Merge pull request #3465 from appfi5/bugfix/release-notes-window

fix: harden release notes rendering and privileged window navigation

Author: u2

packages/neuron-ui/src/components/GeneralSetting/index.tsx

@@ -12,6 +12,7 @@ import { uniformTimeFormatter, bytesFormatter, clsx, wakeScreen, releaseWakeLock
 import Switch from 'widgets/Switch'
 import { keepScreenAwake } from 'services/localCache'
 import { LanguageSelect, UnLock } from 'widgets/Icons/icon'
+import { sanitizeReleaseNotes } from 'utils/sanitizeReleaseNotes'
 import styles from './generalSetting.module.scss'
 import { useCheckUpdate, useUpdateDownloadStatus } from './hooks'
 import LockWindowDialog from './LockWindowDialog'
@@ -67,7 +68,7 @@ const UpdateDownloadStatus = ({
 
   if (available) {
     const releaseNotesHtml = () => {
-      return { __html: releaseNotes }
+      return { __html: sanitizeReleaseNotes(releaseNotes) }
     }
 
     /* eslint-disable react/no-danger */

packages/neuron-ui/src/containers/Navbar/index.tsx

@@ -111,7 +111,7 @@ const Navbar = () => {
     }
   }, [network?.readonly])
 
-  const gotoCompatile = useCallback(() => {
+  const gotoCompatible = useCallback(() => {
     openExternal(`https://neuron.magickbase.com${i18n.language.startsWith('zh') ? '/zh' : ''}/download`)
   }, [i18n.language])
 
@@ -133,7 +133,7 @@ const Navbar = () => {
             i18nKey="navbar.ckb-node-compatible"
             values={{ version: getVersion(), btnText: t('navbar.learn-more') }}
             components={[
-              <button type="button" className={styles.learnMore} onClick={gotoCompatile}>
+              <button type="button" className={styles.learnMore} onClick={gotoCompatible}>
                 {t('navbar.learn-more')}
               </button>,
             ]}

packages/neuron-ui/src/tests/sanitizeReleaseNotes/index.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, it } from 'vitest'
+import { sanitizeReleaseNotes } from 'utils/sanitizeReleaseNotes'
+
+describe('sanitizeReleaseNotes', () => {
+  it('removes interactive markup and keeps basic formatting', () => {
+    const sanitized = sanitizeReleaseNotes(`
+      <p>safe</p>
+      <button data-method="open-in-window" onclick="window.electron.ipcRenderer.invoke('open-in-window')">open</button>
+      <img src="x" onerror="alert('xss')" />
+      <script>alert('xss')</script>
+      <pre><code>const ok = true</code></pre>
+    `)
+
+    expect(sanitized).toContain('<p>safe</p>')
+    expect(sanitized).toContain('<pre><code>const ok = true</code></pre>')
+    expect(sanitized).not.toContain('<button')
+    expect(sanitized).not.toContain('<img')
+    expect(sanitized).not.toContain('<script')
+    expect(sanitized).not.toContain('onclick')
+    expect(sanitized).not.toContain('data-method')
+    expect(sanitized).not.toContain('onerror')
+    expect(sanitized).not.toContain("alert('xss')")
+  })
+})

packages/neuron-ui/src/utils/sanitizeReleaseNotes.ts

@@ -0,0 +1,46 @@
+const ALLOWED_TAGS = new Set(['p', 'br', 'ul', 'ol', 'li', 'strong', 'em', 'b', 'i', 'code', 'pre'])
+const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed'])
+
+const sanitizeNodes = (doc: Document, nodes: ChildNode[]): Node[] => {
+  return nodes.flatMap(node => {
+    if (node.nodeType === Node.TEXT_NODE) {
+      return [doc.createTextNode(node.textContent ?? '')]
+    }
+
+    if (node.nodeType !== Node.ELEMENT_NODE) {
+      return []
+    }
+
+    const element = node as HTMLElement
+    const tagName = element.tagName.toLowerCase()
+
+    if (DROP_CONTENT_TAGS.has(tagName)) {
+      return []
+    }
+
+    const children = sanitizeNodes(doc, Array.from(element.childNodes))
+
+    if (!ALLOWED_TAGS.has(tagName)) {
+      return children
+    }
+
+    const sanitizedElement = doc.createElement(tagName)
+    children.forEach(child => {
+      sanitizedElement.appendChild(child)
+    })
+    return [sanitizedElement]
+  })
+}
+
+export const sanitizeReleaseNotes = (releaseNotes: string) => {
+  const template = document.createElement('template')
+  template.innerHTML = releaseNotes
+
+  const container = document.createElement('div')
+  sanitizeNodes(document, Array.from(template.content.childNodes)).forEach(node => {
+    container.appendChild(node)
+  })
+  return container.innerHTML
+}
+
+export default sanitizeReleaseNotes

