XSS in markdown rendering #7788
Comments
Please specify exactly what you're doing. |
when, for example, adding a site in
if this wasn't helpful please refer to the video I recorded for the POC |
sorry for giving you a hard time reproducing it. It is :
I forgot a |
Duplicate of #4717 - the recommended solution for python-markdown is to filter the html with bleach. Another solution could be to swap it out for another parser that enforces rules for links. Third option would be to try to patch the regex filter in render_markdown. You don't have to do all that weird stuff he's doing in the payload though, a simple example like this should work:
|
That does not work, at least under a normally configured instance |
Found the hole... So, you need to use a reference style link:
|
You are misunderstanding the one I posted. You need the newline to bypass the regex. I verified on both docker and local versions, also you can see it here on the demo instance. https://demo.netbox.dev/dcim/devices/17/ Again, it's all mentioned in the duplicate issue I linked. The reference style version is new though I guess, but not really the main issue. |
Yes, but if you look at the reference style, that is exactly the style that he is using (he just omitted the actual link and only included the reference). So it looks like both methods do bypass the allowed URL schemes. |
Summary: ALLOWED_URLS_SCHEMES check is bypassed on either of the following conditions:
The question is, do we want to sink time into this. To quote from the previous issue which quotes from the bleach docs:
As NetBox is not an end-user facing application, do we want to worry about this too much? |
A few thoughts:
|
I suggest something such as navigate-to which will prevent opening stuff like |
My understanding is no browser supports that tag. Additionally, as stretch mentioned, there may be instances where javascript: links are desired. |
I've modified and extended the regular expressions to match both examples above (the multi-line link and the reference link). I believe this addresses the concern raised by the bug report. |
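The thread turns on one design point: a regex applied to the markdown *source* cannot see a link whose text spans a newline, and a reference-style link carries no scheme at all where the regex looks (the scheme lives in the reference definition). The following is an added example, not NetBox's code or the fix described in the comment above. It shows both blind spots against a simplified source-level regex (hypothetical, modelled on the idea of the thread, not NetBox's actual expression) and then the alternative the thread mentions: enforce the scheme allowlist on the rendered HTML's `href` attributes, where the link is already resolved regardless of how it was written. `ALLOWED_SCHEMES` stands in for the setting the thread refers to and is an illustrative allowlist; all markdown and HTML inputs are constructed.

```python
"""Added example (not NetBox's code): scheme allowlisting on markdown source
versus on rendered HTML.  All inputs below are constructed."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: an illustrative allowlist standing in for the setting the thread discusses.
ALLOWED_SCHEMES = ("http", "https", "mailto")

# Hypothetical, simplified source-level check in the spirit of the thread's regex filter.
# '.' never matches '\n', so a link whose text spans lines is never inspected, and a
# reference link "[text][ref]" puts its scheme in a separate "[ref]: ..." line.
_INLINE_LINK = re.compile(r"\[.*?\]\((\w+):")


def source_level_scheme_violations(markdown_src):
    """Schemes the naive source regex sees that are outside the allowlist."""
    found = _INLINE_LINK.findall(markdown_src)
    return [s for s in found if s.lower() not in ALLOWED_SCHEMES]


class LinkSchemeFilter(HTMLParser):
    """Re-emit rendered HTML, dropping <a href> values whose scheme is not allowed."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = tuple(s.lower() for s in allowed)
        self.out = []       # re-emitted HTML fragments
        self.dropped = []   # href values that were removed

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if tag == "a" and name.lower() == "href" and value is not None:
                # Browsers ignore ASCII tab/newline inside a URL, so strip them before
                # reading the scheme; urlsplit lower-cases the scheme for us.
                normalised = re.sub(r"[\t\r\n]", "", value).strip()
                scheme = urlsplit(normalised).scheme
                # Scheme-less (relative) links are kept; a disallowed scheme drops the href.
                if scheme and scheme not in self.allowed:
                    self.dropped.append(value)
                    continue
            kept.append((name, value))
        return kept

    @staticmethod
    def _fmt(tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._fmt(tag, self._filter_attrs(tag, attrs), False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._fmt(tag, self._filter_attrs(tag, attrs), True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_rendered_links(rendered_html, allowed=ALLOWED_SCHEMES):
    """Return (cleaned_html, dropped_hrefs) for already-rendered HTML."""
    parser = LinkSchemeFilter(allowed)
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed markdown: the two shapes the thread discusses.
    print(source_level_scheme_violations("[multi\nline](javascript:void(0))"))   # []
    print(source_level_scheme_violations("[ref][1]\n\n[1]: javascript:void(0)"))  # []
    # Constructed rendered output: the filter works on what the browser will receive.
    rendered = '<p><a href="javascript:void(0)">x</a> <a href="https://example.invalid/">ok</a></p>'
    print(sanitize_rendered_links(rendered))
```

Running the source-level check against both constructed inputs reports nothing, which is the bypass the thread describes; the post-render filter removes the disallowed `href` from the same link however the markdown expressed it, while leaving allowed and relative links intact. The remaining design choice, noted in the thread, is whether `javascript:` links are ever wanted; with this approach that is a single allowlist entry rather than a regex change.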
NetBox version
v3.0.9
Python version
3.8
Steps to Reproduce
https://hub.docker.com/r/netboxcommunity/netbox/
Expected Behavior
The payload is dangerous and allows an XSS attack.
Observed Behavior
Executing JavaScript in the admin dashboard.