Security Vulnerability

[EgidioRomano]

Hi!

On December 23, 2020 I've tried to reach out to you in order to report details about a security vulnerability in Docsify.js, but I still haven't received any response to my email. Is there an appropriate channel where I should report the security issue?

[anikethsaha]

Can you mail Snyk first regarding the vulnerability. And we will take action once there is a confirmation from them.
Also, feel free to DM us in discord if it helps.
Thanks.

[EgidioRomano]

Hi @anikethsaha,

I can still reproduce the vulnerability with docsify version 4.12.0. By using more than two forward slashes (i.e. ///) is still possible to load an external URL and its HTML content is not correctly sanitized, both in the sidebar and main page:

[sy-records]

@EgidioRomano Can you use this for testing?

<link rel="stylesheet" href="//cdn.jsdelivr.net/gh/sy-records/docsify-nightly/lib/themes/vue.css" />

<script src="//cdn.jsdelivr.net/gh/sy-records/docsify-nightly/lib/docsify.min.js"></script>

or use https://docsify-preview.now.sh/ testing

[EgidioRomano]

Hi @sy-records,

My Proof of Concept doesn't work on https://docsify-preview.now.sh.
Is it running a different version than the one at https://docsify.js.org ?

[sy-records]

Yes, docsify-preview.now.sh is the develop branch preview, docsify.js.org is the master branch.
You can use my nightly version https://github.com/sy-records/docsify-nightly

[snoopysecurity]

If the fix is with the dev branch, is it possible to push it to master and publish a new release @sy-records?

[sy-records]

If the fix is with the dev branch, is it possible to push it to master and publish a new release @sy-records?

cc @docsifyjs/reviewers

[Koooooo-7]

@sy-records I think we can release a patch on this recently, maybe next week.
I will review some new PRs at this weekend.

[jhildenbiddle]

@sy-records Yes, we should push a patch release to address the security issue ASAP.

[snoopysecurity]

Any update on this? thanks

[sy-records]

#1524

[volosied]

This vulnerability seems to still exist. I'm able to reproduced it against 4.13.

I cannot produce it against https://docsify-preview.vercel.app/#/ (which just gives a 404 - Not found instead).

So I think it's fixed in development? Can a new release be done? Thanks.

[sy-records]

@volosied I think it should have been released, can you send me the reproduction script?

[volosied]

@sy-records

This issue was discovered by another individual. He provided the following page to test with. See here:

• https://docsify.js.org/#/\\pontushanssen.github.io/poc/xss.html (vulnerable)
• https://docsify-preview.vercel.app/#/\\pontushanssen.github.io/poc/xss.html (404)

[sy-records]

yeah, I know, fixed via #2093

[henningn]

@sy-records thanks for your work! When can we expect a new release?

[Koooooo-7]

Hi @henningn , I think we gonna have a patch of this asap.

Hi @sy-records , could u plz raise the new release based on the last release commit as a hotfix instead of current dev branch? since we have marked changes need more clarify... if u are not free for this recently, u could ask me to do so as well.

[sy-records]

see #2101