XSS in Blazegraph workbench

[lucaswerkmeister]

TL;DR: apply #145

The Blazegraph workbench, the default web UI of Blazegraph, doesn’t HTML-escape results. If you run a query like

SELECT("<script>alert('😱')</script>"AS?x){}

then the embedded JavaScript will run:

This means that an attacker who can to some extent control the content of a Blazegraph database (for example, by editing some upstream data storage that Blazegraph is automatically synchronized with) may be able to gain full control over an administrator’s workbench if they can guess what queries the administrator is likely to run, or manipulate the administrator into running a certain query that will display the attacker’s malicious result.

For example, the attacker could set the label of a Wikidata item to something like <script>fetch('/bigdata/namespace/wdq', { method: 'DELETE' })</script>, then complain about a supposed data corruption issue on this item and hope the administrator will run some query like DESCRIBE wd:[item ID] in the workbench, bypassing whatever proxy usually protects Blazegraph against such requests.

I reported this issue via email in accordance with the security policy months ago, but did not receive any response (as detailed in BLZG-9163). To give other Blazegraph users a chance of protecting themselves against the issue, I am now reporting it publicly, along with the fix we implemented for it at Wikimedia, which may be found in #145.