Default formatter error can cause XSS rendering issue #1762

Closed
ctennis opened this issue May 22, 2018 · 4 comments
ctennis (Contributor) commented May 22, 2018

If you issue a request into an API endpoint with a format specified that is not handled, you get back a 406 error with message 'The requested format 'format' is not supported.'

The name of the specified format is rendered in the error message, which defaults as HTML. You can easily craft a format value that gets passed in and renders as an XSS. An example:

http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Renders as html:

The requested format '<script>alert(document.cookie)</script>' is not supported.

This will cause a JavaScript popup if you visit this page in a browser.

@dblock dblock added the bug? label May 23, 2018
dblock (Member) commented May 23, 2018

Looks legit. Would appreciate at least a spec, maybe a fix, please. We can just drop the actual value I think.

ctennis (Contributor, Author) commented May 23, 2018

Happy to do so, but I'm not sure the best approach for fixing. The use of the format name in the script was done intentionally (#322 I believe). Ideally we'd sanitize the output before displaying it as html, but we don't know it's going to be displayed as html. ActionSupport has a safebuffer that could be used for sanitizing the html text prior to rendering, but we don't want to do that if the text won't be rendered as html.

ctennis (Contributor, Author) commented May 23, 2018

Actually I think I figured out a solution, PR forthcoming.

dblock pushed a commit that referenced this issue May 26, 2018
* When calling into an API specifying a crafted format that is HTML,
the returned error renders the HTML back to the user, causing a potential XSS
issue.  For example:

http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Renders as html:

The requested format '<script>alert(document.cookie)</script>' is not supported.

When an error generates html back to the user, make sure it's properly escaped.

Fixes issue #1762

* Add changelog entry

* Use a method that also works in rails3

* Add spec formatting for older rails/activesupport version
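The concern raised above (escape the format name when the error is served as HTML, but not when it goes out as plain text or JSON, where escaping would corrupt the value) can be illustrated with a small stand-alone Ruby sketch. This is an added example written for this page; it is not Grape's code and not the content of PR #1763, which is not shown here. The `FormatError` module, its method names and the `content_type` switch are assumptions made for the illustration; the escaping call is Ruby's standard `ERB::Util.html_escape`, chosen only because it is available without Rails, not because the project necessarily used it.

```ruby
require 'erb'
require 'json'

# Hypothetical, simplified stand-in for an API error formatter (not Grape's own code).
# Builds the 406 body for an unsupported ?format= value in the negotiated content type.
module FormatError
  MESSAGE = "The requested format '%s' is not supported.".freeze

  # Vulnerable variant: the client-supplied format is interpolated verbatim, so when
  # the body is served as text/html the browser renders (and executes) any markup in it.
  def self.unsafe_body(format, content_type)
    message = MESSAGE % format
    content_type == 'application/json' ? JSON.generate('error' => message) : message
  end

  # Hardened variant: escape only when the body will actually be rendered as HTML.
  # JSON.generate handles its own quoting, and text/plain must not be HTML-escaped,
  # so the value is left as-is on those paths.
  def self.safe_body(format, content_type)
    case content_type
    when 'text/html'
      MESSAGE % ERB::Util.html_escape(format)
    when 'application/json'
      JSON.generate('error' => MESSAGE % format)
    else
      MESSAGE % format
    end
  end

  # Detection helper for a spec: does a body contain an unescaped <script> opening tag?
  def self.contains_raw_script?(body)
    body.match?(/<script\b/i)
  end
end

# Constructed sample input: the URL-decoded ?format= value from the report above.
CRAFTED_FORMAT = '<script>alert(document.cookie)</script>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{FormatError.unsafe_body(CRAFTED_FORMAT, 'text/html')}"
  puts "safe:   #{FormatError.safe_body(CRAFTED_FORMAT, 'text/html')}"
  puts "plain:  #{FormatError.safe_body('xml', 'text/plain')}"
end
```

A spec built on `contains_raw_script?` catches a regression in the HTML path while still asserting that the plain-text and JSON bodies carry the format name unchanged, which is the behaviour the discussion above wanted to preserve.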
dblock (Member) commented Jun 6, 2018

Closed via #1763.

@dblock dblock closed this as completed Jun 6, 2018