[CVE-2018-3740] Sanitize HTML injection vulnerability #176

Closed
rgrove opened this Issue Mar 20, 2018 · 9 comments

rgrove commented Mar 20, 2018

This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.

Description

A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.

Affected Versions

Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2

Mitigation

Upgrade to Sanitize 4.6.3 or higher.

History of this vulnerability

  • 2018-03-19: Reported by Shopify Application Security Team via email
  • 2018-03-19: Sanitize 4.6.3 released with a fix
  • 2018-03-19: Initial vulnerability report published
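As an added example (not code from the Sanitize project or from this issue): a Ruby check that flags the affected Sanitize/libxml2 combination stated above, plus a regression scan that reports any attribute in sanitized output that falls outside the attribute allowlist, which is exactly what this bug let through. The allowlist, the two sample outputs and the helper names are constructed for illustration; the version rules come from this post and the later backport comment.

```ruby
# Gem::Version ships with RubyGems, which Ruby loads by default; no gems needed.
require "rubygems"

# Affected range stated in the advisory: Sanitize < 4.6.3 together with libxml2 >= 2.9.2.
# A later comment in the thread notes the fix was backported to the 2.x line as 2.1.1.
SANITIZE_FIXED  = Gem::Version.new("4.6.3")
BACKPORT_FIXED  = Gem::Version.new("2.1.1")
LIBXML_AFFECTED = Gem::Version.new("2.9.2")

# True when this Sanitize/libxml2 combination falls inside the affected range.
def affected?(sanitize_version, libxml_version)
  s = Gem::Version.new(sanitize_version)
  return false if Gem::Version.new(libxml_version) < LIBXML_AFFECTED
  fixed = s >= SANITIZE_FIXED || (s >= BACKPORT_FIXED && s < Gem::Version.new("3.0"))
  !fixed
end

# Regression check on sanitized output: the bug let attributes outside the allowlist
# survive on allowed elements, so re-scan the serialized output and report every
# (element, attribute) pair the allowlist does not permit. This scans Sanitize's own
# serialized output, which is well-formed; it is not a general HTML parser.
START_TAG = %r{<([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*/?>}
ATTR_NAME = %r{([^\s=>/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?}

def unexpected_attributes(html, allowlist)
  findings = []
  html.scan(START_TAG) do |name, attrs|
    element = name.downcase
    allowed = allowlist.fetch(element, [])
    attrs.scan(ATTR_NAME).flatten.each do |attr|
      findings << [element, attr.downcase] unless allowed.include?(attr.downcase)
    end
  end
  findings
end

# Constructed sample data (not from the issue): an allowlist in the shape of
# Sanitize's :attributes config, plus two pieces of already-sanitized output.
ALLOWLIST      = { "a" => %w[href title], "p" => [], "em" => [] }
CLEAN_OUTPUT   = '<p>Hello <a href="https://example.com" title="t">link</a> <em>!</em></p>'
SUSPECT_OUTPUT = '<p>Hello <a href="https://example.com" onclick="handler()">link</a></p>'

if __FILE__ == $PROGRAM_NAME
  puts "affected? 4.6.2 + libxml2 2.9.4 => #{affected?('4.6.2', '2.9.4')}"
  puts "unexpected attributes: #{unexpected_attributes(SUSPECT_OUTPUT, ALLOWLIST).inspect}"
end
```

Running the second check in a test suite against your own allowlist gives an independent signal that the installed Sanitize build is honouring it, whatever libxml2 version happens to be linked.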

@rgrove rgrove closed this in 01629a1 Mar 20, 2018

@rgrove rgrove changed the title Placeholder Sanitize HTML injection vulnerability Mar 20, 2018

@rgrove rgrove added the security label Mar 20, 2018

reedloden commented Mar 20, 2018

@rgrove Is there a CVE for this? If not, I can assign one.

rgrove commented Mar 20, 2018

There isn't. If you could assign one, that'd be great! I tried to figure out how to request one but it was taking me too long, so I figured I'd get the fix out first.

reedloden commented Mar 20, 2018

Sure, CVE-2018-3740.

Since Shopify (the reporter) is a HackerOne customer, I can assign one for you under our CNA scope. :-)

rgrove commented Mar 20, 2018

Much appreciated!

@rgrove rgrove changed the title Sanitize HTML injection vulnerability [CVE-2018-3740] Sanitize HTML injection vulnerability Mar 20, 2018

rgrove commented Mar 20, 2018

It looks like the root cause of this issue is being discussed in this libxml2 bug: https://bugzilla.gnome.org/show_bug.cgi?id=769760

flavorjones commented Mar 20, 2018

@rgrove I've noted this CVE in that upstream bug report.

rgrove commented Mar 20, 2018

Thanks @flavorjones! Also thanks for providing a good example for me to follow in terms of announcing a vuln and getting the word out to the community. First time I've done that, so it was a learning experience. 😬

flavorjones commented Mar 20, 2018

Ha ha! Well, we have a good process for all this at my day job, so "I'm just following procedure."

amatriain added a commit to amatriain/feedbunch that referenced this issue Mar 21, 2018

TrevorBramble added a commit to TrevorBramble/bramblehaven-lita that referenced this issue Mar 21, 2018

h-lame added a commit to alphagov/govspeak that referenced this issue Mar 21, 2018

Bump sanitize gem dependency to 4.6
This fixes CVE-2018-2740 (See: rgrove/sanitize#176)

We also have to fix some tests around table tags, because as of sanitize
3.x it uses a parser more like a browser which means it will strip invalid
HTML and correct it when it's less-broken.  Tables are one of the things
it does this for.

rgrove added a commit to rgrove/gollum-lib that referenced this issue Mar 23, 2018

pravi added a commit to pravi/html-pipeline that referenced this issue Jun 27, 2018

gjtorikian added a commit to jch/html-pipeline that referenced this issue Jun 27, 2018

rgrove commented Sep 30, 2018

FYI if you're still on the Sanitize 2.x line and can't upgrade to 4.x, @dometto was kind enough to backport this fix to the 2.x line in Sanitize 2.1.1.

reedloden added a commit to reedloden/ruby-advisory-db that referenced this issue Oct 18, 2018

reedloden added a commit to reedloden/ruby-advisory-db that referenced this issue Oct 18, 2018
