XSS in transform filter #3018
Comments
Thank you for the report and the simple reproduction. I am moving this issue to Vega.

Repro without Vega-Lite: Open the Chart in the Vega Editor
Here is a reproduction in Vega proper:

```json
{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "data",
      "values": [{}],
      "transform": [
        {"type": "filter", "expr": "(0//1/)-'\\\n,alert(1))))//'"}
      ]
    }
  ]
}
```
The parser sees a 0 divided by a regexp, while JS treats it as a 0 followed by a comment. Since the resulting parsed expression is passed to eval, we have arbitrary code execution.
The issue also exists in Vega 2.

```json
{
  "data": [
    {
      "name": "data",
      "values": [{}],
      "transform": [
        {"type": "filter", "test": "(0//1/)-'\\\n,alert(1))))//'"}
      ]
    }
  ]
}
```
The error stemmed from the removal of comments from our parser, which opened the door to seeing "division by a regexp" instead. PR #3019 updates the parser to instead throw when a single-line comment
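The root cause described above is a parser differential: the expression parser reads `0//1/` as 0 divided by the regexp literal `/1/`, while the JavaScript engine that later evaluates the generated source reads `//` as the start of a line comment. The following is an added example, not code from this thread or from Vega itself, of the kind of pre-check that refuses to take part in that guess: it scans an expression string and rejects any `//` that sits outside a string literal. All names in it (`findUnquotedLineComment`, `rejectLineComments`, `LineCommentError`, `screen`) are hypothetical, and the inputs are constructed from the payload in the report.

```javascript
// Added example (not Vega's own code): a conservative pre-check for expression
// strings. Any `//` outside a string literal is rejected outright, so the
// expression parser and the JavaScript engine can never disagree about whether
// it is a regexp or a comment. Names are hypothetical, not Vega's API.

class LineCommentError extends Error {}

// Returns the offset of the first `//` outside a string literal, or -1 if the
// expression contains none. Single- and double-quoted strings are skipped,
// honouring backslash escapes, so a backslash-newline line continuation inside
// a string (which the reported payload relies on) cannot end the string early.
function findUnquotedLineComment(expr) {
  let quote = null;                 // quote char of the string we are inside, if any
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (quote !== null) {
      if (ch === '\\') { i++; continue; }   // skip the escaped character
      if (ch === quote) quote = null;       // closing quote
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (ch === '/' && expr[i + 1] === '/') return i;
  }
  return -1;
}

// Throws instead of guessing whether `//` is a comment or a regexp; returns the
// expression unchanged when it contains no unquoted `//`.
function rejectLineComments(expr) {
  const at = findUnquotedLineComment(expr);
  if (at !== -1) {
    throw new LineCommentError(
      `unexpected '//' at offset ${at}: line comments are not allowed in expressions`);
  }
  return expr;
}

// Constructed inputs. PAYLOAD is the filter expression from the report above,
// decoded from its JSON form so that "\\\n" becomes a real backslash + newline,
// exactly as the library would receive it after JSON parsing. BENIGN is an
// ordinary filter that contains both a division and a quoted "//".
const PAYLOAD = JSON.parse(String.raw`"(0//1/)-'\\\n,alert(1))))//'"`);
const BENIGN = 'datum.x / 2 > 0 && datum.label == "a//b"';

// Runs the check over a list of expressions and reports which were rejected.
function screen(exprs) {
  return exprs.map(expr => {
    try {
      rejectLineComments(expr);
      return { expr, ok: true };
    } catch (e) {
      if (e instanceof LineCommentError) return { expr, ok: false, reason: e.message };
      throw e;
    }
  });
}

for (const r of screen([BENIGN, PAYLOAD])) {
  console.log(r.ok ? 'accepted:' : `rejected (${r.reason}):`, JSON.stringify(r.expr));
}
```

The check is deliberately stricter than a full tokenizer: it does not try to recognise regexp literals at all, so an expression such as `test(/[//]/, datum.s)` would also be rejected. That trade-off is the point; the only way the two readers of the expression could disagree is through an unquoted `//`, and refusing it costs nothing for normal filter expressions while removing the ambiguity entirely.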
This was found during the hxp CTF.

Credit: @cgvwzq and his writeup
Paste the below JSON in the Vega Editor.

Working demo.

You will see a '1' alert dialog.

To my understanding, you should not be able to run arbitrary JS using Vega-Lite JSON, should you?

```json
{
  "data": { "values": [{}] },
  "transform": [
    {"filter": "(0//1/)-'\\\n,alert(1))))//'"}
  ],
  "mark": "bar"
}
```