Commit graph

13125 commits

Author SHA1 Message Date
Raymond Hill
a1689fb9d0
[mv3] Fix JSON, add description 2025-04-16 15:13:52 -04:00
Raymond Hill
b8adf5b027
[mv3] Add admin setting defaultFiltering
Setting name: "defaultFiltering"
Type: string
Valid values: "none", "basic", "optimal", "complete"

Additionally, fix default "basic" mode toggling back to "optimal"
upon extension restart when uBOL has broad host permissions. The
default mode will toggle automatically only when there is a change
in broad host permissions status.
2025-04-16 15:04:47 -04:00
Raymond Hill
3b34f9439a
Import translation work from https://crowdin.com/project/ublock 2025-04-16 08:39:43 -04:00
Raymond Hill
ec19e352b1
[mv3] Mitigate issues when hitting regex-based rules limit
When there are too many regex-based rules, uBOL will start to drop
some strict-block rules to comply with the framework limit regarding
the maximum number of regex-based rules.

Related issues:
- https://github.com/uBlockOrigin/uBOL-home/issues/317
- https://github.com/w3c/webextensions/issues/744
2025-04-16 08:19:52 -04:00
Raymond Hill
e20e6addf0
[mv3] Mind excluded to= hostnames in strict-block rules 2025-04-16 08:18:26 -04:00
Raymond Hill
eaedaf5b10
Fix regexes with potential catastrophic backtracking
The quoted email below was sent to ubo-security at raymondhill dot net:

=====
Dear Raymond,

I am writing to report a potential Regular Expression Denial of Service (ReDoS)
vulnerability in the 1p-filters.js script of uBlock Origin. The vulnerability
occurs due to the use of the regular expression /\s+$/, which is used to remove
trailing whitespace. This issue can lead to a denial of service when processing
strings with a large number of trailing spaces, potentially causing a browser to
freeze.

Affected file(s)

    js/1p-filters.js

Vulnerable pattern(s)

    Lines 131 and 167: /\s+$/

Description of the issue

The regular expression /\s+$/ is applied to remove trailing whitespace in user‑
provided content. However, when the content has a large number of spaces
(e.g., ~100,000), this pattern causes excessive backtracking in the regular
expression engine, resulting in performance degradation and UI freezing. This is
a classic ReDoS attack vector.

Steps to reproduce

1. Open the uBlock Origin dashboard and navigate to the My filters tab.
2. Run the following code in the browser's DevTools Console or as a bookmarklet.
3. Observe the UI freezing for several seconds or even longer, depending on the
   number of spaces used.

PoC (Proof of Concept)

/**
 * poc.js — triggers ReDoS in 1p-filters.js
 * Expected: <1 ms; Actual: several seconds – UI freeze
 */
(() => {
  const payload = " ".repeat(100000) + "!";  // 100,000 spaces + sentinel
  const run = () => {
    if (!window.cmEditor) {
      console.error("cmEditor not ready");
      return;
    }
    // Inject payload into the editor
    cmEditor.setValue(payload);

    console.time("ReDoS");
    // Call the vulnerable function (mirroring getEditorText)
    cmEditor.getValue().replace(/\s+$/, '');
    // Alternatively, simulate a realistic user flow:
    // document.querySelector('#userFiltersApply').click();
    console.timeEnd("ReDoS");
  };

  if (document.readyState === "complete") {
    run();
  } else {
    window.addEventListener("load", run, { once: true });
  }
})();

Impact

This issue can significantly degrade the user experience, causing the page to
become unresponsive. If an attacker can inject this malicious string into the
page (for example, through XSS or other attacks), it could lead to a denial of
service (DoS). This vulnerability can be triggered repeatedly, causing the
browser to hang indefinitely.

Suggested fix

The issue can be mitigated by replacing /\s+$/ with a more efficient solution,
such as a look‑behind assertion /(?<=\S)\s+$/ (available in modern browsers)
which ensures no backtracking occurs, or using trimEnd() for legacy support:

// Example of using look-behind:
cmEditor.setValue(text.replace(/(?<=\S)\s+$/, '') + '\n\n');

// Alternatively, using trimEnd():
cmEditor.setValue(text.trimEnd() + '\n\n');

Additional information

If required, I am happy to assist in testing or provide more information.
Please feel free to contact me for further clarification.

