Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix secondary order XSS: Harden file type inputs #4635

Merged
merged 1 commit into from Feb 14, 2023
Merged

Fix secondary order XSS: Harden file type inputs #4635

merged 1 commit into from Feb 14, 2023

Conversation

NicolasDorier
Copy link
Member

@NicolasDorier NicolasDorier commented Feb 14, 2023
edited

I was thinking we could avoid validating file upload.
But nope... @nayefhmoodh has shown me a secondary order XSS which can even avoid the strictest CSP by crafting a rogue PDF file...

Credit to @nayefhmoodh

https://huntr.dev/bounties/9464e3c6-961d-4e23-8b3d-07cbb31de541/

@NicolasDorier NicolasDorier marked this pull request as draft February 14, 2023 02:34
@NicolasDorier
Copy link
Member Author

I can't detect whether a file is CSS. However, I can add some CSS trash as first line of a so called CSS file. If JS run, it will just crash first line... will do this.

@NicolasDorier
Copy link
Member Author

Ok I managed to make uploaded JS unexecutable with X-Content-Type-Options: nosniff

@NicolasDorier NicolasDorier marked this pull request as ready for review February 14, 2023 05:46
@NicolasDorier NicolasDorier merged commit fea27b9 into btcpayserver:master Feb 14, 2023
@NicolasDorier NicolasDorier deleted the euown branch February 14, 2023 08:03
dennisreimann
dennisreimann reviewed Feb 14, 2023
View reviewed changes
BTCPayServer/Controllers/UIStoresController.cs
Comment on lines +708 to +710
if (model.CssFile.Length > 1_000_000)
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded file should be less than 1MB";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can lower this limit here as 100KB should already be more than enough. (Bootstrap as a whole is > 300KB)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dennisreimann dennisreimann dennisreimann left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@NicolasDorier @dennisreimann