Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security]: Javascript links #3505

Closed
4 tasks done
terribleplan opened this issue Jul 6, 2023 · 4 comments
Closed
4 tasks done

[Security]: Javascript links #3505

terribleplan opened this issue Jul 6, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@terribleplan
Copy link

Requirements

  • Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • Did you check to see if this issue already exists?
  • Is this only a single bug? Do not put multiple bugs in one issue.
  • Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

Javascript is allowed as a scheme in links. This should likely be restricted to only http and https. This should probably be enforced at a federation level as well reject non-http(s) URIs on links. This was reported in the wild here

I tried to contact security@lemmy.ml over a week ago but gotten no response for a separate issue that is made much more severe due to this issue. Please contact me at kegan@keganmyers.com to discuss the other issue that has not yet been publicly disclosed elsewhere yet.

Steps to Reproduce

  1. Submit a link with javascript:alert('hacked')
  2. Click the link
  3. The javascript is executed

Technical Details

You can see a link I tested this with here.

Version

0.17.4 and up

Lemmy Instance URL

lemmy.nrd.li
@terribleplan terribleplan added the bug Something isn't working label Jul 6, 2023
@necropola
Copy link

necropola commented Jul 6, 2023
edited

@dessalines @Nutomic Does this hack still work in 0.18.x?

Update: Tested on lemmy.world (UI: 0.18.1-rc.10 | BE: 0.18.1-rc.9-14-ge7195130) and it still works.

What is lemmy's designated procedure for sanitizing user input:

  • UI sanitizes data before generating html (output) from it,
  • UI validates data before accepting it from the user,
  • UI sanitizes before writing to Backend,
  • Backend validates data before accepting it from the UI,
  • Backend sanitizes before writing to DB,
  • Backend sanitizes before federating
  • or all of the above?

Nutomic added a commit that referenced this issue Jul 6, 2023
@Nutomic
Only allow http(s) scheme for urls (ref #3505)
be285c8 
With this change only http(s) schemes are allowed for post.url
field. This is checked for incoming api and federation requests.
Existing posts in database which are sent to clients are not
checked. Neither does it check urls in markdown.
Nutomic added a commit that referenced this issue Jul 6, 2023
@Nutomic
Only allow http(s) scheme for urls (ref #3505)
eaf0fbf 
With this change only http(s) schemes are allowed for post.url
field. This is checked for incoming api and federation requests.
Existing posts in database which are sent to clients are not
checked. Neither does it check urls in markdown.
@necropola necropola mentioned this issue Jul 6, 2023
Closed
4 tasks
dessalines pushed a commit that referenced this issue Jul 6, 2023
@Nutomic
Only allow http(s) scheme for urls (ref #3505) (#3508)
00f9f79 
With this change only http(s) schemes are allowed for post.url
field. This is checked for incoming api and federation requests.
Existing posts in database which are sent to clients are not
checked. Neither does it check urls in markdown.
@Nutomic
Copy link
Member

Nutomic commented Jul 6, 2023

The fix is deployed on voyager.lemmy.ml so you can test there (signups are open). Looks like the markdown parser already prohibits javascript links so this seems completely fixed to me.

@terribleplan
Copy link
Author

@Nutomic

As basically all of what I discovered is being exploited in the wild I have posted what I found: https://akkoma.nrd.li/notice/AXXhAVF7N5ZH1V972W

I did reply to the kind email I was sent, I assume my response and my earlier emails must have gotten caught in a spam filter or something. In my response I did mention that I signed up for a matrix account and my user id is @terribleplan:sakura.ci, and I am around sporadically if you would like to go over what I have found and ways to remediate the issues.

@Nutomic
Copy link
Member

Nutomic commented Jul 10, 2023

@terribleplan Sent you a message.

This issue is finished.

@Nutomic Nutomic closed this as completed Jul 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Nutomic @terribleplan @necropola