SECURITY HOTFIX - Remove XSS attack #1634
Conversation
|
I think the allowed tags, attributes and host names should be read from a config file (lets say json to keep it simple) because that would make it much more comfortable to tweak/extend/improve these restrictions |
|
the next step could be to add an option to the settings, that allows to specify, which tags, attributes and hosts are allowed |
|
Careful when saying "should" @RomanKlopsch. I just spend hours patching a security hole directly after it came to my attention. My prefered security fix would be to disable html. According to the developers of the markdown renderer, that is what people "should" do. It's a boolean option; it would be a 1 minute fix. I figured Boostnote had reasons for going against this security advice, so I came up with this solution. Feel free to build a palace on top of this PR, but let's not start the goldplating discussion while the security hole is still open. @Rokt33r can add some extra defaults if you plead for certain tags, but I'm hoping he will merge this yesterday. |
|
I see your point @Redsandro and i agree, that this fix should be merged as fast as possible. Call me wrong but as far as i know it should last out to remove all html-tags, that define a js-event. These tags do all begin with on so removing all tags containing on should prevent the insertion of js. |
|
I'd just worried about the diagram things. But, everything works smoothly except auto scrolling. I agree with @Redsandro. Even we disable |
Rokt33r
added
next release (v0.11.0)
and removed
awaiting review ❇️
Definitely we should do.
The current configuration looks good to me. |
|
@Redsandro Could you fix auto scrolling again? If you don't have time to do it, I'm going to disable it temporary. Anyway, I'm going to release the next version on this Thursday. |
|
Hey guys, I reported the referenced batch of security bugs - thanks to everyone involved for your effort in fixing. I'll definitely re-test upon release and report any new XSS if I find some as a new issue. I agree with @Redsandro on pretty much all fronts. Allowing HTML while trying to prevent JS is a very painful path to go down. The side effect of this XSS allowing arbitrary code exec makes it even more dangerous. I think the whitelist approach is a good compromise. I don't think it's necessarily a bad decision to allow some html/css - it allows for a ton of cool features. Even my workflow depends on some html to format my notes appropriately, but I may be misusing the product a bit, haha. I regretfully don't have much time to help during the development phase, as my bandwidth is a little limited at the moment, but I can try to help on the pentesting front as much as I can. |
|
@Rokt33r said:
I pulled -update- I just did a fresh clone from master. Scroll sync still works fine. Could it be that you were on a wrong branch? |
|
@RomanKlopsch said:
Properly written notes should not have a problem. I think if a note depends on html a lot, one can argue that it's not written properly, but we have been getting away with it because of a bug or misguided feature. However, this discussion is not very productive without examples of problems caused. Show us broken usage patterns, and we can figure out how to deal with them, preferably in a new issue, and one problem per issue.
There are actually many ways to do xss, depending on features, plugins, and dependencies used by Boostnote, and their respective security issues. There can be zero-day exploits where you can write xss where it is not logically supposed to be possible due to errors in said dependencies.
Those are only the obvious ones. And electron picks up a lot of non-obvious ones, but there will always be new ones. Here are some other common ones:
XSS is more complex than just the 'legal' ways to execute scripts. I would actually prefer to remove For now this PR seems a sane place to start. |
|
@pmood Thanks for reporting. I wanted to get this fixed but I'm on a 'time budget' as well, so I only did shallow testing. I'm especially interested to see if |
|
Expressions should be impossible since that only works with old versions of IE as far as I know. Being limited to arbitrary CSS, the worst someone could do would probably be a keylogger. For ex: https://css-tricks.com/css-keylogger/ But even that's no big deal really since it would require you to type your sensitive information into that markdown file (like, honestly, what's the attack vector there?). You may be able to use it to load things like local images or fonts into the page. Again, not really a big deal. You can probably crash the program by loading huge images over and over... but that's pretty meh. You could have it automatically make requests upon opening the file which would reveal your IP if the attacker controls the server. The thing I am most interested in testing is the change to iframe and the filtering. I also started looking into maybe finding an issue to get XSS (or just flat code exec) using the existing markdown features rather than relying on inputting html directly. |
|
@Redsandro Thanks for your work and the explaination 👍 seems to be a real pain to solve xss without restricting users too much! Let me quickly outline some broken usage patterns caused by this fix here (please correct me if I'm wrong, I can then transfer them into a new issue if required)
This list can be endless and there will be almost certainly a broken usage pattern as long as the markdown implementation doesn't provide all possibilities that html does. Guess the question is what usage patterns boostnote wants to encourage (+ the majority needs) and which it wants to restrict. My guess: Boostnote is specifically advertised as "note-taking app for programmers that focuses on customizability" so I guess in the long run restricting all html tags when there are no alternatives in markdown might be annoying for some users. What about allowing to deactivate sanitisation but activate it by default? Let me know what you think about that. |
| @@ -84,6 +84,7 @@ | |||
| "react-sortable-hoc": "^0.6.7", | |||
| "redux": "^3.5.2", | |||
| "sander": "^0.5.1", | |||
| "sanitize-html": "^1.18.2", | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
@rayou this branch was merged 2 days ago. You'll have to create a PR upstream.
