Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] harden attribute escaping during ssr #7530

Merged
merged 3 commits into from Jun 20, 2022
Merged

[fix] harden attribute escaping during ssr #7530

merged 3 commits into from Jun 20, 2022

Conversation

mrkishi
Copy link
Member

@mrkishi mrkishi commented May 13, 2022

Upon reviewing #5701 I noticed we don't escape attributes when using objects during SSR. This introduces a (small) vulnerability where objects with a custom toString() implementation turn seemingly safe components into an XSS vector:

<!-- SeeminglySafe.svelte -->
<script>
	export let attr = undefined;
	export let attrs = {};

	const safe_attrs = {
		foo: 'foo',
		bar: 'bar'
	};
</script>

{#if attr !== undefined}
	Variant 1: <div {...safe_attrs} {attr}/>
{:else}
	Variant 2: <div {...attrs}/>
{/if}

<!-- Component.svelte -->
<script>
	import ActuallyVulnerable from './SeeminglySafe.svelte';

	export let untrusted = '"><script>alert("xss")<\/script>';

	const model = {
		data: untrusted,

		// I'm so helpful! Don't you _love_ OOP?
		toString() {
			return this.data.toString();
		}
	};
</script>

<ActuallyVulnerable attr={model} />
<ActuallyVulnerable attrs={{ foo: 'foo', bar: model }} />

<!-- SSRed html -->
Variant 1: <div foo="foo" bar="bar" attr=""><script>alert("xss")</script>"></div>
Variant 2: <div foo="foo" bar=""><script>alert("xss")</script>"></div>

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with [feat], [fix], [chore], or [docs].
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with npm test and lint the project with npm run lint

@m-mercuri
Copy link
Contributor

Any reason why this cannot be merged?
This should solve this vulnerability.

@dummdidumm dummdidumm merged commit f8605d6 into sveltejs:master Jun 20, 2022
@Wninayyds
Copy link

Hello, will this vulnerability really be reproduced? My version is 3.45.0. I tried it according to your method, and there is no XSS.

@mrkishi
Copy link
Member Author

mrkishi commented Jul 20, 2022

@Wninayyds Yeah, it's present in 3.45.0—the fix was released in 3.49.0. Note that it only affects SSR, not components running in the browser.

You should be safe as long as you aren't overriding toString, so it's extremely likely you're okay.

@mrkishi mrkishi deleted the xss-vuln branch July 20, 2022 01:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@baseballyama baseballyama baseballyama approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@mrkishi @m-mercuri @Wninayyds @baseballyama @dummdidumm