Rewrite tooltip in Streams table code #22196

Closed
timroes opened this issue Feb 1, 2023 · 0 comments · Fixed by #22647
Labels: area/frontend (Related to the Airbyte webapp), team/platform-move

timroes (Collaborator) commented Feb 1, 2023

Currently #21253 introduced an XSS vulnerability that allows injecting bad code into the streams table in

    return <div dangerouslySetInnerHTML={{ __html: text }} />;

Because we read the content of any Text node and set its innerHTML via dangerouslySetInnerHTML to the tooltip after decodeURIComponent, you can inject code into the DOM if, e.g., a field is named %3Cimg onerror='alert("should not happen")' src="reallynotgood" /%3E, which will execute JS once a user hovers over the field.

We luckily don't have the new table design rolled out to any user yet, thus this is not critical enough to need to be reverted, but this should still be fixed asap.

The correct implementation here would be to simply clone the original text node and attach it to the tooltip.
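The two rendering paths described in the issue, as an added example that is not Airbyte's code: a dependency-free JavaScript model (no React or DOM needed) using the field name from the comment as a constructed input. `renderTooltipUnsafe` builds the markup that `dangerouslySetInnerHTML={{ __html: text }}` would hand to `innerHTML`; `renderTooltipSafe` applies the escaping React applies to a string child, which is the same effect you get from attaching a cloned text node. The helper names, the `tooltipContainsMarkup` check and the `decodeFieldName` fallback for malformed percent-encoding are assumptions for this example, not project code.

```javascript
// Added example, not Airbyte's code: a dependency-free model of how the decoded
// field name reaches the tooltip on the vulnerable path versus a text-only path.

// Constructed input: the field name from the issue, percent-encoded as it would
// arrive before decoding.
const FIELD_NAME =
  "%3Cimg onerror='alert(\"should not happen\")' src=\"reallynotgood\" /%3E";

// Decode the stored name. decodeURIComponent throws URIError on a malformed
// sequence (a field literally named "100%"), so fall back to the raw string
// rather than crashing the table (assumption: that is the behaviour wanted).
function decodeFieldName(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    if (e instanceof URIError) return raw;
    throw e;
  }
}

// Vulnerable path: dangerouslySetInnerHTML={{ __html: text }} passes the string
// to innerHTML unchanged, so every tag and event handler in it becomes live DOM
// and the onerror handler fires as soon as the tooltip is shown.
function renderTooltipUnsafe(raw) {
  const text = decodeFieldName(raw);
  return `<div>${text}</div>`;
}

// What React does with a string child ({text}), and what a cloned text node or
// textContent does in the DOM: markup characters become entities, never elements.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe path: same decoded text, rendered as text rather than as markup.
function renderTooltipSafe(raw) {
  const text = decodeFieldName(raw);
  return `<div>${escapeHtml(text)}</div>`;
}

// Crude review check on the serialised output (not a sanitizer): does anything
// inside the wrapping <div> still open a tag?
function tooltipContainsMarkup(html) {
  const inner = html.slice("<div>".length, -"</div>".length);
  return /<[A-Za-z!/]/.test(inner);
}

// Stand-alone run: show both renderings for the issue's payload.
for (const [label, fn] of [["unsafe", renderTooltipUnsafe], ["safe", renderTooltipSafe]]) {
  const html = fn(FIELD_NAME);
  console.log(`${label}: ${html} (contains markup: ${tooltipContainsMarkup(html)})`);
}
```

In the real component the equivalent of the safe path is to render the decoded string as a plain child (`<div>{text}</div>`) or, as the comment proposes, to `cloneNode(true)` the original text node and append it to the tooltip; either way the value never passes through `innerHTML`. The `decodeFieldName` fallback is worth keeping regardless of the fix, since a stray `%` in a field name would otherwise throw during render.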