Best regards,
[redacted]
=====
2025-04-15 12:47:02 -04:00
Raymond Hill
87007e62c0
[mv3] Ensure POL-3 list is separate from POL-0 list in uBOL 2025-04-14 09:07:46 -04:00
Raymond Hill
b5eea3ce3a
[mv3] Fix Github Actions 2025-04-13 15:45:39 -04:00
Raymond Hill
e11335f5ad
[mv3] Fix Github Actions 2025-04-13 15:37:07 -04:00
Raymond Hill
20f52daf9b
Import translation work from https://crowdin.com/project/ublock 2025-04-13 15:23:08 -04:00
Raymond Hill
f15adcf2d5
[mv3] Ensure strict-blocking is enabled when gaining broad permissions 2025-04-13 10:24:23 -04:00
Raymond Hill
51db128dc2
[mv3] "Enable strict blocking" setting depends on broad host permissions 2025-04-13 10:13:18 -04:00
Raymond Hill
7c5c93f073
Import translation work from https://crowdin.com/project/ublock 2025-04-13 09:34:22 -04:00
Raymond Hill
dc3602985f
[mv3] Update summary description 2025-04-13 09:19:25 -04:00
Raymond Hill
9bf05023c1
Import translation work from https://crowdin.com/project/ublock 2025-04-13 09:16:54 -04:00
Raymond Hill
50f87c21ea
[mv3] Provide console feedback that work is ongoing when building 2025-04-13 09:04:13 -04:00
Raymond Hill
f51a4c79db
[mv3] Determine "genericity" on a per-cosmetic filter basis
Related issue:
https://github.com/uBlockOrigin/uBOL-home/issues/328
2025-04-13 09:02:12 -04:00
Raymond Hill
12c8bc6c5b
Make Firefox dev build auto-update 2025-04-13 07:45:55 -04:00
Raymond Hill
a33e2e4115
New revision for dev build 2025-04-13 07:39:03 -04:00
Raymond Hill
5ed1b07034
Update changelog 2025-04-13 07:38:19 -04:00
Raymond Hill
cac420a22d
Rename trusted-create-element to trusted-create-html
To avoid confusion with AG's own `trusted-create-element`, which has
a different syntax and a different purpose.
2025-04-13 07:34:36 -04:00
Raymond Hill
c15dc9d8ff
Fix scrollbars not following dark theme
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3604
2025-04-12 15:51:36 -04:00
Raymond Hill
dfd42ebf5f
Improve noscript spoofing
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2642
2025-04-12 15:20:18 -04:00
Raymond Hill
d1fc38c473
Make Firefox dev build auto-update 2025-04-12 11:01:06 -04:00
Raymond Hill
cc987cb072
Update changelog 2025-04-12 10:55:14 -04:00
Raymond Hill
b4a8dd0754
New revision for dev build 2025-04-12 10:54:00 -04:00
Raymond Hill
20dd606504
Add trusted-create-element scriptlet
As discussed with filter list maintainers.

* @scriptlet trusted-create-element
*
* @description
* Element(s) from a parsed HTML string are added as child element(s) to a
* specific parent element in the DOM.
*
* @param parent
* A CSS selector identifying the element to which created element(s) will be
* added.
*
* @param html
* An HTML string to be parsed using DOMParser, and which resulting elements
* are to be added as child element(s).
*
* @param duration
* Optional. If specified, the time in ms after which the added elements will
* be removed. No removal will occur if not specified.
2025-04-12 10:51:50 -04:00
Raymond Hill
a06f09acda
Group POL lists together 2025-04-12 09:40:46 -04:00
Raymond Hill
ad2add4676
Code review 2025-04-12 08:08:12 -04:00
Raymond Hill
af054f7980
Make Firefox dev build auto-update 2025-04-11 18:51:21 -04:00
Raymond Hill
1e783d62e0
New revision for dev build 2025-04-11 18:44:55 -04:00
Raymond Hill
f25a437fd1
Code review re. scriptlets lookup
Possibly fixes a race condition at browser launch causing empty
scriptlets to be injected (and cached).
2025-04-11 18:20:51 -04:00
Raymond Hill
90e3c352ec
Make Firefox dev build auto-update 2025-04-11 10:11:13 -04:00
Raymond Hill
ad68834479
Update changelog 2025-04-11 10:01:31 -04:00
Raymond Hill
809d4f93c4
New revision for dev build 2025-04-11 09:58:51 -04:00
Raymond Hill
11e159fd31
[mv3] Discard regex- or path-based targets in static extended filters
There is no support yet for such filters in uBO Lite.
2025-04-11 09:49:03 -04:00
Raymond Hill
15e832da8a
Mind potential race condition when dynamically registering scriptlets
In Firefox, scriptlets are dynamically registered as content scripts
to ensure they execute in a timely manner.

