more likely if not handled.
    • Protocol Smuggling (Severity: Medium): Attackers might try to use unexpected protocols. Again, React's dynamic rendering makes this a concern.

  • Impact:

    • XSS: Risk reduction: High. Proper URL validation and encoding within React components significantly reduce the risk.
    • Open Redirects: Risk reduction: High.
    • Protocol Smuggling: Risk reduction: Medium.

  • Currently Implemented:

    • Example: Implemented in src/components/User/ProfileLink.js where user profile links are generated. The URL API is used for validation.

  • Missing Implementation:

    • Example: Missing in src/components/Legacy/ImageGallery.js. Image source URLs are taken directly from user input without validation.

Mitigation Strategy: Component Whitelisting (for Dynamic Component Rendering)

  1. Identify Dynamic Component Rendering: Find all places in your React code where components are rendered based on user input or external data. This is a React-specific pattern.
  2. Create a Whitelist: Define a JavaScript object (within your React codebase) that maps allowed component names to their corresponding component implementations. 
    const allowedComponents = {
  'MyComponent1': MyComponent1,
  'MyComponent2': MyComponent2,
  'SafeWidget': SafeWidget,
  // ... other allowed components
};
  3. Implement Lookup: Instead of directly rendering a component based on user input, use the whitelist to look up the component within your React component. 
    function DynamicComponentRenderer({ componentName }) {
  const Component = allowedComponents[componentName];

  if (Component) {
    return <Component />;
  } else {
    // Handle the case where the component is not allowed
    return <p>Invalid component.</p>;
  }
}
  4. Handle Invalid Input: If the requested component name is not found in the whitelist, handle the situation gracefully.
  5. Regularly check: Regularly check if component whitelisting is implemented correctly.

  • Threats Mitigated:

    • Component Injection (Severity: High): Prevents attackers from injecting arbitrary React components. This is specific to React's component model.

  • Impact:

    • Component Injection: Risk reduction: Very High.

  • Currently Implemented:

    • Example: Implemented in src/components/Dashboard/WidgetRenderer.js where dashboard widgets are rendered dynamically.

  • Missing Implementation:

    • Example: Missing in src/components/Legacy/DynamicForm.js.

Mitigation Strategy: Disable React DevTools in Production

  1. Verify Build Configuration: Ensure your build process is configured to create a production build. Production builds should automatically disable React DevTools.
  2. Check for Manual Configuration: If you have any manual configuration related to React DevTools, make sure it's disabled for production builds using environment variables. 
    // Example (using environment variables)
if (process.env.NODE_ENV === 'development') {
  // Enable DevTools (only in development)
  require('react-devtools');
}
  3. Test in Production: Deploy and verify that React DevTools are not accessible.
  4. Regularly check: Regularly check if React DevTools are disabled in production.

  • Threats Mitigated:

    • Information Disclosure (Severity: Low to Medium): Prevents attackers from inspecting the internal structure and state of your React components. This is specific to the React DevTools.

  • Impact:

    • Information Disclosure: Risk reduction: High.

  • Currently Implemented:

    • Example: The build process (using Create React App) automatically disables React DevTools.

  • Missing Implementation:

    • Example: No specific checks are in place to ensure that manual DevTools configuration is disabled.