
Security issue - XSS through Octotree #299

Closed
bvolpato opened this issue Jun 13, 2016 · 6 comments

Comments

@bvolpato

Hi!

There's a security flaw that compromises user data when using Octotree + GitHub.

The failure happens when you define a branch name that contains script - e.g. <script>alert('xss')</script>, define it as the default branch of the repo and navigate to a URL that doesn't contain the tree combobox (Issues, Pull Requests, Wiki, Stargazers, etc).

This repo has a harmless example: https://github.com/brunocvcunha/-script-alert-xaxa-script-/wiki

Best Regards,
Bruno Candido Volpato da Cunha
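Added example to illustrate the bug class in the report above; this is not Octotree's code and the function names and the `<span class="branch">` template are assumptions. It shows the branch name being interpolated into HTML as markup (the vulnerable pattern), the same label built with the name escaped as text (the fix), and a regression check a maintainer could keep in a test suite. The sample branch names are constructed, using the harmless payload from the report.

```javascript
// Added example, not Octotree's code. Models the report: a branch name is
// interpolated into HTML as markup, so a name containing a <script> tag
// becomes live script once the fragment reaches the DOM. Function names and
// the <span class="branch"> template are assumptions for illustration.

// Constructed sample inputs: the harmless branch name from the report and an
// ordinary one.
const HOSTILE_BRANCH = "<script>alert('xss')</script>";
const NORMAL_BRANCH = "feature/login";

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change meaning inside HTML text or
// attribute values. Each character is replaced independently in one pass,
// so an already-present "&" cannot be double-processed.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the branch name is trusted as markup. Anything the
// repository owner can put in a branch name ends up in the page's DOM.
function renderBranchLabelUnsafe(branchName) {
  return `<span class="branch">${branchName}</span>`;
}

// Hardened pattern: the branch name is treated as text. In a real extension
// the equivalent is element.textContent = branchName rather than building
// innerHTML from concatenated strings.
function renderBranchLabelSafe(branchName) {
  return `<span class="branch">${escapeHtml(branchName)}</span>`;
}

// Regression check: rendering a hostile name must not produce any tag other
// than the template's own span. Returns true when only template tags appear.
function rendersOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => t === '<span class="branch">' || t === "</span>");
}

console.log(renderBranchLabelUnsafe(HOSTILE_BRANCH));
console.log(renderBranchLabelSafe(HOSTILE_BRANCH));
console.log(rendersOnlyTemplateTags(renderBranchLabelUnsafe(HOSTILE_BRANCH))); // false
console.log(rendersOnlyTemplateTags(renderBranchLabelSafe(HOSTILE_BRANCH)));   // true
```

The check deliberately looks at the rendered fragment rather than the input: a branch name is a value the attacker controls, so the property worth asserting is that no input can add tags to the output. Browser-side filters such as the XSS protection mentioned later in this thread may hide the popup in one browser and not another, which is why the fix belongs in the rendering code.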

@bvolpato
Author

@buunguyen

@buunguyen
Collaborator

Which browser is this? I accessed the linked repo on Chrome, didn't see the popup.

@bvolpato
Author

bvolpato commented Jun 13, 2016

Chrome 51.0.2704.84 (64-bit) on Mac OS X El Capitan.

[screenshot of the DOM]

Maybe some XSS protection kicked in? If you look at the pasted printscreen with the DOM, the whole <script> tag is there.

@buunguyen
Collaborator

Thanks, xss protection indeed. Already fixed and released, should be in stores soon.

@bvolpato
Author

Nice! Thank you!

@joedf

joedf commented Jun 14, 2016

Nice find 👍