The race condition could lead to scriptlet injection failing at
browser launch time in Firefox when the setting "Suspend network
activity until all filter lists are loaded" had been disabled[1],
even after forcing a page reload. Causing the filter lists to
reload would make the issue go away.

[1] Default is enabled in Firefox and it is strongly advised to NOT
    change this.
2025-04-11 09:35:38 -04:00
Raymond Hill
3d2f70ac56
Add POL list for regional malware
Related discussion:
https://github.com/uBlockOrigin/uBlock-discussions/discussions/890#discussioncomment-9632360
2025-04-11 09:06:28 -04:00
Raymond Hill
d1c57d3fa6
Remove stale extraneous POL-2 list
Related issue:
https://github.com/uBlockOrigin/uAssets/issues/27935
2025-04-10 09:35:19 -04:00
Raymond Hill
70bdcfbae6
Make Firefox dev build auto-update
Mistakenly ran the update script from the safari-ubol branch.
2025-04-10 09:11:56 -04:00
Raymond Hill
ae336c3688
New revision for dev build 2025-04-10 07:37:01 -04:00
Raymond Hill
d0e303ca19
Fix regression in response header filtering
Related commit:
8b696a691a
2025-04-10 07:32:09 -04:00
Raymond Hill
981be2d5b2
Make Firefox dev build auto-update 2025-04-09 18:31:38 -04:00
Raymond Hill
2679aafc17
New revision for dev build 2025-04-09 18:25:20 -04:00
Raymond Hill
9029d1d715
Fix regression in categorizing highly generic filters at load time
Related feedback:
https://github.com/uBlockOrigin/uBlock-issues/issues/3235#issuecomment-2790807915

Regression from:
8b696a691a
2025-04-09 18:23:01 -04:00
Raymond Hill
0fdcd44794
Import translation work from https://crowdin.com/project/ublock 2025-04-09 15:29:26 -04:00
Raymond Hill
01e36db23a
Remove "permission-less" status at install time
Related issue:
https://github.com/uBlockOrigin/uBOL-home/issues/326

uBOL now asks broad host permissions by default. Users can still
choose narrow host permissions by using their browser's controls
for this.

For instance in Chromium, those host permissions controls are found
in the "Site access" section in the detailed view of an extension.

One can set "Site access" to "On click" to revoke broad host
permissions, and grant host permissions to only specific site.

In such mode, uBOL will still block through the DNR API, but no
cosmetic or scriptlet filtering will occurs, as these requires
permission to "read and change data" on websites for which higher
filtering mode is desired.

Some browsers do not automatically grant broad host permissions
even when an extension asks for broad permissions at install time,
and going forward all browsers will likely adopt this approach, and
thus it no longer made sense for uBOL to default to no broad hosts
permissions at install time, especially given this leads to issues
with no solution -- issues solved with the new approach (e.g. like
the ability to deploy uBOL in Optimal mode by default).
2025-04-09 15:11:17 -04:00
Raymond Hill
f6f7333b5d
Code review for recent commit re path support in target
Related commit:
8b696a691a

1) There will always be a `/` at that point in the code path
2) The hostname will already be a match in that code path
2025-04-08 19:01:43 -04:00
Raymond Hill
c38101cd34
Make Firefox dev build auto-update 2025-04-08 15:51:30 -04:00
Raymond Hill
cdc63d03cf
New revision for dev build 2025-04-08 15:43:13 -04:00