feat: support running with TrustedTypes enforced #4447
Conversation
Trusted Types is a new Content Security Policy specification, currently implemented in browsers based on Chromium 83 or higher, which requires that data passed to APIs which may result in arbitrary code execution must go through an explicit policy. This helps to catch unintended use of dangerous APIs, and reduces the surface area for some security reviews. I'm not sure if test infrastructure like mocha is a likely target for attack – seems like in most cases an attacker could only access test data, and it is rare for tests to handle untrusted data. However, there's value for infrastructure to be compatible with running with Trusted Types enabled, as it will allow users to write tests to ensure that the code under test can run with Trusted Types. This change creates and applies policies for the two places in mocha that call innerHTML, and adds a temporary patch to the rollup build. With those changes in place, we can run mocha's karma tests with Trusted Types enabled (save for the one test that runs with requirejs, which relies on eval). More info: * Spec: https://w3c.github.io/webappsec-trusted-types/dist/spec/#introduction * Related PR adding support to karma: karma-runner/karma#3360
|
|
There was a problem hiding this comment.
Thanks! Seems like a good addition. Unfortunately, I don't know anything about Trusted Types, so I think I need to educate myself or defer the decision to another maintainer who does (e.g., @Munter?).
My main question is: if a test is written using eval(), and we ship this change, will the test now fail when run in a Trusted-Types-supporting browser? If so, this behavior must be opt-in. And if it needs to be opt-in, does this defeat the purpose?
| * 2021-01-01. This behavior is tested, so we can just remove the plugin | ||
| * from our array and try `npm test`. If the tests pass, this can be removed. | ||
| */ | ||
| const applyTemporaryCspPatchPlugin = { |
There was a problem hiding this comment.
Seems like others would have this problem. Is there not an "official" fix anywhere?
There was a problem hiding this comment.
The latest version of regenerator-runtime is compatible with trusted types. It looks like some dependency of a dependency is shipping with an older regenerator-runtime version compiled in. That's why I'm expecting that in a few months they'll have shipped an update with the new regenerator-runtime and we can drop applyTemporaryCspPatchPlugin
There was a problem hiding this comment.
Speaking from the perspective of a reviewer in September 2020: I'd want a comment in the code pointing to the relevant tracking issue. That way it's easier to get context on it and check whether it's been resolved.
Speaking from the perspective of a reviewer now, in 2024: I'm betting this has since been resolved. 😄
boneskull
added
area: browser
|
Further, I think it'd be good to see a test which asserts the behavior works as intended. |
Trusted type enforcement is opt in. Like other CSP features, you enable it with either an HTTP header or with a The change should have no effect on existing tests, which won't have opted into enforcing Trusted Types. Shipping this change will make mocha compatible with trusted types, so it will enable testing with mocha with TT enforced. See e.g. lit/lit#1323. So tests that use potential unsafe APIs like
See the changes to karma.conf.js, which adds headers to enable Trusted Type enforcement for mocha's existing browser tests (in supporting browsers, which is currently browsers based on a recent Chromium like Brave, Chrome, and Edge). |
sorry, what I meant was that the existing tests assert compatibility, but we do not have:
|
|
(AppVeyor is no longer building our PRs; I've removed it from the list of checks) |
|
I'm not 100% sure I follow. You'd like to see a test of native Trusted Types functionality? A test that only runs in Chromium browsers and would fail if the trusted types headers in karma.conf.js didn't result in TT being enforced? |
Yes, essentially:
The point is not to test the browser feature--I'm sure Chromium has plenty of tests--but rather to establish a baseline of behavior which Mocha will exhibit when encountering these configurations. We need to make sure that future changes in Mocha do not violate the assumptions of its behavior established here. |
|
I need to learn about TrustedTypes. |
|
@rictic are you able to continue on this PR? |
| * 2021-01-01. This behavior is tested, so we can just remove the plugin | ||
| * from our array and try `npm test`. If the tests pass, this can be removed. | ||
| */ | ||
| const applyTemporaryCspPatchPlugin = { |
There was a problem hiding this comment.
Speaking from the perspective of a reviewer in September 2020: I'd want a comment in the code pointing to the relevant tracking issue. That way it's easier to get context on it and check whether it's been resolved.
Speaking from the perspective of a reviewer now, in 2024: I'm betting this has since been resolved. 😄
| createHTML: function(html) { | ||
| // The highlight function escapes its input. | ||
| return highlight(html); | ||
| } |
There was a problem hiding this comment.
[Style] Nit: no need for this wrapper, I think?
| createHTML: function(html) { | |
| // The highlight function escapes its input. | |
| return highlight(html); | |
| } | |
| // The highlight function escapes its input. | |
| createHTML: highlight, |
| * processed by a secure sanitization system like dompurify | ||
| */ | ||
| return html; | ||
| } |
There was a problem hiding this comment.
[Bug] Indeed, this looks like it partially (not completely) bypasses the point of Trusted Types. Which worries me. If Mocha were to ship with this change as-is and claim to supported Trusted Types, that claim would be a little misleading.
I'd think making this truly "safe" should be a blocker to the PR. But I'm very open to being convinced otherwise if I'm off.
JoshuaKGoldberg
added
the
status: waiting for author
JoshuaKGoldberg
changed the title
|
I would still like to see this resolved, especially as Webkit has decided to support the standard as of two weeks ago: WebKit/standards-positions#186 (comment) and Mozilla as of Dec 2023: mozilla/standards-positions#20 (comment) |
|
Great, I look forward to your PR @justinfagnani. 😉 |
Description of the Change
Trusted Types is a new Content Security Policy specification,
currently implemented in browsers based on Chromium 83 or higher, which
requires that data passed to APIs which may result in arbitrary code
execution must go through an explicit policy. This helps to catch
unintended use of dangerous APIs, and reduces the surface area for
some security reviews.
I'm not sure if test infrastructure like mocha is a likely target
for attack – seems like in most cases an attacker could only access test
data, and it is rare for tests to handle untrusted data. However,
there's value for infrastructure to be compatible with running with
Trusted Types enabled, as it will allow users to write tests to ensure
that the code under test can run with Trusted Types.
This change creates and applies policies for the two places in mocha
that call innerHTML, and adds a temporary patch to the rollup build.
With those changes in place, we can run mocha's karma tests with
Trusted Types enabled (save for the one test that runs with requirejs,
which relies on eval).
Alternate Designs
It would be possible to integrate dompurify into the HTML reporter, which would make it more secure. Alternatively, it may be possible to do a larger refactoring to construct the HTML output in a more structured way, rather than using string concatenation of HTML.
Why should this be in core?
This must be in core in order for these parts of core to be trusted types compatible.
Benefits
Users will be able to test their code with mocha in a browser with native Trusted Types enforcement enabled.
Possible Drawbacks
This change adds additional code, which adds weight to the mocha package for users, and maintenance burden on the mocha core devs.
Our own dependencies may inadvertently break us by doing otherwise safe operations (e.g. eval(str), Function(str), setting innerHTML, etc).
This is an enhancement (minor release).
More info and related work