Redirects can be used to bypass AJAX trusted URLs

Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

• security.drupal.org private issue: https://git.drupalcode.org/security/185131-redirect-security/-/work_items/1
  (included for reference. Please do not report access denied as an error.)

Problem/Motivation

This check in ajax.js can be bypassed if the URL corresponds to an existing property of the ajaxTrustedUrl object (for example .constructor) :

if (drupalSettings.ajaxTrustedUrl[originalUrl]) {

In order to exploit this an attacker would need the following permissions:

• Create redirects
• Upload files (any extension would work)
• Insert HTML with data attributes (or be able to set the URL of some existing AJAX call)

Steps to reproduce

1. Upload a .txt file containing containing this:

[{"command":"insert","method":"html","data":"<img src=x onerror=alert(0)>", "selector": "body"}]

2. Create a new redirect from /constructor to the URL of the uploaded file (for example with the redirect module).
3. Insert this HTML into a page:

<a class="use-ajax" href="constructor" data-ajax-http-method="GET">Click me</a>

4. When the link is clicked, the uploaded JSON is used as a trusted response and the JS is executed.

Proposed resolution

I suppose the easiest fix would be for core to add something like this:

drupalSettings.ajaxTrustedUrl.hasOwnProperty(originalUrl)

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet