Merged
Fix http server XSS #1714
+48
−10
Conversation
Low risk xss. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context.

The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain.

This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own):

1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)
2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.
lgtm
lgtm
0.107.6
feross added a commit to webtorrent/webtorrent-desktop that referenced this pull request on Sep 4, 2019:
To address minor xss vulnerability in http server. See: webtorrent/webtorrent#1714
feross commented Aug 27, 2019 (edited)
Low risk xss. If the torrent contains a specially crafted title or file name, and a user running WebTorrent in Node.js starts the HTTP server via torrent.createServer(), and then the user visits the HTTP server's index page (which lists the files in the torrent), then the attacker can run JavaScript in this browser context.

This seems relatively low risk since the WebTorrent HTTP server only allows fetching data pieces from the torrent. So an attack that interacts with the HTTP server cannot control the torrent client or execute any code. They can only fetch data pieces from the torrent. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external server.
This PR mitigates the issue in two ways (either of which could have prevented this XSS on its own):

1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)
2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.