Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xss vulnerability in data URI #135

Closed
goromlagche opened this issue Jun 8, 2022 · 2 comments
Closed

xss vulnerability in data URI #135

goromlagche opened this issue Jun 8, 2022 · 2 comments

Comments

@goromlagche
Copy link

goromlagche commented Jun 8, 2022
edited

Currently in the scrub_attribute method, there is divergence between the code present in loofah
https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/scrub.rb#L38-L61

vs how it is handle in the PermitScrubber class
https://github.com/rails/rails-html-sanitizer/blob/master/lib/rails/html/scrubbers.rb#L142-L154

The section around safe data uri is missing

Because of this, a base64 encoded XSS script can be injected. I have attached a test for the same.

  def test_sanitize_data_protocol
    text = '- XSS><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">- XSS><iframe src="data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg=="></iframe></iframe>'

    scope_allowed_tags %w(iframe) do
      scope_allowed_attributes %w(src) do
        assert_equal %(- XSS\"&gt;<iframe>- XSS\"&gt;<iframe></iframe></iframe>), safe_list_sanitize(text)
      end
    end
  end

The test fails with

  1) Failure:
SanitizersTest#test_sanitize_data_protocol [/home/goromlagche/work/rails-html-sanitizer/test/sanitizer_test.rb:523]:
--- expected
+++ actual
@@ -1 +1 @@
-"- XSS\"&gt;<iframe>- XSS\"&gt;<iframe></iframe></iframe>"
+"- XSS\"&gt;<iframe src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=\">- XSS\"&gt;<iframe src=\"data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg==\"></iframe></iframe>"

Unable to scrub the base64 encoded script.

I am not well accustomed to this project or loofah, but I tried updating the corresponding code to be in sync with loofah, and that seems to solve the xss problem. Change is in PR #134
@goromlagche goromlagche mentioned this issue Jun 8, 2022
Closed
@flavorjones
Copy link
Member

Thank you for responsibly reporting this issue.

In the future, though, please report vulnerabilities for Rails following the program description here: https://rubyonrails.org/security. I'll make sure the rails-html-sanitizer README states this more explicitly.

@flavorjones flavorjones mentioned this issue Jun 9, 2022
Draft
@flavorjones
Copy link
Member

Addressed in v1.4.4. I've credited you with the discovery of this vulnerability in GHSA-mcvf-2q2m-x72m

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@flavorjones @goromlagche