XSS using data-url when doing SSR #2530

Closed
valterkraemer opened this issue Sep 30, 2021 · 4 comments · Fixed by #2534
Labels: bug (Something isn't working), security
Milestone: 1.0

Comments

valterkraemer commented Sep 30, 2021

Describe the bug

It is possible to inject a script tag in data-url in the svelte-data script tag.

E.g. if we have the search term in the query params https://www.google.com/search?q=Svelte we can create a malicious term that injects a script tag during SSR.

Happens on Firefox, Brave and Chrome, but Safari seems to protect against my POC; however, it should be possible to circumvent it in other scenarios.

Reproduction

Minimal example

term.js

```js
// Attacker-controlled "search term" that is passed to fetch() and reflected
// into the data-url attribute of the svelte-data script tag during SSR.
export const term = '/asdf?search="></script><script>alert(1)</script><script type="application/json';
```

index.svelte

```svelte
<script context="module">
  import { term } from './term';

  // The load function fetches the term; SvelteKit records the fetch result
  // in a <script type="application/json" data-url="..."> tag in the SSR output.
  export async function load({ fetch }) {
    const res = await fetch(term);

    return {
      props: {
        results: await res.json()
      }
    };
  }
</script>
```

<h1>Supersearch</h1>

Deployed POC using query params

POC Deployed: https://debug-app.vkrae.workers.dev/?search=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cscript%20type=%22application/json

POC Code: valterkraemer/debug-app@1cc04c8

Logs

No response

System Info

System:
  OS: macOS 11.6
  CPU: (8) arm64 Apple M1
  Memory: 144.72 MB / 8.00 GB
  Shell: 5.8 - /bin/zsh
Binaries:
  Node: 14.17.6 - ~/.nvm/versions/node/v14.17.6/bin/node
  npm: 6.14.15 - ~/.nvm/versions/node/v14.17.6/bin/npm
Browsers:
  Brave Browser: 93.1.29.79
  Chrome: 94.0.4606.61
  Firefox: 92.0.1
  Safari: 14.1.2
npmPackages:
  @sveltejs/adapter-cloudflare-workers: ^1.0.0-next.21 => 1.0.0-next.23 
  @sveltejs/kit: next => 1.0.0-next.178 
  svelte: ^3.42.6 => 3.43.1

Severity

serious, but I can work around it

Additional Information

No response

Conduitry (Member) commented

This is a good catch, thanks!

The data-url attribute rendered at

```js
let attributes = `type="application/json" data-type="svelte-data" data-url="${url}"`;
```

should presumably be HTML-entity-escaped.

Conduitry added the bug and security labels on Sep 30, 2021
Conduitry added this to the 1.0 milestone on Sep 30, 2021
Conduitry (Member) commented

While we're at it, we should probably also take a look at where the JSON inside the attribute is escaped:

```js
json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape(body)}}`
```

There appear to be some steps taken to make this more safe than just JSON.stringify()ing the whole thing, but it's always good to check again.
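The two comments above point at two different contexts in the same rendered tag: the `data-url` attribute value, which needs HTML-entity escaping, and the JSON text between `<script>` and `</script>`, where the HTML tokenizer ignores JSON string boundaries and ends the element at the first `</script` it sees. The following is an added example, not SvelteKit's own code, showing one escaper for each context, a renderer that applies both to the tag shape quoted in the thread, and a check that counts closing `</script` sequences so the payload from the report can be shown to stay inert. The function names (`escapeAttribute`, `escapeJsonForScript`, `renderDataScript`, `closingScriptTagCount`) are this example's own; the sample fetch response is constructed.

```javascript
// Added example, not SvelteKit's own code: escapers for the two places the
// thread points at (the data-url attribute value and the JSON body of the
// <script type="application/json"> tag). Function names are this example's own.

// HTML-entity-escape a string for use inside a double-quoted attribute value.
// "&" is replaced first so the other replacements are not double-escaped.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Make serialized JSON safe as the text content of a <script> element. The HTML
// tokenizer is in the script-data state there: it does not know about JSON
// string boundaries and ends the element at the first "</script" it meets, so
// that sequence (and "<!--", which moves the tokenizer into its escaped state)
// is rewritten using escapes that JSON.parse still accepts. U+2028 and U+2029
// are escaped as well, since older JavaScript engines treat them as line
// terminators inside string literals.
function escapeJsonForScript(json) {
  return json
    .replace(/<\/(script)/gi, '<\\/$1')
    .replace(/<!--/g, '<\\u0021--')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the data tag in the shape the thread quotes, with both escapers applied.
function renderDataScript(url, payload) {
  const attributes =
    `type="application/json" data-type="svelte-data" data-url="${escapeAttribute(url)}"`;
  const json = escapeJsonForScript(JSON.stringify(payload));
  return `<script ${attributes}>${json}</script>`;
}

// Count "</script" sequences in rendered markup. A correctly escaped data tag
// contains exactly one (the closing tag the renderer wrote itself); a second
// one means untrusted data ended the element early, which is the reported bug.
function closingScriptTagCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed demo: the payload from the report used both as the URL and as
// part of the fetched body.
const term = '/asdf?search="></script><script>alert(1)</script><script type="application/json';
const demo = renderDataScript(term, {
  status: 200,
  statusText: 'OK',
  headers: { 'content-type': 'application/json' },
  body: '</script><script>alert(1)</script>'
});
console.log(demo);
console.log('closing tags:', closingScriptTagCount(demo)); // 1
```

Attribute escaping alone would not have been enough: the body of the fetched response is also attacker-influenced, and `JSON.stringify` leaves `/` and `<` untouched, so the `</script` rewrite is what keeps the JSON body from closing the element.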

Conduitry (Member) commented

Thank you for the report! This should be fixed in 1.0.0-next.179.

valterkraemer (Author) commented

Great! That was quick! ☺️
