[Security] bad url bypass, could lead to XSS #332

Closed
trichimtrich opened this issue May 13, 2019 · 6 comments · Fixed by #334

Comments

trichimtrich commented May 13, 2019

Hi, check out this reported issue #227

I'm able to bypass the bad URL check, implemented here
https://github.com/jonschlinkert/remarkable/blob/master/lib/parser_inline.js#L146

```js
var Remarkable = require('remarkable');
var md = new Remarkable();

// The href begins with U+000E (shift out), a non-printable control character,
// placed directly in front of the "javascript:" scheme.
console.log(md.render(`# Remarkable rulezz!
[click me](\x0ejavascript:alert(1))
`));
```

It will generate output like this

```html
<h1>Remarkable rulezz!</h1>
<p><a href="javascript:alert(1)">click me</a></p>
```

Which could pop up an alert when a user clicks on it.

Fix: maybe we can strip unprintable characters around the URL scheme?
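The control-character bypass reported above, and the kind of check the reporter suggests, as an added JavaScript example that is not remarkable's own code. It goes a little beyond the report: it also covers tab/newline characters inside the scheme and shows an allowlist alternative; `naiveValidateLink`, `validateLink`, `isAllowedLink`, `normalizeHref` and the sample hrefs are assumed names and constructed values.

```javascript
// Added example, not remarkable's own code: a link validator that normalises
// an href the way the WHATWG URL parser does before it looks at the scheme,
// so a control byte in front of "javascript:" is no longer invisible to it.
const BAD_PROTOCOLS = ['javascript', 'vbscript', 'data', 'file'];
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/;

// Models the bypassed behaviour: String.prototype.trim() removes only
// whitespace, and U+000E is not whitespace, so no scheme is recognised
// and the link is allowed through.
function naiveValidateLink(url) {
  const m = SCHEME_RE.exec(url.trim().toLowerCase());
  return !(m && BAD_PROTOCOLS.includes(m[1]));
}

// Browsers strip leading/trailing C0 controls and spaces (U+0000-U+0020)
// and remove ASCII tab, LF and CR anywhere in the input before parsing.
// Applying the same steps makes the validator judge the string the
// browser will actually navigate to.
function normalizeHref(url) {
  return url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
}

// Blocklist check over the normalised href.
function validateLink(url) {
  const m = SCHEME_RE.exec(normalizeHref(url));
  return !(m && BAD_PROTOCOLS.includes(m[1]));
}

// Stricter alternative: accept only known-safe schemes and relative URLs.
const SAFE_PROTOCOLS = ['http', 'https', 'mailto'];
function isAllowedLink(url) {
  const m = SCHEME_RE.exec(normalizeHref(url));
  return m === null || SAFE_PROTOCOLS.includes(m[1]);
}

// Constructed sample hrefs; the first is the payload from the report.
const SAMPLES = {
  bypass: '\x0ejavascript:alert(1)',
  tabbed: 'java\tscript:alert(1)',
  dataUrl: 'data:text/html,<script>alert(1)</script>',
  plain: 'https://example.com/page',
  relative: 'docs/readme.md',
};
for (const [name, href] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', naiveValidateLink(href), 'hardened:', validateLink(href));
}
```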

jonschlinkert (Owner) commented May 13, 2019

Thanks for the issue. Would you want to do a pull request?

reintroducing commented May 29, 2019

This triggered a GitHub security vulnerability notification in one of my repos today. Any chance that this can get fixed and republished?

rikoe commented Jul 16, 2019

Is there any update on this high severity vulnerability? It would be great if this could be fixed ASAP.

sundowndev commented

Still not fixed. But why does this snippet not produce the expected issue?

Tried using @trichimtrich's code and #227. None of them work on Firefox.

```markdown
# Remarkable rulezz!

[click me](\x0ejavascript:alert(1))

[xss](data:text/html,<script>alert(1)</script>)
```

rikoe commented Jul 17, 2019

The xss one works for me in Safari but not in Chrome. There is likely something in Chrome preventing such an attack?

The first one doesn't work for me on the demo page, because it is turned into the URL https://jonschlinkert.github.io/x0ejavascript:alert(1) which then returns a 404 (not sure why). I am therefore not sure if it can be proved through the demo page...

rikoe commented Jul 17, 2019

@sundowndev there are two CVEs open currently:

Both these issues were raised based on calling md.render from JavaScript, so that should be the way to test it I think.

I think I was able to replicate both these issues by using:

```markdown
# Remarkable rulezz!
[xss](data:text/html,<script>alert(1)</script>)
<a>z</a><!--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa--->
```

The comment line makes the demo page hang if I turn the "html" flag on.