Please note that I am using the npm workflow. I don't know what yarn is. I just git push what was updated. If this creates a mismatch, perhaps some automation should be written.
|
@libeanim I'll address all points briefly and subjectively, but the fact is that previous usage options were only available at a serious risk. Risky behavior is now disabled, and this is the new status quo. Issues that arise from the inability to do previously risky things should really be treated as feature requests from now on, and have their own separate issues.
Yes. I suggest opening a new issue/whishlist for a few weeks to collect more legal suggestions from users to complement the default legal origins with.
True. Functionality and Security are opposites, unfortunately. One could argue for a user customizable wishlist, but in my opinion, highest security should always be the default. Please open a separate issue for this if you want to discuss this further.
True. Markdown should handle paragrapgs, italics, strikethrough, etc.. If you want to write html, use a html editor.
True. I think divs are safe and can be added to the whitelist, but I have never seen this in a note. Are you using this, or are you thinking of potential repercussions from this PR?
False. You can use
I'd argue that a Markdown editor should not use html tags and for tables there should be Github Flavored Markdown support in Boostnote where you can make basic tables. But as long as you don't use
I can imagine your usecase, but this is impossible without compromising security. Please create a new feature request issue with the option to add custom iframe origins or the option to disable XSS security.
Seems like you can safely create a PR with maps as a whitelisted origin.
Perhaps if the podcast is on a big famous trusted site, it can be added on the whitelist. Otherwise see response to point 8 above.
Can be discussed in a separate issue. Personally I think the option should be worded for what it is:
When enabling, a modal pops up:
This is in my opinion the only acceptable implementation of what you are saying. But still, personally I'm against it. Enabling something this dangerous should not be as easy as two clicks. I'm for a whitelist that can only be edited manually so that no one will accidentally mess things up. This will quickly get out of hand and hard to follow. Please create separate PRs for the obvious cases and separate issues/feature-requests for ideas that require further discussion. |
|
Let's discuss this issue on #1644 |
|
@Redsandro Thanks for your response! Yeah, I agree to all of your points. Maybe I have some time in the next weeks to implement the one or other feature For your interest regarding no 5:
yeah I used it to have an image on one side and text on another. Would be ace if multi-column text can be supported with markdown. I don't know whether there is any specification for that tho. Might look into that / create an issue. Cheers |
|
A quick +1 to @libeanim - I frequently use spans and divs to style definitions for class notes - I was pretty cranky to update my version in the middle of finals and lose all the styling I use to distinguish between concepts within notes. I originally switched to boostnote from another md app for ease of combining markdown and html. |
|
@emrusso I'm sorry to hear that. I hope that you're somewhat understanding to the idea that we were trying to prevent a more dramatic comment that would go something like "I was pretty cranky to learn that my computer was hijacked in the middle of finals by ransomware through security leaks that were known for 3 months now." As for the problem itself, you can do multiple things:
As for the proposal and further discussion, see #1644. |
|
@Redsandro @Rokt33r thanks so much for the quick response! Didn't mean to undercut the importance of security at all - I definitely appreciate (and prefer) the fast action on that, especially considering the prevalence of XSS. My main intent was to give more feedback on what html is used in the wild. Using the git settings for sanitization is a great move to maintain a balance between features and security 😊 |
This will address #1443 at least partially by restricting the type of html tags and attributes that user is allowed to use.
markdown-itthemselves advise against enabling html (and it was not my choice to enable it(1)), but I've seen youtube-iframes and img-tags used in the wild.The set is pretty restrictive because I don't know what kind of html is legitimately used in the wild. This PR is an important first step and more tags can be allowed later if they turn out to be used by a lot of people. I recommend to merge this first because it's a security issue, and wait for upset people that want to use html tag x-y-z later, and consider adding them back one by one.
(1): I think no html should be allowed. If people want to e.g. embed youtube-movies, a markdown extension should be made for that. Currently, this is done by means of
iframe, so this PR restricts the urlsiframeis allowed to load to youtube.com. More allowed urls can be added later if they turn out to be used a lot.I think
imgtags should be disallowed too because there are markdown alternatives, but this way at least theonerrorthe harm is gone.