Identity Server Security Bug: Unsafe jQuery plugins #24

Open
6 of 36 tasks
alexhiggins732 opened this issue Feb 16, 2024 · 0 comments · Fixed by #34
Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file)

Comments

@alexhiggins732 (Owner)

Identity Server Security Bug: Unsafe jQuery plugin

The original Identity Server 4 code base has several security bugs, detected by CodeQL scanning, that violate this rule.

Description:

Library plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.

Examples

Tool: CodeQL
Rule ID: js/redos
Source: /host/Quickstart/Account/AccountController.cs#L95-L9

	this.$target = $(this.options.target)

Issues

Recommendation

Document all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.

Keep packages up to date with the latest distribution to patch previously discovered vulnerabilities.

Review identified issues and guard against unsafe input for each issue.

Example

The following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option sourceSelector as a CSS selector.

jQuery.fn.copyText = function(options) {
	// BAD: jQuery(string) parses the string as HTML when it starts with `<`,
	// so `options.sourceSelector` may be evaluated as HTML instead of a selector
	var source = jQuery(options.sourceSelector),
	    text = source.text();
	jQuery(this).text(text);
};

This is, however, not a safe plugin, since the call to jQuery interprets sourceSelector as HTML if it is a string that starts with <.

Instead of documenting that the client is responsible for sanitizing sourceSelector, the plugin can use jQuery.find to always interpret sourceSelector as a CSS selector:

jQuery.fn.copyText = function(options) {
	// GOOD: jQuery.find (Sizzle) only accepts CSS selectors and never parses HTML.
	// It returns a plain array of elements, so wrap it in jQuery() before calling .text()
	var source = jQuery(jQuery.find(options.sourceSelector)),
	    text = source.text();
	jQuery(this).text(text);
};
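As an added example (not code from this issue, from Identity Server, or from CodeQL's documentation), the following Node-runnable snippet models the test that jQuery 3.x applies to a string argument of `jQuery(...)` to decide whether it is HTML rather than a CSS selector, and uses that test as an input guard for plugin options. It serves both the Recommendation above ("guard against unsafe input for each issue") and the `copyText` example: a plugin option such as `sourceSelector` or `options.target` is validated before it reaches jQuery, and the lookup itself goes through `.find()`, which only understands selectors. The names `rquickExpr`, `isHtmlString`, `selectorOption` and `installPlugin` are chosen here; the plugin body assumes a browser with jQuery loaded, while the two guard functions run anywhere.

```javascript
// Added example: guard for jQuery plugin options that must be CSS selectors.
// Assumption: this mirrors the decision jQuery 3.x makes inside jQuery(selector)
// (a "<...>" fast path, then the rquickExpr regular expression).
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// True when jQuery(value) would parse `value` as HTML instead of a selector.
function isHtmlString(value) {
  if (typeof value !== 'string') return false;
  // Fast path: a string of at least three characters that starts with '<' and ends with '>'
  if (value[0] === '<' && value[value.length - 1] === '>' && value.length >= 3) return true;
  // Regex path: also accepts leading whitespace and trailing text without '>'
  const m = rquickExpr.exec(value);
  return !!(m && m[1]);
}

// Validate a plugin option before it is handed to jQuery. Rejects non-strings
// and anything jQuery would treat as HTML; returns the selector unchanged.
function selectorOption(value, optionName) {
  if (typeof value !== 'string') {
    throw new TypeError(optionName + ' must be a string CSS selector');
  }
  if (isHtmlString(value)) {
    throw new Error(optionName + ' must be a CSS selector, not HTML');
  }
  return value;
}

// Hardened plugin (hypothetical): the option is guarded, and the lookup uses
// .find(), which never parses HTML. `$` is a jQuery instance; in a browser you
// would call installPlugin(jQuery) once and then $('#dest').copyText({...}).
function installPlugin($) {
  $.fn.copyText = function (options) {
    const selector = selectorOption(options.sourceSelector, 'sourceSelector');
    const text = $(document).find(selector).text();
    return this.text(text);
  };
  return $;
}
```

The guard is deliberately a whitelist-by-shape rather than an HTML sanitizer: a selector option has no legitimate reason to start with `<`, so refusing such values outright is simpler and safer than trying to clean them. Applying `selectorOption` to `this.options.target` in the flagged Quickstart code would close the same class of issue for that plugin.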

References

@alexhiggins732 alexhiggins732 added bug Something isn't working dependencies Pull requests that update a dependency file labels Feb 16, 2024
@alexhiggins732 alexhiggins732 self-assigned this Feb 16, 2024
@alexhiggins732 alexhiggins732 linked a pull request Feb 17, 2024 that will close this issue