GHSL-2021-1024

Author: martinRenou

nbconvert/exporters/tests/files/notebook_inject.ipynb

@@ -136,6 +136,44 @@
       }
     ],
     "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "d72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+         "image/png": ["abcd"]
+        },
+        "execution_count": null,
+        "metadata": {
+           "width": "><script>alert('output.metadata.width png injection')</script>"
+        }
+      }
+    ],
+    "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "d72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+         "image/png": ["abcd"]
+        },
+        "execution_count": null,
+        "metadata": {
+           "height": "><script>alert('output.metadata.height png injection')</script>"
+        }
+      }
+    ],
+    "source": [""]
    }
  ],
  "metadata": {

nbconvert/exporters/tests/test_html.py

@@ -163,3 +163,7 @@ def test_javascript_injection(self):
             # Check injection in image data
             assert "<script>alert('image/png output')</script>" not in output
             assert "<script>alert('image/jpeg output')</script>" not in output
+
+            # Check injection in image width/height
+            assert "<script>alert('output.metadata.width png injection')</script>" not in output
+            assert "<script>alert('output.metadata.height png injection')</script>" not in output

share/jupyter/nbconvert/templates/classic/base.html.j2

@@ -162,18 +162,18 @@ unknown type  {{ cell.type }}
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/png') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 {%- if output | get_metadata('unconfined', 'image/png') %}
 class="unconfined"
 {%- endif %}
 {%- set alttext=(output | get_metadata('alt', 'image/png')) or (cell | get_metadata('alt')) -%}
 {%- if alttext is not none %}
-alt="{{ alttext }}"
+alt="{{ alttext | escape_html }}"
 {%- endif %}
 >
 </div>
@@ -188,18 +188,18 @@ alt="{{ alttext }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/jpeg') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 {%- if output | get_metadata('unconfined', 'image/jpeg') %}
 class="unconfined"
 {%- endif %}
 {%- set alttext=(output | get_metadata('alt', 'image/jpeg')) or (cell | get_metadata('alt')) -%}
 {%- if alttext is not none %}
-alt="{{ alttext }}"
+alt="{{ alttext | escape_html }}"
 {%- endif %}
 >
 </div>

share/jupyter/nbconvert/templates/lab/base.html.j2

@@ -180,11 +180,11 @@ unknown type  {{ cell.type }}
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/png') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 class="
 {%- if output | get_metadata('unconfined', 'image/png') %}
@@ -210,11 +210,11 @@ jp-needs-dark-background
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/jpeg') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 class="
 {%- if output | get_metadata('unconfined', 'image/jpeg') %}