xss vulnerability in data URI #135

Closed
goromlagche opened this issue Jun 8, 2022 · 2 comments

Comments

goromlagche commented Jun 8, 2022

Currently in the scrub_attribute method, there is a divergence between the code present in loofah
https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/scrub.rb#L38-L61

vs. how it is handled in the PermitScrubber class
https://github.com/rails/rails-html-sanitizer/blob/master/lib/rails/html/scrubbers.rb#L142-L154

The section around safe data URIs is missing.

Because of this, a base64 encoded XSS script can be injected. I have attached a test for the same.

```ruby
  def test_sanitize_data_protocol
    text = '- XSS"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">- XSS"><iframe src="data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg=="></iframe></iframe>'

    scope_allowed_tags %w(iframe) do
      scope_allowed_attributes %w(src) do
        assert_equal %(- XSS\"&gt;<iframe>- XSS\"&gt;<iframe></iframe></iframe>), safe_list_sanitize(text)
      end
    end
  end
```

The test fails with

```
  1) Failure:
SanitizersTest#test_sanitize_data_protocol [/home/goromlagche/work/rails-html-sanitizer/test/sanitizer_test.rb:523]:
--- expected
+++ actual
@@ -1 +1 @@
-"- XSS\"&gt;<iframe>- XSS\"&gt;<iframe></iframe></iframe>"
+"- XSS\"&gt;<iframe src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=\">- XSS\"&gt;<iframe src=\"data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg==\"></iframe></iframe>"
```

Unable to scrub the base64-encoded script.

I am not well accustomed to this project or loofah, but I tried updating the corresponding code to be in sync with loofah, and that seems to solve the XSS problem. The change is in PR #134.

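As an added illustration (not code from rails-html-sanitizer or loofah), this is the kind of check the report above describes as missing from PermitScrubber: classify a URI attribute by its scheme and, for `data:` URIs, keep the value only when its media type is on an allowlist, so that the `data:text/html` and `data:application/vnd.wap.xhtml+xml` payloads from the test are dropped while a `data:image/png` value survives. The allowlists `ALLOWED_PROTOCOLS` and `ALLOWED_DATA_MEDIATYPES` and the helper names are assumptions made for this example; the sample values reuse the two `data:` URIs from the reporter's test.

```ruby
# Added example (not rails-html-sanitizer's or loofah's own code): a URI attribute
# check that judges data: URIs by their media type instead of passing them through.
# Both allowlists below are assumptions chosen for this illustration.

ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze
ALLOWED_DATA_MEDIATYPES = %w[image/gif image/jpeg image/png text/plain].freeze

# Browsers drop ASCII control characters and spaces while parsing a URL, so the
# classification below looks at the value with those characters removed.
def normalize_uri(value)
  value.to_s.gsub(/[\x00-\x20]/, "")
end

# Scheme of the value in lowercase ("data", "javascript", ...), or nil when the
# value has no scheme and is therefore a relative URL.
def uri_scheme(value)
  m = normalize_uri(value).match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Media type of a data: URI, i.e. the part between "data:" and the first ";" or ",".
# RFC 2397 says an omitted media type means text/plain.
def data_mediatype(value)
  body = normalize_uri(value).sub(/\Adata:/i, "")
  type = body.split(/[;,]/, 2).first.to_s.downcase
  type.empty? ? "text/plain" : type
end

# true when the attribute value may stay; false when it must be dropped.
def safe_uri_attribute?(value)
  scheme = uri_scheme(value)
  return true if scheme.nil?                                                 # relative URL
  return ALLOWED_DATA_MEDIATYPES.include?(data_mediatype(value)) if scheme == "data"
  ALLOWED_PROTOCOLS.include?(scheme)
end

# Remove every URI-bearing attribute whose value fails the check above;
# non-URI attributes are left untouched.
def scrub_uri_attributes(attrs, uri_attributes: %w[src href])
  attrs.reject { |name, value| uri_attributes.include?(name) && !safe_uri_attribute?(value) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the two data: URIs from the test case in this issue plus a benign image.
  samples = [
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=",
    "data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg==",
    "data:image/png;base64,iVBORw0KGgo=",
  ]
  samples.each { |s| puts "#{safe_uri_attribute?(s) ? 'keep' : 'drop'}  #{s[0, 40]}" }
end
```

The scheme and media-type comparison is done on a copy with control characters stripped because that is how a browser reads the value; the attribute itself is either kept verbatim or removed, never rewritten, which keeps the scrubber's output predictable.
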
@flavorjones (Member)

Thank you for responsibly reporting this issue.

In the future, though, please report vulnerabilities for Rails following the program description here: https://rubyonrails.org/security. I'll make sure the rails-html-sanitizer README states this more explicitly.

@flavorjones (Member)

Addressed in v1.4.4. I've credited you with the discovery of this vulnerability in GHSA-mcvf-2q2m-x72m
