HTML search: sanitise 'searchindex.js' contents

CHANGES.rst

@@ -15,6 +15,11 @@ Deprecated
 Features added
 --------------
 
+* #13098: HTML Search: the contents of the search index are sanitised
+  (reassigned to frozen null-prototype JavaScript objects), to reduce
+  the risk of unintended access or modification.
+  Patch by James Addison
+
 Bugs fixed
 ----------
 

sphinx/search/__init__.py

@@ -9,6 +9,7 @@
 import os
 import pickle
 import re
+from collections import Counter
 from importlib import import_module
 from pathlib import Path
 from typing import IO, TYPE_CHECKING, Any
@@ -334,7 +335,7 @@
         for docname in self._titles:
             self._all_titles[docname] = []
         for title, doc_tuples in frozen['alltitles'].items():
-            for doc, titleid in doc_tuples:
+            for _, (doc, titleid) in doc_tuples.items():
                 self._all_titles[index2fn[doc]].append((title, titleid))
 
         def load_terms(mapping: dict[str, Any]) -> dict[str, set[str]]:
@@ -358,10 +359,11 @@
 
     def get_objects(
         self, fn2index: dict[str, int]
-    ) -> dict[str, list[tuple[int, int, int, str, str]]]:
-        rv: dict[str, list[tuple[int, int, int, str, str]]] = {}
+    ) -> dict[str, dict[int, tuple[int, int, int, str, str]]]:
+        rv: dict[str, dict[int, tuple[int, int, int, str, str]]] = {}
         otypes = self._objtypes
         onames = self._objnames
+        prefix_count = Counter()
         for domain in self.env.domains.sorted():
             sorted_objects = sorted(domain.get_objects())
             for fullname, dispname, type, docname, anchor, prio in sorted_objects:
@@ -372,7 +374,8 @@
                 fullname = html.escape(fullname)
                 dispname = html.escape(dispname)
                 prefix, _, name = dispname.rpartition('.')
-                plist = rv.setdefault(prefix, [])
+                index = prefix_count[prefix]
+                plist = rv.setdefault(prefix, {})
                 try:
                     typeindex = otypes[domain.name, type]
                 except KeyError:
@@ -394,7 +397,8 @@
                     shortanchor = '-'
                 else:
                     shortanchor = anchor
-                plist.append((fn2index[docname], typeindex, prio, shortanchor, name))
+                plist[index] = (fn2index[docname], typeindex, prio, shortanchor, name)
+                prefix_count[prefix] += 1
         return rv
 
     def get_terms(
@@ -429,19 +433,25 @@
         objtypes = {v: k[0] + ':' + k[1] for (k, v) in self._objtypes.items()}
         objnames = self._objnames
 
-        alltitles: dict[str, list[tuple[int, str | None]]] = {}
+        alltitles_count = Counter()
+        alltitles: dict[str, dict[int, tuple[int, str | None]]] = {}
         for docname, titlelist in sorted(self._all_titles.items()):
             for title, titleid in titlelist:
-                alltitles.setdefault(title, []).append((fn2index[docname], titleid))
+                count = alltitles_count[title]
+                alltitles.setdefault(title, {})[count] = (fn2index[docname], titleid)
+                alltitles_count[title] += 1
 
-        index_entries: dict[str, list[tuple[int, str, bool]]] = {}
+        index_entry_count = Counter()
+        index_entries: dict[str, dict[int, tuple[int, str, bool]]] = {}
         for docname, entries in self._index_entries.items():
             for entry, entry_id, main_entry in entries:
-                index_entries.setdefault(entry.lower(), []).append((
+                count = index_entry_count[entry]
+                index_entries.setdefault(entry.lower(), {})[count] = (
                     fn2index[docname],
                     entry_id,
                     main_entry == 'main',
-                ))
+                )
+                index_entry_count[entry] += 1
 
         return {
             'docnames': docnames,

sphinx/themes/basic/static/searchtools.js

@@ -219,7 +219,16 @@ const Search = {
     (document.body.appendChild(document.createElement("script")).src = url),
 
