XSS reported by npm audit #306
Comments
|
I have no idea why it refers to |
Could be because |
|
It is technically, though I've rewritten the majority of the library. If anyone wants to take a stab at fixing it, open to a PR. Not looking to add much payload for it though. |
|
I'm confused by the advisory -- wouldn't the more obvious XSS exploit be to simply inline a <script> tag? |
|
I agree. 🤷♂️ |
|
A potential solution would be to not render script tags by default without an opt-in option I guess. |
|
Secure-by-default is always a good position. :) |
|
Well I guess npm‘s support can be reasoned with 😊: security@npmjs.com |
|
@fabb I'm actually drafting an email right now :) |
|
Hey, I maintain simple-markdown.
I can take a look and see if i can fix the vulns here; do any contributors to this project have more context/repros? |
|
Ok, after looking at this more, I believe that advisory is not about script tags (although... that would be worth considering too), but just about malicious data: or vscript: urls. #307 pulls some fixes for those cases from simple-markdown and adds test cases |
|
Just published 6.11.4, which I believe mitigates this vulnerability. I'll keep an eye on the status of this and check that the vulnerability report agrees with that. If you run into trouble with 6.11.4 or believe it didn't solve the issue; please comment here or make a new issue :). (I'll look into the script tag vulnerability next week, as that may take a bit more time to understand.) |
|
And thanks @probablyup for your help writing up how to contribute and helping me publish this ❤️ |
|
Well, the advisory says it still considers 6.11.4 is vulnerable, but I haven't found any more information about how or why (whether that's I need to somehow mark the version as safe, or if there's an automated script checking the vuln and where I can find out more about it). If anyone has experience with these I'd love their help, otherwise I'll be asking around on twitter to learn what the right next steps are. |
Looking at another security issue I'm following it seems that you might have to reach out to npm to get this new version cleared! |
|
@Bazze ah, really helpful! thank you! |
|
Any updates on this one? |
|
well, as we've been on a holiday weekend here in the states and other spots like the UK(even with most tech workers at home) it may be that it won't get reviewed by NPM until after tomorrow. |
|
No response from npm yet; if they don't respond tomorrow I'll follow up. As @acroyear says, it's a holiday here so npm support is likely not working until tomorrow In the meantime, please upgrade to 6.11.4, which should be safe from this vulnerability, and I think will pass npm audit once npm support looks at it. |
This updates the markdown-to-jsx package to v6.11.4 in order to patch a security vulnerability as reported at #1596 and addressed here at quantizor/markdown-to-jsx#306
|
6.11.4 has been whitelisted 🎉 Thanks everyone! |
|
Awesome! Great job to everyone involved ❤️ |
|
Hello everyone: I'm listed as the reporter of https://www.npmjs.com/advisories/1219, so I'll comment here even though this is already closed. I apologize for not doing so sooner - I only learned yesterday that this issue was opened. First of all, big thanks to @ariabuckles and @probablyup . I'm very glad to see this issue resolved and the speed with which you responded to this issue is very impressive. Second, I can confirm from my end that 6.11.4 fixes the issue I reported. I'll refrain from posting the specific details here (unless Evan would prefer I do so) but I will say that from my point of view this is definitely resolved. Third, I apologize for mishandling the communication around this issue. I should have been watching this repo and also should have reached out to npm about this issue more frequently, but unfortunately did not. I'm sorry for the pain and frustration this has caused. When I initially contacted npm, I used the following language in describing the issue:
This is the reason that the advisory mentioned VBScript and data URI's in particular: because I was specifically checking if https://www.npmjs.com/advisories/815 applied to I agree that advertising that the library does not guarantee untrusted data will be sanitized would also have been an appropriate fix. I have not personally communicated with npm about this issue since October. It is entirely possible that they attempted to contact me but the email never reached me, or I otherwise lost it. Either way, I should have been significantly more proactive in speaking with them about this. I realize most of the hard work was already done before I commented, but if there is any assistance I can provide: please feel free to reach out. |
|
Hi @rwhogg ! Thanks for reporting this! Although I was confused initially, I'm really glad to get the chance to address it and think it's important to! I figured out the vbscript/data thing once I started looking at it since I was also familiar with https://www.npmjs.com/advisories/815 :). Thanks for the comment and for the offer to help! And it's really helpful to have your confirmation that 6.11.4 fixes this! Unrelatedly: npm responded to me and it seems like my initial reach out to them at security@npmjs.com didn't make it to their issue tracker until I CC'd support@npmjs.com ; I'll follow up with them about that so that maybe next time it gets resolved a bit faster :). |
|
Is it the goal of markdown-to-jsx that you should be able to render arbitrary untrusted Markdown and include in your React app without creating XSS vulnerabilities (and any exception to this is a bug in markdown-to-jsx, not a misuse)? I see various issues like this out about fixing XSS bugs but the docs don't actually say whether one ought to feel comfortable using this package on untrusted Markdown in the first place. |
At the end of the day, allowing user input universally creates vulnerability. We do common sense things in the library to handle some typical attack vectors but the overall goal of the library is to be lightweight and extensible. |
https://www.npmjs.com/advisories/1219
The text was updated successfully, but these errors were encountered: