
Javascript injection via notification messages #7283

Closed · luigigubello opened this issue Mar 5, 2020 · 5 comments · Fixed by #7289
Labels: help wanted (issues meant to be picked up, require help), notifications (issues related to notifications), security (issues related to security)

Comments

@luigigubello

Description

In the notification messages there is no HTML escaping, so Javascript code can run. I'm not sure, but I think the issue is in packages/messages/src/browser/notification-component.tsx:76

<span dangerouslySetInnerHTML={{ __html: message }} onClick={this.onMessageClick} />

In the Electron app, arbitrary JS code can lead to dangerous exploits.

Reproduction Steps

  • Create a new project and create a new debugger configuration file launch.json
  • In the type field write the Javascript payload (e.g. <details open ontoggle=confirm(2)>)
  • Press F5 to launch the debugger and see the alert box

(Screenshot attached: 2020-03-05 12-41-54, showing the alert box)

OS and Theia version:

  • Ubuntu 18.04
  • Theia Electron Example 0.16.0

I think this bug is a vulnerability: I can exfiltrate data from the victim's computer by using JS. Here is a proof-of-concept video.

Theia_PoC.zip
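The rendering choice behind this report, reduced to plain strings so it runs under Node without a DOM. This is an added example, not Theia's code: the React line quoted above, `dangerouslySetInnerHTML={{ __html: message }}`, hands the message to the HTML parser, and the two renderers below reproduce that choice and its fix side by side. The CSS class name is assumed; the payload is the one from the reproduction steps, which reach a notification through the `type` field of `launch.json`. The multiline variant goes a step beyond the report and shows how to keep line breaks without reopening the hole.

```javascript
// Added example, not Theia's code. Class name assumed; payload from the issue.
const PAYLOAD = '<details open ontoggle=confirm(2)>';

// Vulnerable: the message is spliced in verbatim, so <details ontoggle=...>
// becomes a live element and its handler fires as soon as it is attached.
// This is what dangerouslySetInnerHTML={{ __html: message }} amounts to.
function renderUnsafe(message) {
  return `<span class="theia-notification-message">${message}</span>`;
}

// Escape the five characters that can open a tag, end an attribute value or
// start an entity. Everything else is inert inside a text node.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same markup, but the message can only ever be text. In React this
// is what rendering {message} as a child does; no dangerouslySetInnerHTML needed.
function renderSafe(message) {
  return `<span class="theia-notification-message">${escapeHtml(message)}</span>`;
}

// Line breaks without reopening the hole: split on "\n" first, escape each
// line, then join with a <br> the renderer writes itself. A message such as
// "\n<img src=x onerror=...>" still ends up as text.
function renderSafeMultiline(message) {
  return `<span class="theia-notification-message">${
    String(message).split('\n').map(escapeHtml).join('<br>')
  }</span>`;
}

// Regression oracle for unit tests that have no DOM: the only tags in the
// output must be the ones the renderer itself emits.
const RENDERER_TAGS = new Set(['span', '/span', 'br']);
function onlyRendererTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return tags.every((t) => RENDERER_TAGS.has(t));
}
```

Run against the issue's payload, `renderUnsafe` yields a `<details>` element with an `ontoggle` handler inside the span, while `renderSafe` yields the literal text `&lt;details open ontoggle=confirm(2)&gt;`; `onlyRendererTags` distinguishes the two without a browser, which makes it usable as a test for the component.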

@kittaakos added the security label Mar 5, 2020
@akosyakov added the help wanted and notifications labels Mar 5, 2020
@akosyakov (Member)

cc @AlexTugarev

@akosyakov (Member)

> I think this bug is a vulnerability, I can exfiltrate data from the victim's computer by using JS.

Extensions already have access to all operating system APIs. There is no need to inject JS in the notification center 😆

I think we should fix it anyway.

> In the Electron app, arbitrary JS code can lead to dangerous exploits.

In order to be completely safe, we need to enable web security in Electron and run remote content like the mini browser as webviews; otherwise any loaded JS code can use the Node.js API to access everything directly.
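What the comment above asks for, spelled out as an Electron window configuration. This is an added example, not Theia's code: the option names are Electron's own `BrowserWindow` `webPreferences`, while the function names, the window size and the preload path are assumptions, and the window constructor is passed in so the module loads and can be exercised without Electron installed. The permissive object is the setup the comment warns about; the hardened one is the baseline that keeps page JS (including anything injected through the notification bug) away from Node.

```javascript
// Added example, not Theia's code. Option names are Electron's; the rest is ours.

// The setup the comment warns about: the page, and any script injected into
// it through the notification bug or any other XSS, can call require('fs'),
// require('child_process'), ... directly. webSecurity off also drops the
// same-origin policy.
const permissiveWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
  webSecurity: false,
  webviewTag: true,
};

// Hardened baseline: no Node in the page, preload code in its own realm,
// same-origin policy on, renderer sandboxed. Remote content such as a mini
// browser then lives in a <webview> with its own process and no Node access,
// instead of being loaded into the main window.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  webSecurity: true,
  sandbox: true,
  webviewTag: true,
  preload: 'preload.js', // hypothetical path; exposes a narrow API via contextBridge
};

// Returns the settings that would let injected page JS out of the web sandbox.
// A missing key counts as a finding: set these explicitly instead of relying
// on defaults, which have changed between Electron versions.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration: page JS can require() Node modules');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation: page JS shares a realm with the preload script');
  }
  if (prefs.webSecurity !== true) {
    findings.push('webSecurity: same-origin policy disabled');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox: renderer process is not sandboxed');
  }
  if (prefs.enableRemoteModule === true) {
    findings.push('enableRemoteModule: page JS can reach main-process objects');
  }
  return findings;
}

// Opens the main window and refuses to start if the preferences regressed.
// In main.js: createMainWindow(require('electron').BrowserWindow, url)
function createMainWindow(BrowserWindowCtor, url) {
  const findings = auditWebPreferences(hardenedWebPreferences);
  if (findings.length > 0) {
    throw new Error(`refusing to open window: ${findings.join('; ')}`);
  }
  const win = new BrowserWindowCtor({
    width: 1280,
    height: 800,
    webPreferences: hardenedWebPreferences,
  });
  win.loadURL(url);
  return win;
}
```

With these preferences an injected `<details ontoggle=...>` can still run script in the page, but that script has no `require`, no Node globals and no cross-origin fetch; it is back to an ordinary browser XSS rather than code execution on the host.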

@spoenemann (Contributor)

While we're changing the way we render notifications, can we make sure that line breaks in the notification text are displayed as such? I already found myself "using" this exploit in the past by replacing \n with <br/> before submitting a notification message.

@AlexTugarev self-assigned this Mar 6, 2020
@AlexTugarev (Contributor)

AlexTugarev commented Mar 6, 2020

Will align with vscode for that matter.

@spoenemann, that's not supported, cf. https://github.com/Microsoft/vscode/blob/5651fa0a8a482ba8427797ba2c053b1943ff15fb/src/vs/workbench/common/notifications.ts#L493

@waynebeaton

I've assigned CVE-2021-28162 with this description:

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.

CWE-830: Inclusion of Web Functionality from an Untrusted Source

Let me know if updates are required.
