Low-risk XSS. If the torrent contains a specially crafted title or file name, and a user running WebTorrent in Node.js starts the HTTP server via torrent.createServer(), and then the user visits the HTTP server's index page (which lists the files in the torrent), then the attacker can run JavaScript in this browser context.

This seems relatively low risk since the WebTorrent HTTP server only allows fetching data pieces from the torrent. So an attack that interacts with the HTTP server cannot control the torrent client or execute any code. They can only fetch data pieces from the torrent. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external server.
This PR mitigates the issue in two ways (either of which could have prevented this XSS on its own):

1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)
2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.
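The two layers described above, as an added illustration that is not WebTorrent's own code: an HTML escaper applied to every piece of torrent metadata that lands in the index page, plus a deny-everything Content-Security-Policy set on the response. The `torrent` shape (`name`, `files[].path`), the `/<index>/<path>` link layout and the sample metadata are assumptions constructed for the example.

```javascript
// Added example, not code from the WebTorrent project. Shows the two
// mitigations from the PR: escape metadata before it reaches HTML, and
// send a CSP that denies every capability even if something slipped through.

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Strictest practical CSP: no scripts, styles, connections, plugins,
// frames, form submissions or base-URL changes. default-src 'none'
// already covers the fetch directives; the rest are spelled out for clarity.
const STRICT_CSP = [
  "default-src 'none'", "script-src 'none'", "style-src 'none'",
  "connect-src 'none'", "object-src 'none'", "frame-src 'none'",
  "form-action 'none'", "base-uri 'none'",
].join('; ');

// Build the index page. `torrent` is an assumed stand-in shape
// { name, files: [{ path }] }, not the real torrent object.
function renderIndex(torrent) {
  const items = torrent.files.map((f, i) => {
    // URL-encode each path segment separately so directory separators survive.
    const href = '/' + i + '/' + f.path.split('/').map(encodeURIComponent).join('/');
    return `<li><a href="${href}">${escapeHtml(f.path)}</a></li>`;
  });
  return '<!DOCTYPE html><html><head><meta charset="utf-8">' +
    `<title>${escapeHtml(torrent.name)}</title></head>` +
    `<body><h1>${escapeHtml(torrent.name)}</h1><ul>${items.join('')}</ul></body></html>`;
}

// Attach the CSP and content type to any object with setHeader()/end()
// (a Node http.ServerResponse in practice) and return the body that was sent.
function serveIndex(torrent, res) {
  const html = renderIndex(torrent);
  res.setHeader('Content-Security-Policy', STRICT_CSP);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(html);
  return html;
}

// Constructed sample metadata: a hostile title and a hostile file name.
const sampleTorrent = {
  name: 'My <b>album</b>',
  files: [{ path: 'disc1/track1.mp3' }, { path: '<img src=x onerror=alert(1)>.mp3' }],
};

module.exports = { escapeHtml, STRICT_CSP, renderIndex, serveIndex, sampleTorrent };
```

Wiring `serveIndex` into an `http.createServer` request handler is all that remains; the page then renders the hostile names as inert text, and the CSP would still block execution if a future template forgot to escape.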