Problem/Motivation

I added <strong>foo</strong> as a company I have worked for (https://www.drupal.org/u/sam152), this appears in bold on the status report page (see screenshot).

Proposed resolution

Work information from d.o should likely be escaped (\Drupal\Component\Render\HtmlEscapedText).

CommentFileSizeAuthor
#8 2936914-8.patch735 bytesjrockowitz
#2 Screen Shot 2018-01-16 at 1.34.19 AM.png132.27 KBmarkhalliwell
#2 Screen Shot 2018-01-16 at 1.34.08 AM.png159.81 KBmarkhalliwell
Screen Shot 2018-01-16 at 1.38.27 pm.png27.61 KBsam152

Comments

Sam152 created an issue. See original summary.

markhalliwell’s picture

markhalliwell
Primary language English
commented
Status: Active » Closed (cannot reproduce)
Issue tags: -Security
StatusFileSize
new Screen Shot 2018-01-16 at 1.34.08 AM.png159.81 KB
new Screen Shot 2018-01-16 at 1.34.19 AM.png132.27 KB
  1. You should probably read https://www.drupal.org/security-team/report-issue
  2. Allowing HTML doesn't automatically make it an XSS vulnerability. What would have made it an XSS vulnerability is if you added <script>alert('test')</script> and an alert popped up... which it doesn't:

sam152’s picture

sam152 commented

The "Report a security vulnerability" link on the project page literally links to submitting a public issue with the "security" tag prefilled with the message:

This project is not covered by the Drupal Security Team’s advisory policy. Security issues do not need to be privately reported for the Contribute project.

For the the actual issue at hand, I've looked into this in some more detail.

If markup is not an instance of MarkupInterface (see \Drupal\Core\Render\Renderer::ensureMarkupIsSafe it's run through Xss::filterAdmin with the following allowed tags. I don't know about you, but I'd rather someone not be able to stick images, divs and links into my status page remotely without even having an account on the site. I can imagine a few scenarios where such markup could encourage a site admin to expose some sensitive information...

At the very least, shouldn't this be an open issue?

edit by @markcarver: removed the unnecessarily long list of allowed Xss::filterAdmin tags which can easily be referenced elsewhere.

sam152’s picture

sam152 commented

I also think this technically still would have qualified for a security advisory had this module been stable, given the docblock of \Drupal\Component\Utility\Xss::filterAdmin reads:

Applies a very permissive XSS/HTML filter for admin-only use.

Having a profile on drupal.org !== an admin on my site.

sam152’s picture

sam152 commented
Status: Closed (cannot reproduce) » Active
markhalliwell’s picture

markhalliwell
Primary language English
commented
Title: Module contains XSS issues » Work info pulled from d.o displays HTML
Category: Bug report » Feature request
Issue summary: View changes
Priority: Normal » Minor

I don't know about you, but I'd rather someone not be able to stick images, divs and links into my status page remotely without even having an account on the site.

Because they can also remotely change which user's information is pulled from d.o? No...

Clearly, one has to put their own username/company in here manually. I'd hope you're smart enough not to "annoy" yourself with your own "images, divs and links" that were not designed to go in the "Work" section of d.o.... to begin with.

I can imagine a few scenarios where such markup could encourage a site admin to expose some sensitive information...

Again, your "reasoning" here makes no sense and appears to be fabricating imaginary scenarios to imply some "risk" when there really is none. This is a passive pull of remote content, which is intended to be a username/company that you (the administrator, who has access to the status page) must provide in the first place.

At the very least, shouldn't this be an open issue?

Perhaps, but it's not a "security" issue at all. The OP clearly insinuated it was without actually providing any real evidence. That's why I proved that it wasn't in #2 and closed the issue.

If @jrockowitz wants to "fix" this, then that is certainly his prerogative. I just don't like issues that cry wolf, especially when it's a new module (and a noble one at that!). Cheers!

sam152’s picture

sam152 commented

Yeah, this title for the issue makes sense. Before digging into it in #3 I believed it was full blown XSS which is clearly isn't, hence the original title. Good clarification 👍

With regards to the security impact, it's more about attack surface than individuals trying to be annoying. Exploits are used in combination with each other to open holes.

jrockowitz’s picture

jrockowitz commented
Status: Active » Needs review
StatusFileSize
new 2936914-8.patch735 bytes

Wow, a module that is less than 1 week old with 2 installations and already has a security ticket filed.

Thanks for catching that mistake and I would like to give Twig credit for preventing major issue on my part.

The attached patch renders the organization information as #plain_text instead of #markup.

sam152’s picture

sam152 commented
Status: Needs review » Reviewed & tested by the community

Checked if any other instances of user supplied data was being used with #markup, looks good to me 👌

jrockowitz’s picture

jrockowitz commented
Status: Reviewed & tested by the community » Fixed

  • jrockowitz committed 2c228f5 on 8.x-1.x 
    Issue #2936914 by jrockowitz, markcarver, Sam152: Work info pulled from...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.