
[hackerone] validate wayback URL before navigating #32395

Closed
diracdeltas opened this issue Aug 19, 2023 · 2 comments · Fixed by brave/brave-core#19786
diracdeltas (Member) commented Aug 19, 2023

see https://bravesoftware.slack.com/archives/C6R461GF4/p1692466879103279?thread_ts=1692442338.103219&cid=C6R461GF4 for details

reported at https://hackerone.com/reports/2117246 and https://hackerone.com/reports/2113111 by xiaoyinl

STR:

  1. Launch and load brave.com/bo
  2. Check wayback infobar is loaded
  3. Using a proxy tool such as Proxyman or Fiddler, modify the response for https://brave-api.archive.org/wayback/available?url=https://brave.com/bo/ to:

     {
       "url": "https://brave.com/bo/",
       "archived_snapshots": {
         "closest": {
           "status": "200",
           "available": true,
           "url": "javascript:alert()",
           "timestamp": "20150906092942"
         }
       }
     }

  4. Check infobar says Sorry, there is no saved version available.

Note: As it's platform independent, checking on one platform would be sufficient.

@diracdeltas diracdeltas added the priority/P2 A bad problem. We might uplift this to the next planned release. label Aug 19, 2023
simonhong added a commit to brave/brave-core that referenced this issue Aug 21, 2023
fix brave/brave-browser#32395

Only allow loading an http/https scheme and a valid wayback domain.
simonhong added a commit to brave/brave-core that referenced this issue Aug 21, 2023
fix brave/brave-browser#32395

Only allow loading a valid wayback URL that has an http/https scheme and
a valid wayback domain.
simonhong added a commit to brave/brave-core that referenced this issue Aug 21, 2023
fix brave/brave-browser#32395

Only allow loading a valid wayback URL that has an http/https scheme and
a valid wayback domain.
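The STR above shows why the snapshot URL returned by the availability API must be treated as untrusted input: an attacker who can tamper with that response can substitute a `javascript:` URL, and the infobar's "open saved version" action would navigate to it. The commit message states the rule the fix applies (only an http/https scheme on a valid wayback domain). The following is an added illustration of that rule, not brave-core's own C++ implementation: it parses the availability response, applies the scheme and host checks, and returns no URL at all when the check fails, which is the state in which the infobar shows "Sorry, there is no saved version available." The Wayback host `web.archive.org` and the benign response are assumptions/constructed samples; the malicious response is the one from the STR.

```python
import json
from urllib.parse import urlsplit

# Assumed: Wayback snapshots are served from this host. The issue does not
# name the "valid wayback domain", so this is an assumption for the example.
WAYBACK_HOST = "web.archive.org"
ALLOWED_SCHEMES = {"http", "https"}


def is_valid_wayback_url(candidate: str) -> bool:
    """Accept only http(s) URLs whose host is exactly the Wayback host.

    Rejects javascript:/data:/file: URLs, lookalike hosts such as
    web.archive.org.evil.example, and userinfo tricks such as
    https://web.archive.org@evil.example/.
    """
    try:
        parts = urlsplit(candidate.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if host is None:
        return False
    return host == WAYBACK_HOST


def snapshot_url_from_response(body: str):
    """Parse the availability API JSON and return a safe snapshot URL, or None.

    None means "no saved version available": the caller must not navigate.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    closest = data.get("archived_snapshots", {}).get("closest")
    if not isinstance(closest, dict):
        return None
    if closest.get("available") is not True or closest.get("status") != "200":
        return None
    url = closest.get("url")
    if not isinstance(url, str) or not is_valid_wayback_url(url):
        return None
    return url


# Tampered response exactly as given in the STR on this issue.
MALICIOUS_RESPONSE = """{
 "url": "https://brave.com/bo/",
 "archived_snapshots": {
   "closest": {
     "status": "200",
     "available": true,
     "url": "javascript:alert()",
     "timestamp": "20150906092942"
   }
 }
}"""

# Constructed benign response for comparison (not captured from the real API).
BENIGN_RESPONSE = """{
 "url": "https://brave.com/bo/",
 "archived_snapshots": {
   "closest": {
     "status": "200",
     "available": true,
     "url": "https://web.archive.org/web/20150906092942/https://brave.com/bo/",
     "timestamp": "20150906092942"
   }
 }
}"""

if __name__ == "__main__":
    for label, body in (("tampered", MALICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)):
        result = snapshot_url_from_response(body)
        print(f"{label}: {result if result else 'no saved version available'}")
```

The check deliberately compares the parsed host rather than doing a substring match on the raw string, and it relies on the URL parser to strip userinfo and normalise case, so a response that passes the scheme check but points anywhere other than the Wayback host still yields the "no saved version" state.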
@brave-builds brave-builds added this to the 1.59.x - Nightly milestone Aug 21, 2023
@rebron rebron added this to Completed in General Aug 22, 2023
@rebron rebron moved this from Completed to Pending review/uplift or retest in General Aug 22, 2023
kjozwiak (Member) commented:

The above requires 1.57.57 or higher for 1.57.x verification 👍

LaurenWags (Member) commented Aug 30, 2023

Verified with

Brave | 1.57.57 Chromium: 116.0.5845.163 (Official Build) (arm64)
-- | --
Revision | d85db1f5df3b20ffecf96ab3f0dc7fca1d536955
OS | macOS Version 13.5.1 (Build 22G90)

Using the STR/Cases outlined via #32395 (comment), ensured that Sorry, there is no saved version available. was being displayed when visiting https://brave.com/bo/ and clicking on Check for saved versions via the Wayback Machine as per the following:

  • using Fiddler, created a new rule to change the JSON response for https://brave-api.archive.org/wayback/available?url=https://brave.com/bo/ to the JSON that's mentioned via [hackerone] validate wayback URL before navigating #32395 (comment)
  • enabled the Fiddler rule and visited https://brave.com/bo/
  • ensured that clicking Check for saved versions displayed Sorry, there is no saved version available. via the banner

Verification PASSED on

Brave | 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
-- | --
Revision | d85db1f5df3b20ffecf96ab3f0dc7fca1d536955
OS | Windows 11 Version 22H2 (Build 22621.2134)

Using the STR/Cases outlined via #32395 (comment), ensured that Sorry, there is no saved version available. was being displayed when visiting https://brave.com/bo/ and clicking on Check for saved versions via the Wayback Machine as per the following:

  • using Fiddler, created a new rule to change the JSON response for https://brave-api.archive.org/wayback/available?url=https://brave.com/bo/ to the JSON that's mentioned via [hackerone] validate wayback URL before navigating #32395 (comment)
  • enabled the Fiddler rule and visited https://brave.com/bo/
  • ensured that clicking Check for saved versions displayed Sorry, there is no saved version available. via the banner

@rebron rebron moved this from Pending review/uplift or retest to Completed in General Aug 30, 2023
@rebron rebron removed this from Completed in General Sep 11, 2023