fix: prevent html injection in cockpit by andremedeiros · Pull Request #1381 · embarklabs/embark

andremedeiros · 2019-02-27T21:07:55Z

No description provided.

jrainville · 2019-02-27T21:12:58Z

packages/embark/src/lib/modules/console/index.ts

+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/\"/g, "&quot;")
+            .replace(/\'/g, "&#39;");


There are npm packages that do that, but if we prefer our version of it, it's better to put it in a utils, because you use it at least twice.

jrainville · 2019-02-27T21:13:27Z

packages/embark/src/lib/modules/process_logs_api/index.js

      (ws, _req) => {
        this.events.on('process-log-' + this.processName, function (log) {
+          log.msg = self.escapeMessage(log.msg);
+          log.msg_clear = self.escapeMessage(log.msg_clear);


Instead of introducing self , just replace function (log) { with (log) => {

emizzle

Awesome work! I would like to see a description for the PR, but I understand that the title does a lot of justice. Something like "prevent API responses from XSS attacks" would be helpful.

emizzle · 2019-02-27T22:44:39Z

packages/embark/src/lib/modules/console/index.ts

        let response = result;
        if (typeof result !== "string") {
          response = stringify(result, utils.jsonFunctionReplacer, 2);
+          this.logger.info(response);


Does stringify handle escaping HTML that could be produced from stringifying an object?

It does not, but I'm pretty sure that this is the JSON printer, which we still want to be parsed as HTML.

The alternative is introducing plaintext / JSON response types that the cockpit could respond to, but that's a whole other bag of worms.

Right, so when we stringify in this case, we return it in the response at the end. So I think maybe we should still escape it, no? For example,

if (typeof result !== "string") { response = stringify(result, utils.jsonFunctionReplacer, 2); this.logger.info(response); } else { // Avoid HTML injection in the Cockpit this.logger.info(response); } response = escapeHtml(response); return res.send({ result: response });

Isn't the JSON tree explorer rendered in the backend? Or is it the frontend that renders it?

I think that's a frontend thing, but could be wrong.

emizzle · 2019-02-27T22:46:01Z

packages/embark/src/lib/utils/escapeHtml.js

+  if(typeof message !== "string") return message;
+
+  return message
+    .replace(/&/g, "&amp;")


Is there a library that would handle this for us and possibly handle additional use cases that we haven't thought of?

Probably tons of them, but this is a simple enough fix that I think we can handle it ourselves without introducing yet another dependency.

emizzle · 2019-03-01T02:03:06Z

Could we also apply this to packages/embark-ui/src/components/Console.js line 94 and line 100 to prevent console command usage containing < and > from injecting elements in to the cockpit?

andremedeiros · 2019-03-04T12:49:07Z

This might not be necessary, in favour of #1385. @emizzle WDYT?

emizzle · 2019-03-05T02:01:00Z

Yep, looks good!

andremedeiros force-pushed the fix/html-injection-in-cockpit branch from 96b6e4e to 5301c9b Compare February 27, 2019 21:11

jrainville reviewed Feb 27, 2019

View reviewed changes

fix: prevent HTML injection in the cockpit

e2b3a11

andremedeiros force-pushed the fix/html-injection-in-cockpit branch from 5301c9b to e2b3a11 Compare February 27, 2019 21:23

emizzle reviewed Feb 27, 2019

View reviewed changes

jrainville approved these changes Feb 28, 2019

View reviewed changes

michaelsbradleyjr approved these changes Mar 1, 2019

View reviewed changes

andremedeiros changed the title ~~prevent html injection in cockpit~~ fix: prevent html injection in cockpit Mar 4, 2019

emizzle approved these changes Mar 5, 2019

View reviewed changes

andremedeiros merged commit 78201ce into master Mar 5, 2019

andremedeiros deleted the fix/html-injection-in-cockpit branch March 5, 2019 19:15

Conversation

andremedeiros commented Feb 27, 2019

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

emizzle left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

emizzle Feb 27, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

emizzle commented Mar 1, 2019

Uh oh!

andremedeiros commented Mar 4, 2019

Uh oh!

emizzle commented Mar 5, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

emizzle left a comment •

edited

Loading

emizzle Feb 27, 2019 •

edited

Loading