Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strip HTML tags for gist id to avoid stored XSS on showing error [Security Issue] #1691

Merged
merged 2 commits into from
Jun 16, 2021
Merged

Strip HTML tags for gist id to avoid stored XSS on showing error [Security Issue] #1691

merged 2 commits into from
Jun 16, 2021

Conversation

jackycute
Copy link
Member

Fix #1689

cc @lbherrera

Signed-off-by: Max Wu jackymaxj@gmail.com

@jackycute jackycute requested review from a60814billy and Yukaii May 31, 2021 05:16
@jackycute jackycute force-pushed the bugfix/fix-gist-id-stored-XSS branch from cc52e8d to 272904a Compare May 31, 2021 08:05
@jackycute jackycute changed the title Escape gist id to avoid stored XSS on showing error [Security Issue] Strip HTML tags for gist id to avoid stored XSS on showing error [Security Issue] May 31, 2021
@jackycute jackycute force-pushed the bugfix/fix-gist-id-stored-XSS branch from 272904a to 85c76f5 Compare June 1, 2021 10:12
@lbherrera
Copy link

Hi @jackycute,

I think the fix contained on 85c76f5 is incomplete as the code located in https://github.com/hackmdio/codimd/blob/develop/public/js/extra.js#L332 looks for elements that have a code tag with a data-gist-id attribute and then sends a reference of it to the gist function of the gist's embed library.

So if a user created the following note, they would still be able to reach the vulnerable library and get XSS:

<code data-gist-id="payload"></code>

I think that to fix this issue you will have to make sure that all the attributes of code tags that have a data-gist-id attribute are escaped before calling $(value).gist(window.viewAjaxCallback).

@jackycute jackycute force-pushed the bugfix/fix-gist-id-stored-XSS branch from 85c76f5 to 9e65e7a Compare June 2, 2021 01:31
@jackycute
Copy link
Member Author

jackycute commented Jun 2, 2021
edited
Loading

Hi @jackycute,

I think the fix contained on 85c76f5 is incomplete as the code located in https://github.com/hackmdio/codimd/blob/develop/public/js/extra.js#L332 looks for elements that have a code tag with a data-gist-id attribute and then sends a reference of it to the gist function of the gist's embed library.

So if a user created the following note, they would still be able to reach the vulnerable library and get XSS:

<code data-gist-id="payload"></code>

I think that to fix this issue you will have to make sure that all the attributes of code tags that have a data-gist-id attribute are escaped before calling $(value).gist(window.viewAjaxCallback).

Thanks for heads up @lbherrera.
I've force pushed a commit that set attribute with stripped tags gist id before applying gist embed to the element.
Please take a look if that works, thanks.

@lbherrera
Copy link

I think that works, but there are other attributes that get used by gist embed that also seem to be reflected into error messages and need to be sanitized as well.

e = f.data("gist-id") || "";
h = f.data("gist-file");
k = f.data("gist-hide-footer") === true;
d = f.data("gist-hide-line-numbers") === true;
n = f.data("gist-line");
l = f.data("gist-highlight-line");
m = f.data("gist-show-spinner") === true;

[...]

g = f.data("gist-show-loading") !== undefined ? f.data("gist-show-loading") : true

I don't see this being exploitable anymore if you also sanitize the data-gist-file, data-gist-line, data-gist-show-loading and data-gist-highlight-line attributes.

@jackycute jackycute force-pushed the bugfix/fix-gist-id-stored-XSS branch from 94ba61b to 33b1044 Compare June 9, 2021 07:06
@jackycute
Copy link
Member Author

I think that works, but there are other attributes that get used by gist embed that also seem to be reflected into error messages and need to be sanitized as well.

e = f.data("gist-id") || "";
h = f.data("gist-file");
k = f.data("gist-hide-footer") === true;
d = f.data("gist-hide-line-numbers") === true;
n = f.data("gist-line");
l = f.data("gist-highlight-line");
m = f.data("gist-show-spinner") === true;

[...]

g = f.data("gist-show-loading") !== undefined ? f.data("gist-show-loading") : true

I don't see this being exploitable anymore if you also sanitize the data-gist-file, data-gist-line, data-gist-show-loading and data-gist-highlight-line attributes.

Thanks for the reminder.
I've pushed commit that also sanitize those attributes, please take a look.

@Yukaii Yukaii temporarily deployed to codimd-pr-1691 June 10, 2021 05:14 Inactive
jackycute added 2 commits June 16, 2021 19:00
@jackycute
fix: strip html tags for gist id to avoid stored XSS on showing error…
6966881 
… [Security Issue]

Signed-off-by: Max Wu <jackymaxj@gmail.com>
@jackycute
fix: strip html tags for gist file, gist line, gist highlight line, g…
2eefe77 
…ist show loading attrtributes

Signed-off-by: Max Wu <jackymaxj@gmail.com>
@jackycute jackycute force-pushed the bugfix/fix-gist-id-stored-XSS branch from 33b1044 to 2eefe77 Compare June 16, 2021 11:00
@a60814billy a60814billy merged commit 82b7800 into develop Jun 16, 2021
@a60814billy a60814billy mentioned this pull request Jan 18, 2022
Merged
@stanley2058 stanley2058 mentioned this pull request Dec 26, 2023
Merged
@Yukaii Yukaii deleted the bugfix/fix-gist-id-stored-XSS branch January 3, 2024 06:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Yukaii Yukaii Yukaii approved these changes

@a60814billy a60814billy a60814billy approved these changes

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Stored XSS in Gist's importing functionality
4 participants
@jackycute @lbherrera @a60814billy @Yukaii