Unsafe input #110
Comments
@Leonya Are you sure that this is the correct way to report this?
@ChALkeR https://github.com/OWASP/java-html-sanitizer/blob/master/docs/attack_review_ground_rules.md — apparently it is. I have contacted @mikesamuel by email since labelling of issues is not available to non-members.
Sigh. I am just not happy that this in fact makes the vulnerability that I privately reported public prior to the fix. I am considering this disclosed, btw.
@Leonya, the suggested reporting procedure is clearly broken here (as you have already noticed in regard to the label not being present), but imo that doesn't mean that this should be immediately disclosed publicly. The procedure got broken in 7ea6673#diff-7924fb07e3115de3a49d641ecc235f90L30 — apparently, this project was hosted elsewhere, which respected the «Private» label previously.
I'll try these tests against the following policy this evening. Thanks for the report!
Sanitizers.FORMATTING.and(Sanitizers.IMAGES).and(Sanitizers.LINKS)
- Jim
…On 4/11/17 8:23 AM, Сковорода Никита Андреевич wrote:
As this is disclosed, I will provide some more info (all of this isn't a secret as this is already public and there are at least 21 people that received emails about this).
I privately reported an issue today against JetBrains Upsource (which is not a secret right now, as it could be deduced from @Leonya <https://github.com/Leonya> public profile), with the following testcases:
<a href='//example.com"></a><script>Set.constructor`alert\x28document.domain\x29```</script>
<img src='/"><iframe>
<a href='/" xxx=''>xxx' onmouseover="alert('xss')" style="position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white"></a>
According to @Leonya <https://github.com/Leonya>, Upsource is using `java-html-sanitizer`, and they think that this is an issue in `java-html-sanitizer`.
I personally have not reproduced this with pure `java-html-sanitizer` yet. I am not familiar with it or its configuration, so I did not try hard though.
--
Jim Manico
Manicode Security
https://www.manicode.com
@Leonya, I wasn't able to reproduce this with pure
I'm really sorry for the false alarm. This is not a bug in
@jmanico, well, there is one actual issue in
Note: when providing the actual details above, I was acting under the assumption that this is in fact an issue in If I had known that this is not an issue in It is too late to remove that now, though.
I think @Leonya already sorted out the curiosity which prompted this. I double checked. Running

```java
import static org.junit.Assert.assertEquals;

import org.owasp.html.Sanitizers;

// The reporter's third testcase, as a Java string literal.
String input = "<a href='/\" xxx=''>xxx' onmouseover=\"alert('oops')\" style=\"position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white\"></a>";
// "TODO" is a deliberate placeholder so the failing assertion prints the real output.
assertEquals(
    "TODO",
    Sanitizers.FORMATTING.and(Sanitizers.IMAGES).and(Sanitizers.LINKS)
        .sanitize(input));
```

I get the output `<a href="/" xxx='" rel="nofollow">xxx' onmouseover="alert('oops')" style="position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white"></a>` which seems to have the payload in the I loaded that same fragment in a browser via
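An added example, not code from this thread or from java-html-sanitizer: it feeds the three inputs quoted above through Python's stdlib HTML tokenizer (an approximation of a browser's) to separate what is still live after parsing from what merely contains the string `onmouseover=`, and contrasts that with the substring check that produces false alarms of the kind this thread turned out to be. The fragments are constructed copies of the reported inputs; `analyse()` is the step to run over the sanitizer's actual output when judging a bypass claim.

```python
from html.parser import HTMLParser

# Constructed copies of the three inputs quoted in the thread.
CASES = {
    "script": "<a href='//example.com\"></a><script>"
              "Set.constructor`alert\\x28document.domain\\x29```</script>",
    "iframe": "<img src='/\"><iframe>",
    "handler": "<a href='/\" xxx=''>xxx' onmouseover=\"alert('xss')\" "
               "style=\"position:fixed;left:0;right:0;top:0;bottom:0;"
               "z-index:100;background:white\"></a>",
}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class ActiveContentFinder(HTMLParser):
    """Records what is live after tokenizing (script-capable elements and
    on* handler attributes), each tag's parsed attributes, and plain text."""
    def __init__(self):
        super().__init__()
        self.active, self.tags, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
        if tag in ACTIVE_TAGS:
            self.active.append(f"element:{tag}")
        for name, _value in attrs:
            if name.startswith("on"):
                self.active.append(f"handler:{tag}@{name}")

    def handle_data(self, data):
        self.text.append(data)

def analyse(fragment):
    """Tokenize roughly as a browser would and separate what is active
    from what merely looks dangerous but landed in text."""
    p = ActiveContentFinder()
    p.feed(fragment)
    p.close()
    return {"active": p.active, "tags": p.tags, "text": "".join(p.text)}

def naive_flags(fragment):
    """Substring test a hurried reviewer might apply: it cannot tell an
    attribute from text, which is how a false alarm like this one starts."""
    low = fragment.lower()
    return [m for m in ("<script", "<iframe", "onmouseover=") if m in low]

if __name__ == "__main__":
    for name, frag in CASES.items():
        print(name, "parsed:", analyse(frag)["active"],
              "substring:", naive_flags(frag))
```

For the third case the first `'` after `href=` opens a quoted value that only closes at `xxx=`, so the tokenizer sees `href="/\" xxx="` and the whole `onmouseover=...` run becomes text, which is why the substring check and the parse disagree.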
Github does not support private issues which makes responsible disclosure tough. Discussed in issue #110.
I updated instructions with something that's not too terrible while we hash out details. now says: "Reporting Vulnerabilities. Please report successful attacks with example input via OWASP's bugcrowd queue."
With sanitizer configured as follows
Sanitizers.FORMATTING.and(Sanitizers.IMAGES).and(Sanitizers.LINKS)
the following input is not sanitized correctly and it pops up an alert:
I have tested versions 20160924 and 20170408; both are affected.