Harden invidio.us

[TNTBOMBOM]

invidio.us needs some security auditing, this is XSS vulnerability reported using XSStrike scanner:

[++] Vulnerable webpage: https://invidio.us/search  
[++] Vector for q: </tiTLe><a%0aONMousEOvER%0d=%0d[8].find(confirm)//v3dm0s )

This is a report of surface scanning invidio.us using zaproxy scanner:

https://anonfile.com/52VaX1W8nd/invidious_html

[leonklingele]

#1023 adopts a good Content Security Policy.
However, strings should still be escaped properly.

[omarroth]

Could you please provide a working link to a PoC? The provided link https://invidio.us/search?q=</tiTLe><a%0aONMousEOvER%0d=%0d[8].find(confirm)//v3dm0s appears to be escaped properly.

[TNTBOMBOM]

can you try this: https://invidio.us/search?q=</tItle><a/+/onmOusEOVER+=+confim()%0dx//v3dm0s using Omar Roth:

…

Could you please provide a working link to a PoC? The provided link [https://invidio.us/search?q=</tiTLe><a%0aONMousEOvER%0d=%0d[8].find(confirm)//v3dm0s](https://invidio.us/search?q=</tiTLe><a%0aONMousEOvER%0d=%0d[8].find(confirm)//v3dm0s) appears to be escaped properly.

[leonklingele]

Just as a reminder: #1023 is ready to be merged which prevents this and all future kinds of XSS.

[omarroth]

Should be resolved with #1023.

In future please provide a working proof of concept (#1065 is a good example). I agree Invidious could use auditing, but output from automated tools by itself is generally not very useful.

[tleydxdy]

having

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

after the commit, video thumbnail won't load, and doing anything else gets stuck

[leonklingele]

@tleydxdy works just fine on my end. Please check if https://invidious.snopyta.org/ (runs on the most recent commit) produces the same issue.
Is this the full error message you see? Does it mention which function it tries to eval?

[fabianski7]

same error

An error occured in the player, reloading... player.js:65:21
GEThttps://invidious.snopyta.org/latest_version?id=n_ouODKei0s&itag=18&local=true
[HTTP/2 302 Found 216ms]

GEThttps://invidious.snopyta.org/videoplayback?expire=1585628860&ei=XHKCXsqcC4ao1gL0vLmoDw&ip=95.216.24.230&id=o-ACX8GTiA5OWMfxbIBTE7ZVudr9c2LYdXPNwVU9uJJtHj&itag=18&source=youtube&requiressl=yes&mh=Wi&mm=31%2C29&mn=sn-5go7ynez%2Csn-5goeen76&ms=au%2Crdu&mv=m&mvi=0&pl=20&gcr=ua&initcwndbps=2016250&vprv=1&mime=video%2Fmp4&gir=yes&clen=74185234&ratebypass=yes&dur=1205.417&lmt=1537400293017761&mt=1585607190&fvip=1&c=WEB&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Cgcr%2Cvprv%2Cmime%2Cgir%2Cclen%2Cratebypass%2Cdur%2Clmt&sig=AJpPlLswRQIhAJtZ1RriDMYheqXL7M8sT49lSY8nEpKHGz534sPYhCZBAiA0FLUKdyLxGNWMX8zILaiyvmsz0GKA6PIORC32yMf78A%3D%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=ALrAebAwRQIgL2QffWgqCQVHQDCpax4YIwEbCKGXPZYwidUZQE9sqxsCIQDotFE7ad3SWR6NoLMgdxTa4JVlXEq8qaG3aVO9n9YfYg%3D%3D&host=r1---sn-5go7ynez.googlevideo.com
[HTTP/2 403 Forbidden 262ms]

VIDEOJS: ERROR: (CODE:4 MEDIA_ERR_SRC_NOT_SUPPORTED) The media could not be loaded, either because the server or network failed or because the format is not supported. 
Object { code: 4, message: "The media could not be loaded, either because the server or network failed or because the format is not supported." }
video.min.js:12:695
    e https://invidious.snopyta.org/js/video.min.js?v=bd7950b:12
    error https://invidious.snopyta.org/js/video.min.js?v=bd7950b:12
    error https://invidious.snopyta.org/js/video.min.js?v=bd7950b:12
    handleTechError_ https://invidious.snopyta.org/js/video.min.js?v=bd7950b:12
    dispatcher https://invidious.snopyta.org/js/video.min.js?v=bd7950b:12
O carregamento HTTP falhou com o status 403. Falha no carregamento da mídia https://invidious.snopyta.org/latest_version?id=n_ouODKei0s&itag=18&local=true.