Security: Comments can still be used to smuggle arbitrary CSS

[hackvertor]

Prerequisites

• I verified that this is not a filter issue (MUST be reported at filter issue tracker)
• This is not a support issue or a question
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
• The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser
• I checked the documentation to understand that the issue I report is not a normal behavior

I tried to reproduce the issue when...

• uBO is the only extension
• uBO with default lists/settings
• using a new, unmodified browser profile

Description

This bug is related to #1693 and was marked fixed. However, it's still possible to smuggle arbitrary CSS through filter selectors. The following filter list causes a CSS injection:

##input,input/*
##input[x="*/{}*{background-color:red;}"]

The {} is used to make the CSS parser drop everything before as an invalid selector, this then allows you to define your own selector, in this case I make the background red but you could change it to use background URLs etc.

A specific URL where the issue occurs

https://portswigger-labs.net/

Steps to Reproduce

1. Create a filter in my filters:

##input,input/*
##input[x="*/{}*{background-color:red;}"]

2. Visit https://portswigger-labs.net/ and the background should appear red.

Expected behavior

The background should not appear red and arbitrary CSS should not be allowed to be injected.

Actual behavior

The filter injects CSS onto the page and the background goes red.

uBlock Origin version

1.38.4

Browser name and version

Chrome 95.0.4638.69

Operating System and version

MacOS 10.15.7

[gwarser]

Invalid generic cosmetic filter in user-filters: ##input,input/*

Is logged in 1.38.7b12

[uBlock-user]

and the background goes red.

Can't repro that on Firefox.

[gorhill]

The commit gorhill/uBlock@4f92338 made the issue here go away.

Also, there is no need to use words like smuggle or arbitrary when it's already allowed by design to apply background-color:red with a cosmetic filter like:

*#$#* { background-color: red }

[hackvertor]

@gorhill The background colour was only to demonstrate the issue. It's possible to use background urls too. Which isn't possible with a cosmetic filter right? That's why I said arbitrary CSS because normally this wouldn't be allowed.

[gorhill]

It's possible to use background urls too

Please provide a proof of concept.

[hackvertor]

Sure ...

##input,input/*
##input[x="*/{}*{background:url(https://hackvertor.co.uk/images/logo.gif)}"]

[gorhill]

Thanks, I can reproduce. This commit was specifically looking for opening comment in style declarations, while in the current case the opening comment is outside a style declaration.

The filter ##.fail,.fail/* (test page) no long work because now uBO detects that this filter can't be injected in a declarative manner in a stylesheet, the browser rejects the declaration because of the dangling /*.

Currently when this happens, uBO tries to compile the filter as a procedural one, but end up rejecting it because implicitly global procedural filters are forbidden.

So I tried *##.fail,.fail/* which render the filter valid as an explicit global filter, but due to the fact that the filter is compiled as a procedural one, it will never be injected in a style sheet, which was the root issue here.

So it appears by chance this commit took care of the issue here.

[gorhill]

Related: https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css