Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Giscus session ID may be leaked when discussion is created #8

Closed
Maronato opened this issue Nov 13, 2021 · 5 comments · Fixed by #13
Closed

Giscus session ID may be leaked when discussion is created #8

Maronato opened this issue Nov 13, 2021 · 5 comments · Fixed by #13
Labels
released

Comments

@Maronato
Copy link

When commenting/reacting on a page that doesn't have a discussion yet, the user's session ID is leaked in the page URL attached to the discussion.

This allows anyone to impersonate the user in the comments just by clicking the page URL provided in the discussion.

Reproducing

With Giscus installed on a website using a giscus component:

  1. Clear your giscus session id from the browser if it is set (log out)
  2. Access a page that does not have a matching discussion yet
  3. Go to the comment section and log in
  4. Immediately after, post a reaction or a comment

Giscus will create a new discussion and attach a link to the related page. The link will have the format: https://<host>/<page>?giscus=<user-session-id>

Anyone that clicks this link, will be redirected to the page and logged into giscus using the leaked session id, therefore being able to comment and react as the user who created the discussion.

Possible cause

I haven't gone too deep into the code, but it seems to be caused by the use of location.href in the body of the discussion.

location.href also contains search parameters, so after the user returns from the oauth login flow with the session id in the URL, it is used as the page origin and included in the discussion.

Notes

I faced this leak when using @giscus/react and possibly traced the issue back to this line.

The script client does not seem to be vulnerable to this issue since it removes the parameter from the url.
@laymonage laymonage transferred this issue from giscus/giscus Nov 14, 2021
laymonage added a commit that referenced this issue Nov 14, 2021
@laymonage
🔒 (react) Update iframe src after deleting session param
e1318fa 
Closes #8
@laymonage laymonage mentioned this issue Nov 14, 2021
Merged
laymonage added a commit that referenced this issue Nov 14, 2021
@laymonage
🔒 (react) Update iframe src after deleting session param
51fbb5b 
Closes #8
github-actions bot pushed a commit that referenced this issue Nov 14, 2021
@semantic-release-bot
🔖 1.0.1 [skip ci]
273657b 
# [v@giscus/react-v1.0.1](https://github.com/giscus/giscus-component/compare/@giscus/react-v1.0.0...@giscus/react-v1.0.1) (2021-11-14)

## 🔒 Security Issues
- [`51fbb5b`](51fbb5b)  (react) Update iframe src after deleting session param (Issues: [`#8`](#8))
@laymonage
Copy link
Member

🎉 This issue has been resolved in version @giscus/react-v1.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@laymonage
Copy link
Member

laymonage commented Nov 14, 2021
edited
Loading

@Maronato Thanks for the report, could you verify that the issue has been fixed in the latest release (v1.0.1)?

@dfeng
Copy link

dfeng commented Jan 28, 2022

From what I can tell, this update seems to have introduced some bugs:

  • your github account no longer seems to persist, and when you navigate to a new page, it "resets", and you have to login again (despite the fact that I am already logged in – going back to 1.0.0, I didn't even need to login and it was signed in).
  • I have some code that dynamically changes the theme. this no longer works with this version.

Reverting back to 1.0.0 resolves these problems.

@laymonage
Copy link
Member

@dfeng could you check with the latest version (v1.1.1)? It should fix the issue.

@laymonage laymonage mentioned this issue Feb 8, 2022
Closed
@dfeng
Copy link

dfeng commented Feb 8, 2022

looks like it's working! cheers :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Prevent session param from being passed as origin URL giscus/giscus-component
3 participants
@dfeng @laymonage @Maronato