[CVE-2021-20066] : JSDom improperly allows the loading of local resources #3124

Closed
guimard opened this issue Feb 22, 2021 · 4 comments

Comments

@guimard

guimard commented Feb 22, 2021

Basic info:

  • Node.js version: 15.x
  • jsdom version: 16.4.0

Minimal reproduction case

From https://fr.tenable.com/security/research/tra-2021-05 (CVE-2021-20066):

Synopsis

JSDom improperly allows the loading of local resources. Modern browser best practices dictate that the loading of local resources should be disallowed by default.

From documentation, JSDom does not, by default, load any subresources. Users must enable the loading of resources/subresources. For example, when creating a new JSDOM object, the resources item can be set to "usable" to allow the loading of external resources:

const dom = new JSDOM(source, {url: "http://localhost:8080/", resources: "usable"});

The issue here is that this setting also enables the loading of local resources. For example, the following code snippet verifies that JSDOM is attempting to access a local resource by using a non-existent file to throw an error:

const jsdom = require("jsdom");
const { JSDOM } = jsdom;
// An iframe pointing at a file: URL that does not exist, so any attempt to load it surfaces as an ENOENT error.
const source = '<iframe src="file:///does_not_exist" />';
// resources: "usable" opts in to subresource loading; the document itself is http://localhost:8080/, yet the file: iframe is still fetched.
const dom = new JSDOM(source, { url: "http://localhost:8080/", resources: "usable" });
console.log(dom.window.document.body.parentElement.outerHTML);

Output when running the above:

$ node -v; npm -v; npm list | grep jsdom;
 v15.8.0
 7.5.1
 pocs@ /Users/user/research/browser/jsdom/pocs
 └── jsdom@16.4.0
 ~/r/b/j/pocs ❯❯❯ node local_resources.js
 <html><head></head><body><iframe src="file:///does_not_exist"></iframe></body></html>
 Error: Could not load iframe: "file:///does_not_exist"
 at onErrorWrapped (/Users/user/research/browser/jsdom/pocs/node_modules/jsdom/lib/jsdom/browser/resources/per-document-resource-loader.js:38:19)
 at Object.check (/Users/user/research/browser/jsdom/pocs/node_modules/jsdom/lib/jsdom/browser/resources/resource-queue.js:72:23)
 at /Users/user/research/browser/jsdom/pocs/node_modules/jsdom/lib/jsdom/browser/resources/resource-queue.js:124:14
 at processTicksAndRejections (node:internal/process/task_queues:94:5)
 [Error: ENOENT: no such file or directory, open '/does_not_exist'] { errno: -2, code: 'ENOENT', syscall: 'open', path: '/does_not_exist' }
@domenic
Member

domenic commented Feb 22, 2021

As discussed previously over email, this is equivalent to removing the brakes on your car (by explicitly opting in to loading all resources) and then complaining when the brake pedal does nothing. This is not a security issue, and the jsdom docs are very clear on the consequences of allowing resource loading.

This CVE is officially "disputed" and we hope that the folks filing this will withdraw it.

@algj

algj commented Dec 22, 2021

Is there a way to disable loading local files, but still allowing external web files?

@domenic
Member

domenic commented Dec 22, 2021

It is disabled by default.

@rugk

rugk commented Jul 7, 2022

GitHub now shows this old CVE has been patched in v16.5.0. In the changelog here I see nothing about this and I also don't know why it comes up now hmm…