   setIndex: (index) => {
-    Search._index = index;
+    const sanitiseRecursive = function(obj) {
+      const result = Object.create(null);
+      for (const [k, v] of Object.entries(obj)) {
+          if (!(v instanceof Object)) result[k] = v;
+          else if (Array.isArray(v)) result[k] = Object.freeze(v);
+          else result[k] = sanitiseRecursive(v);
+      }
+      return Object.freeze(result);
+    }
+    Search._index = sanitiseRecursive(index);
     if (Search._queued_query !== null) {
       const query = Search._queued_query;
       Search._queued_query = null;
@@ -335,7 +344,7 @@ const Search = {
     const queryLower = query.toLowerCase().trim();
     for (const [title, foundTitles] of Object.entries(allTitles)) {
       if (title.toLowerCase().trim().includes(queryLower) && (queryLower.length >= title.length/2)) {
-        for (const [file, id] of foundTitles) {
+        for (const [file, id] of Object.values(foundTitles)) {
           const score = Math.round(Scorer.title * queryLower.length / title.length);
           const boost = titles[file] === title ? 1 : 0;  // add a boost for document titles
           normalResults.push([
@@ -354,7 +363,7 @@ const Search = {
     // search for explicit entries in index directives
     for (const [entry, foundEntries] of Object.entries(indexEntries)) {
       if (entry.includes(queryLower) && (queryLower.length >= entry.length/2)) {
-        for (const [file, id, isMain] of foundEntries) {
+        for (const [file, id, isMain] of Object.values(foundEntries)) {
           const score = Math.round(100 * queryLower.length / entry.length);
           const result = [
             docNames[file],
@@ -474,7 +483,7 @@ const Search = {
       const descr = objName + _(", in ") + title;
 
       // add custom score for some objects according to scorer
-      if (Scorer.objPrio.hasOwnProperty(match[2]))
+      if (match[2] in Scorer.objPrio)
         score += Scorer.objPrio[match[2]];
       else score += Scorer.objPrioDefault;
 
@@ -489,7 +498,7 @@ const Search = {
       ]);
     };
     Object.keys(objects).forEach((prefix) =>
-      objects[prefix].forEach((array) =>
+      Object.values(objects[prefix]).forEach((array) =>
         objectSearchCallback(prefix, array)
       )
     );
@@ -520,13 +529,13 @@ const Search = {
       // add support for partial matches
       if (word.length > 2) {
         const escapedWord = _escapeRegExp(word);
-        if (!terms.hasOwnProperty(word)) {
+        if (!(word in terms)) {
           Object.keys(terms).forEach((term) => {
             if (term.match(escapedWord))
               arr.push({ files: terms[term], score: Scorer.partialTerm });
           });
         }
-        if (!titleTerms.hasOwnProperty(word)) {
+        if (!(word in titleTerms)) {
           Object.keys(titleTerms).forEach((term) => {
             if (term.match(escapedWord))
               arr.push({ files: titleTerms[term], score: Scorer.partialTitle });

tests/js/searchtools.spec.js

@@ -25,6 +25,35 @@ describe('Basic html theme search', function() {
     expect(nextExpected).toEqual(undefined);
   }
 
+  describe('index immutability', function() {
+
+    it('should not be possible to modify index contents', function() {
+      eval(loadFixture("cpp/searchindex.js"));
+
+      // record some initial state
+      const initialTitle = Search._index.titles[0];
+      const initialTitlesProto = Search._index.titles.__proto__;
+      const initialTerms = Search._index.terms;
+      const initialDocNames = [...Search._index.docnames];
+
+      // attempt to mutate the index state
+      try { Search._index.docnames.pop(); } catch {};
+      try { Search._index.docnames.push('extra'); } catch {};
+      Search._index.titles[0] += 'modified';
+      Search._index.titles.__proto__ = 'anotherProto';
+      Search._index.terms = {'fake': [1, 2, 3]};
+      Search._index.__proto__ = 'otherProto';
+
+      // ensure that none of the modifications were applied
+      expect(Search._index.__proto__).toBe(undefined);
+      expect(Search._index.terms).toEqual(initialTerms);
+      expect(Search._index.titles.__proto__).toEqual(initialTitlesProto);
+      expect(Search._index.titles[0]).toEqual(initialTitle);
+      expect(Search._index.docnames).toEqual(initialDocNames);
+    });
+
+  });
+
   describe('terms search', function() {
 
     it('should find "C++" when in index', function() {