packages/neuron-wallet/src/controllers/app/resolve-window-url.ts

@@ -0,0 +1,21 @@
+import env from '../../env'
+
+export const resolveInternalWindowTarget = (url: string) => {
+  const normalizedUrl = url.trim()
+
+  if (normalizedUrl.startsWith('#/')) {
+    return {
+      navigationUrl: normalizedUrl.replace(/^#/, ''),
+      windowUrl: `${env.mainURL}${normalizedUrl}`,
+    }
+  }
+
+  if (normalizedUrl.startsWith('/')) {
+    return {
+      navigationUrl: normalizedUrl,
+      windowUrl: `${env.mainURL}#${normalizedUrl}`,
+    }
+  }
+
+  return null
+}

packages/neuron-wallet/src/controllers/app/show-window.ts

@@ -2,17 +2,23 @@ import { BrowserWindow } from 'electron'
 import path from 'path'
 import env from '../../env'
 import AppController from '.'
+import { resolveInternalWindowTarget } from './resolve-window-url'
 
 const showWindow = (
   url: string,
   title: string,
   options?: Electron.BrowserWindowConstructorOptions,
   channels?: string[],
   comparator: (win: BrowserWindow) => boolean = win => win.getTitle() === title
-): BrowserWindow => {
+): BrowserWindow | null => {
+  const target = resolveInternalWindowTarget(url)
+  if (!target) {
+    return null
+  }
+
   const opened = BrowserWindow.getAllWindows().find(comparator)
   if (opened) {
-    opened.webContents.send('navigation', url.replace(/^#/, ''))
+    opened.webContents.send('navigation', target.navigationUrl)
     opened.focus()
     return opened
   } else {
@@ -38,8 +44,7 @@ const showWindow = (
     if (channels) {
       AppController.getInstance().registerChannels(win, channels)
     }
-    const fmtUrl = url.startsWith('http') || url.startsWith('file:') ? url : env.mainURL + url
-    win.loadURL(fmtUrl)
+    win.loadURL(target.windowUrl)
     win.on('ready-to-show', () => {
       win.setTitle(title)
       win.show()

packages/neuron-wallet/tests/controllers/app/resolve-window-url.test.ts

@@ -0,0 +1,31 @@
+jest.mock('../../../src/env', () => ({
+  __esModule: true,
+  default: {
+    mainURL: 'file:///app/index.html',
+  },
+}))
+
+import { resolveInternalWindowTarget } from '../../../src/controllers/app/resolve-window-url'
+
+describe('resolveInternalWindowTarget', () => {
+  it('accepts internal hash routes', () => {
+    expect(resolveInternalWindowTarget('  #/settings/general  ')).toEqual({
+      navigationUrl: '/settings/general',
+      windowUrl: 'file:///app/index.html#/settings/general',
+    })
+  })
+
+  it('accepts internal slash routes', () => {
+    expect(resolveInternalWindowTarget('/settings/general')).toEqual({
+      navigationUrl: '/settings/general',
+      windowUrl: 'file:///app/index.html#/settings/general',
+    })
+  })
+
+  it.each(['https://attacker.example/poc', 'http://127.0.0.1:3000/#/settings', 'file:///tmp/poc.html'])(
+    'rejects external target %s',
+    target => {
+      expect(resolveInternalWindowTarget(target)).toBeNull()
+    }
+  )
+})