Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[security] XSS vulnerability in markdown preview #7954

Closed
caseyflynn-google opened this issue Jun 3, 2020 · 16 comments
Closed

[security] XSS vulnerability in markdown preview #7954

caseyflynn-google opened this issue Jun 3, 2020 · 16 comments
Assignees
Labels
security issues related to security

Comments

@caseyflynn-google
Copy link
Contributor

caseyflynn-google commented Jun 3, 2020

Bug Description: XSS vulnerability in markdown preview

The Markdown Preview can exploited to execute arbitrary code.

Steps to Reproduce:

  1. Create markdown file and append the following text: <style onload="alert(0)">
  2. Save and close the file.
  3. Right click the file and select Open With -> Preview
  4. Observe the alert has fired.

The root cause of the vulnerability is the current usage of markdown-it to render html then subsequently adding the output to the DOM via innerHtml without sanitizing. Moreover, there are several potential xss sinks within the Theia code base that could potentially be exploited in a similar fashion (e.g. innerHtml, dangerouslySetInnerHtml). Would the community be open to accepting contributions to mitigate these vulnerabilities, and accompanying lint rules that would bar future usages of xss sinks?

Additional Information

  • Operating System: Linux
  • Theia Version: 1.2.0
@caseyflynn-google caseyflynn-google added the security issues related to security label Jun 3, 2020
@akosyakov
Copy link
Member

Would the community be open to accepting contributions to mitigate these vulnerabilities, and accompanying lint rules that would bar future usages of xss sinks?

I would be fine with it. @marcdumais-work @eclipse-theia/ecd-theia-committers any concerns?

@akosyakov
Copy link
Member

I think the ideal solution would be to run any remote HTML content as webviews: #6562 And let them do whatever they want.

@spoenemann
Copy link
Contributor

Here's another piece of code where this problem is relevant:

dangerouslySetInnerHTML={{ __html: readme }} />}

@thegecko
Copy link
Member

thegecko commented Jun 4, 2020

Would the community be open to accepting contributions to mitigate these vulnerabilities

I don't see any drawbacks, this would be great!

@jbicker jbicker self-assigned this Jun 5, 2020
@jbicker
Copy link
Contributor

jbicker commented Jun 5, 2020

Here's another piece of code where this problem is relevant:

dangerouslySetInnerHTML={{ __html: readme }} />}

This should be already solved here:
https://github.com/eclipse-theia/theia/blob/master/packages/vsx-registry/src/browser/vsx-extensions-model.ts#L208

jbicker added a commit that referenced this issue Jun 5, 2020
Fixes #7954

Signed-off-by: Jan Bicker <jan.bicker@typefox.io>
@jbicker
Copy link
Contributor

jbicker commented Jun 5, 2020

@caseyflynn-google I created a PR where I sanitize the md. However this does not contain any solutions regarding lint rules. Another PR for that is still welcome.

jbicker added a commit that referenced this issue Jun 8, 2020
Fixes #7954

Signed-off-by: Jan Bicker <jan.bicker@typefox.io>
@jbicker jbicker closed this as completed in 309b218 Jun 8, 2020
@akosyakov akosyakov reopened this Jun 8, 2020
@akosyakov
Copy link
Member

@caseyflynn-google Is anything else has to be done?

@caseyflynn-google
Copy link
Contributor Author

caseyflynn-google commented Jun 9, 2020

Sorry for the delayed response, this looks great! I am digging into a few options for flagging usage of xss sinks via eslint rules. https://github.com/mozilla/eslint-plugin-no-unsanitized looks promising, but I will need to reach out to the owner to ensure they are willing to accept a contribution to enable running the rule over typescript: mozilla/eslint-plugin-no-unsanitized#111 (comment) It looks like the code is licensed under MPL-2.0 would that be a problem?

@akosyakov
Copy link
Member

It looks like the code is licensed under MPL-2.0 would that be a problem?

@marcdumais-work ? fyi we will use it only as a dev dependency.

@marcdumais-work
Copy link
Contributor

marcdumais-work commented Jun 10, 2020

@marcdumais-work ? fyi we will use it only as a dev dependency.

MPL-1.1/MPL-2.0 (Mozilla Public License) is fine even as runtime dependency, being part of the Eclipse Foundation approved license list

@JLLeitschuh
Copy link

Has this had a CVE assigned to it?

@AdamGold
Copy link

AdamGold commented Feb 16, 2021

Hey, Adam from Snyk here. Would you like us to issue a CVE for this?

@waynebeaton
Copy link

The Eclipse Foundation is a CNA can assign a CVE at the project team's request. Specifically, the request needs to be initiated by a committer.

We need the project team to provide some information; this is described in the handbook.

@marcdumais-work
Copy link
Contributor

marcdumais-work commented Feb 24, 2021

Hi,

Sorry for the delay. Here it is:


Description: In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.
Categorization: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Versions: 0 to 1.2
This vulnerability has been patched in Eclipse Theia v1.3.0

(PR: #7971)

@waynebeaton
Copy link

Thanks, @marcdumais-work.

I've assigned CVE-2020-27224. I've pushed the report and it has been merged, it should go live shortly.

@marcdumais-work
Copy link
Contributor

Thanks Wayne. I think we can close this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security issues related to security
Projects
None yet
Development

No branches or pull requests

9 participants