Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Vulnerability #1477

Closed

Comments

@EgidioRomano
Copy link

Hi!

On December 23, 2020 I've tried to reach out to you in order to report details about a security vulnerability in Docsify.js, but I still haven't received any response to my email. Is there an appropriate channel where I should report the security issue?

@anikethsaha
Copy link
Member

Can you mail Snyk first regarding the vulnerability. And we will take action once there is a confirmation from them.
Also, feel free to DM us in discord if it helps.
Thanks.

jhildenbiddle added a commit that referenced this issue Feb 5, 2021
sy-records added a commit that referenced this issue Feb 5, 2021
* Prevent loading remote content via URL hash

Fixes #1477. Fixes #1126.

* Restore ability to execute remote content scripts

Co-authored-by: 沈唁 <52o@qq52o.cn>
Co-authored-by: Koy <koy@ko8e24.top>
jhildenbiddle added a commit that referenced this issue Feb 14, 2021
Koooooo-7 pushed a commit that referenced this issue Feb 18, 2021
@EgidioRomano
Copy link
Author

Hi @anikethsaha,

I can still reproduce the vulnerability with docsify version 4.12.0. By using more than two forward slashes (i.e. ///) is still possible to load an external URL and its HTML content is not correctly sanitized, both in the sidebar and main page:

Schermata da 2021-02-22 15-13-20

@sy-records
Copy link
Member

sy-records commented Feb 23, 2021

@EgidioRomano Can you use this for testing?

<link rel="stylesheet" href="//cdn.jsdelivr.net/gh/sy-records/docsify-nightly/lib/themes/vue.css" />

<script src="//cdn.jsdelivr.net/gh/sy-records/docsify-nightly/lib/docsify.min.js"></script>

or use https://docsify-preview.now.sh/ testing

@EgidioRomano
Copy link
Author

Hi @sy-records,

My Proof of Concept doesn't work on https://docsify-preview.now.sh.
Is it running a different version than the one at https://docsify.js.org ?

@sy-records
Copy link
Member

Yes, docsify-preview.now.sh is the develop branch preview, docsify.js.org is the master branch.
You can use my nightly version https://github.com/sy-records/docsify-nightly

@snoopysecurity
Copy link

If the fix is with the dev branch, is it possible to push it to master and publish a new release @sy-records?

@sy-records
Copy link
Member

If the fix is with the dev branch, is it possible to push it to master and publish a new release @sy-records?

cc @docsifyjs/reviewers

@Koooooo-7
Copy link
Member

@sy-records I think we can release a patch on this recently, maybe next week.
I will review some new PRs at this weekend.

@jhildenbiddle
Copy link
Member

@sy-records Yes, we should push a patch release to address the security issue ASAP.

@snoopysecurity
Copy link

Any update on this? thanks

@sy-records
Copy link
Member

#1524

@volosied
Copy link

volosied commented Jun 15, 2023

This vulnerability seems to still exist. I'm able to reproduced it against 4.13.

I cannot produce it against https://docsify-preview.vercel.app/#/ (which just gives a 404 - Not found instead).

So I think it's fixed in development? Can a new release be done? Thanks.

@sy-records
Copy link
Member

@volosied I think it should have been released, can you send me the reproduction script?

@volosied
Copy link

@sy-records

This issue was discovered by another individual. He provided the following page to test with. See here:

@sy-records
Copy link
Member

yeah, I know, fixed via #2093

@henningn
Copy link

@sy-records thanks for your work! When can we expect a new release?

@Koooooo-7
Copy link
Member

Hi @henningn , I think we gonna have a patch of this asap.

Hi @sy-records , could u plz raise the new release based on the last release commit as a hotfix instead of current dev branch? since we have marked changes need more clarify... if u are not free for this recently, u could ask me to do so as well.

@sy-records
Copy link
Member

see #2101

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment