[Security issue] Remote script can read user local resource #187
UPDATED at 2018-06-14
We have recognized a way to bypass the patch for this vulnerability in v0.0.12. The latest release (v0.0.13~) has fixed this.
This issue is a special case to deal with an important security issue in the current version. It affects Marp
Will this vulnerability affect my markdown?
Mostly we can say "No". This exploit would only take effect when you open malicious Markdown with Marp, so there is no problem with most general Markdown.
But you should pay attention when opening Markdown that has an untrusted inline script or embedded frame (
My markdown has an inline script. Will it work on v0.0.11?
Yes. Your script would usually work even if you open it on v0.0.11.
In each case, you can avoid this by uploading your resource to the web.
How about sanitizing the inline script tag?
Marp v0.0.11 can still execute inline script because we have recognized the case of power users like #29. CommonMark defines the spec about inline
However, sanitizing inline script should be considered in the future.
We have updated release page to add links to JVN. (68cbdce)
@luigigubello Thanks for your mention. We re-examined this vulnerability, and we have recognized that there is still a remaining way to access the content of local resources in v0.0.12.
In a few days, we are going to release Marp v0.0.13 (and remove v0.0.11 and v0.0.12 from the release logs) to prevent the vulnerability that we have recognized. We welcome reports of details if it is still vulnerable.
Do you have any reproducible markdown? We have already tried a few exploits to get local resources, but every case is obstructed correctly in v0.0.13. If there is still a way to get the content of a local resource, it means we have not sanitized CVE-2017-2239 completely.
If the vulnerability you know of refers simply to "can execute scripts", it is the expected design in the current Marp, and not a vulnerability.
In either case, the current Marp has already been out of maintenance for a long time. We will remove a reported vulnerability if we recognize that it has a potential risk like CVE-2017-2239 or Node API access beyond the browser context. Otherwise, please don't expect too much.
At first glance, an HTML whitelist looks like a good solution, but the current Marp (pre-release version) would not employ this in order to keep compatibility. We might break effective slides powered by d3.js (see #29), Chart.js, embedded videos (YouTube, Vimeo..., and
On the other hand, we are currently working on @marp-team for the next generation of Marp. We are planning for Marp to become a web-based app, including online, so we have to keep it secure.
The idea of a whitelist is going to be fed back to @marp-team/marp-core. Using HTML in the next-gen Marp will be restricted, but power users can use a customized Marp core or the Marpit framework if necessary.
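The two points raised in this thread, "pay attention when opening Markdown with an untrusted inline script or embedded frame" and the HTML whitelist idea above, can be illustrated with an allow-list filter. The following is an added example written for this page; it is not Marp's or marp-core's code, and the tag list, attribute list, function names and sample inputs are all assumptions. It shows a minimal allow-list sanitizer over rendered slide HTML (script, iframe, object and embed removed with their bodies, event-handler attributes dropped, only http(s)/mailto/relative URLs kept) and a pre-open check that reports which disallowed tags an untrusted .md file carries.

```javascript
'use strict';

// Tags allowed to survive in rendered slide HTML (assumed list, not Marp's).
const ALLOWED_TAGS = new Set([
  'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'br', 'b', 'strong', 'i', 'em',
  'code', 'pre', 'ul', 'ol', 'li', 'blockquote', 'a', 'img', 'span', 'div',
  'table', 'thead', 'tbody', 'tr', 'th', 'td',
]);
// Attributes allowed per tag; every on* handler, style, srcdoc... is dropped
// simply by not being listed here.
const ALLOWED_ATTRS = {
  '*': new Set(['class', 'id', 'title']),
  a: new Set(['href']),
  img: new Set(['src', 'alt', 'width', 'height']),
};
// Tags removed together with everything up to their closing tag.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const URL_ATTRS = new Set(['href', 'src']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode the numeric and named entities commonly used to hide a URL scheme.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&colon;/gi, ':');
}

// Accept http(s), mailto and relative URLs only. Browsers ignore control
// characters inside a scheme, so they are stripped before the check. file:,
// javascript:, data: and scheme-relative (//host) URLs are rejected; in a
// desktop viewer they would resolve against the file: origin.
function isSafeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (m) return ['http', 'https', 'mailto'].includes(m[1]);
  return !url.startsWith('//');
}

// Keep only allowed attributes for the tag, and only safe values for URL ones.
function filterAttrs(tag, attrText) {
  const perTag = ALLOWED_ATTRS[tag] || new Set();
  const kept = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = [m[2], m[3], m[4]].find((v) => v !== undefined) || '';
    if (!perTag.has(name) && !ALLOWED_ATTRS['*'].has(name)) continue;
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Allow-list filter over rendered HTML: unknown tags are removed (their text
// is kept), DROP_WITH_CONTENT tags are removed with their body, and surviving
// tags are re-emitted with filtered attributes.
function sanitizeHtml(html) {
  let out = '';
  let pos = 0;
  const re = new RegExp(TAG_RE.source, 'g');
  let m;
  while ((m = re.exec(html)) !== null) {
    out += html.slice(pos, m.index);
    pos = re.lastIndex;
    const isClose = m[0][1] === '/';
    const tag = m[1].toLowerCase();
    if (DROP_WITH_CONTENT.has(tag) && !isClose) {
      const close = new RegExp(`</${tag}\\s*>`, 'ig');
      close.lastIndex = pos;
      pos = close.exec(html) ? close.lastIndex : html.length;
      re.lastIndex = pos;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;
    out += isClose ? `</${tag}>` : `<${tag}${filterAttrs(tag, m[2])}>`;
  }
  return out + html.slice(pos);
}

// Pre-open check for an untrusted .md file: which disallowed tags does it
// carry? Backtick and tilde fenced code is skipped because CommonMark renders
// it as text, not as raw HTML.
const FENCE_RE = new RegExp('(' + '`'.repeat(3) + '|~~~)[\\s\\S]*?\\1', 'g');
function findDisallowedTags(markdown) {
  const found = new Set();
  for (const m of markdown.replace(FENCE_RE, '').matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (m[0][1] !== '/' && !ALLOWED_TAGS.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Constructed sample of rendered slide HTML (not from any real deck).
const SAMPLE_HTML = [
  '<h1>Slide</h1>',
  '<script>document.title = "changed"</script>',
  '<iframe src="file:///tmp/example.txt"></iframe>',
  '<p><a href="javascript:void(0)" onclick="doSomething()">click</a></p>',
  '<p><img src="./assets/logo.png" onerror="doSomething()" alt="logo"></p>',
].join('\n');

// Constructed sample of an untrusted .md file; the embed inside the fence is text.
const SAMPLE_MD = [
  '# Slide',
  '<script>document.title = "changed"</script>',
  '<iframe src="file:///tmp/example.txt"></iframe>',
  '<a href="https://example.com">fine</a>',
  '~~~html',
  '<embed src="x.swf">',
  '~~~',
].join('\n');

console.log(sanitizeHtml(SAMPLE_HTML));
console.log('disallowed tags:', findDisallowedTags(SAMPLE_MD));
```

The regex tokenizer is deliberately small so the allow-list logic stays visible; for a real viewer a maintained sanitizer such as DOMPurify is the better choice, and the check in findDisallowedTags is only a triage aid for deciding whether a deck from an unknown source deserves a closer look before it is opened.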
Create two .md files:
I know that you do not update Marp, but it may be useful to warn of this problem.