Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inproper data handling leads to crashes and local code execution #25

Closed
ecneladis opened this issue Feb 24, 2014 · 3 comments
Closed

Inproper data handling leads to crashes and local code execution #25

ecneladis opened this issue Feb 24, 2014 · 3 comments

Comments

@ecneladis
Copy link

ecneladis commented Feb 24, 2014
edited
Loading

Multiple outputs are not properly sanitised.

Examples

Filenames in perspectiveList

Filenames are not properly sanitised. Proof of concept:

touch "<img src=x onerror=alert(1)>qwerty"

viewerBrowser, viewerMD, viewerText and editorHTML

It's is possible to render any html code and because of node-webkit architecture we have ability to access the file system or execute arbitrary command using nodejs modules.

<script>
   var exec = require('child_process').exec;
   exec('uname -a',function (error, stdout, stdin) {alert(stdout)});
</script>
Location name in remove dialog

Same situation as in viewers

Tag names

Special characters lead to unspecified behaviour and crashes.

Solutions
@uggrock
Copy link
Member

uggrock commented Feb 24, 2014

Thank you for your great input! I will try to fix these issues for the next release.

uggrock added a commit that referenced this issue Feb 26, 2014
@uggrock
partly fixing #25 by removing script tags from the md content
85c2ceb
uggrock added a commit that referenced this issue Feb 26, 2014
@uggrock
partly fixing #25 by sanitizing the file paths
1a9d99a
uggrock added a commit that referenced this issue Feb 26, 2014
@uggrock
partly fixing #25 by removing script tags from the content
216cfc4
ecneladis added a commit to ecneladis/tagspaces that referenced this issue Feb 27, 2014
@ecneladis
Proper escaping of filenames and pathes. tagspaces#25
e7bb44a
@ecneladis
Copy link
Author

Regarding 85c2ceb and 216cfc4, use some existing library to prevent javascript injection. Preventing XSS is not a trivial task, it's very difficult to blacklist all the possibilities.

@uggrock
Copy link
Member

uggrock commented Feb 28, 2014

I am aware of the fact that XSS fixing is not trivial task. In my commits I was searching for a quick fix of the issues you mentioned. In a future releases of tagspaces I will definitely consider integrating of some library for the XSS prevention.

@uggrock uggrock closed this as completed Oct 2, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@uggrock @ecneladis