Skip to content
This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

Potential stored xss issue? #1106

Closed
apitts opened this issue Dec 16, 2015 · 14 comments
Closed

Potential stored xss issue? #1106

apitts opened this issue Dec 16, 2015 · 14 comments
Assignees
@lirantal
Labels
feedback:question issue:bug need:pr_required
Milestone
0.5.0

Comments

@apitts
Copy link

apitts commented Dec 16, 2015

Here:

mean/modules/core/server/views/layout.server.view.html

Line 48 in 3a4c51a

var user = {{ user | json | safe }};

I am thinking about stored xss in the user object (e.g. signup with a script as a user name).

Let me know if I've missed where this would be filtered out elsewhere please.
@mg1075
Copy link

mg1075 commented Dec 16, 2015

I am curious as to why that was left that in there because it looks like code testing rather than production code.

Also worth noting that all these properties of the user object will be exposed by angular if the user pries:

"_id":"5661d490ae5c35b85ce9f639",
"displayName":"john smith",
"provider":"local",
"username":"john.smith",
"__v":0,
"created":"2015-12-04T17:59:44.450Z",
"roles": ["user"],
"profileImageURL":"modules/users/client/img/profile/default.png",
"email":"john.smith@notgivingmyemail-because.org",
"lastName":"smith",
"firstName":"john"

Earlier I raised this issue in gitter, and @mleanos replied:

@mg1075 Ok. I must have been thinking about something else that isn't present in Production. > Someone here know's, I'm sure. You can open an issue, if you haven't already, to get to the > bottom of it.
I don't see much of a security rish with this though. Nobody else, but the logged in user can see > this data. It's their own data right? I think there could be an argument to remove the roles & > provider fields (maybe _id too)

@apitts
Copy link
Author

apitts commented Dec 16, 2015

Thanks @mg1075. I am not up to speed on v0.4 I'm afraid but I know in previous versions the embedded user object was referenced directly client-side.

To the extent that people are using mean.js to build very simple apps then I don't think it is a serious security issue....but the moment you create a view that exposes another users' username (i.e. pretty much any social or platform-type app) I believe there is a potential issue.

@apitts
Copy link
Author

apitts commented Dec 16, 2015

I think perhaps here:
https://github.com/meanjs/mean/blob/master/modules/users/client/services/authentication.client.service.js#L7

Which is then referenced in the header at a minimum.

@mg1075
Copy link

mg1075 commented Dec 16, 2015

Yep...

image

@apitts
Copy link
Author

apitts commented Dec 16, 2015

Correction: views with other usernames will of course be sanitized by angular...so, yeah, probably not a major security issue.

@lirantal
Copy link
Member

I don't see a problem with these fields. It shows your username or e-mail to you, so what?
On the stored XSS that's another story - were you actually able to introduce this kind of vulnerability?

@apitts
Copy link
Author

apitts commented Dec 16, 2015

@lirantal I have sent you an email on the XSS topic.

@lirantal
Copy link
Member

thanks, so where should this be fixed?

  1. on the backend to sanitize certain strings? usernames are usually more "open" in the sense of allowing all kinds of utf8 chars
  2. on the frontend to always sanitize strings before outputing?

so (2) is an obvious fix no matter what and we can already provide a PR for. I believe Angular has it's own built in filters for that.

as for (1) that's a more open question, usually data is saved on the db "as is"

@lirantal lirantal self-assigned this Dec 16, 2015
@apitts
Copy link
Author

apitts commented Dec 16, 2015

I believe if we can do 2 that should be enough. Issue is I believe we have escaped swig's sanitization. I for one am not certain how you would apply angular sanitization to a swig object...no doubt it's possible though.

@simison
Copy link
Member

simison commented Dec 16, 2015

I feel like it should be stated clearly at this point — if someone manages to produce an actual XSS vulnerability — how should they disclose that information? Openly here or via emails directly to @lirantal?

@apitts that swig object is visible only to authenticate user him/herself. For others everything is visible only via Angular, which has its own escaping methods as mentioned.

@ilanbiala
Copy link
Member

@simison email to everyone on the team is best.

@lirantal
Copy link
Member

e-mails are best for now, yes.

@apitts
Copy link
Author

apitts commented Dec 16, 2015

@simison Yes - I agree. That is what I was trying to get at with my correction above but you have stated it more clearly. I can envision a situation where some other user-generated content is stored across users...though that would be pretty rare.

@lirantal
Copy link
Member

Hi @apitts

Getting back to this - I did see that the script tags are breaking the HTML and messing it up but I don't see any popups, though I bet it's easier to still attack it via XSS with a proper query.

Were there any specific areas in the view that you noticed suffering from the XSS?

@lirantal lirantal mentioned this issue Dec 27, 2015
Merged
@lirantal lirantal added this to the 0.5.0 milestone Dec 27, 2015
lirantal added a commit to lirantal/meanjs that referenced this issue Dec 30, 2015
@lirantal
fix(security): fixing possible xss issue in parsed objects
2b0ae86 
Fixes meanjs#1106
@mleanos mleanos mentioned this issue Jan 18, 2016
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@lirantal lirantal

Labels
feedback:question issue:bug need:pr_required
Projects
None yet
Milestone
0.5.0
Development

No branches or pull requests
5 participants
@simison @lirantal @mg1075 @ilanbiala @apitts