Skip to content

[fix] harden attribute escaping during ssr#7530

Merged
dummdidumm merged 3 commits intosveltejs:masterfrom
mrkishi:xss-vuln
Jun 20, 2022
Merged

[fix] harden attribute escaping during ssr#7530
dummdidumm merged 3 commits intosveltejs:masterfrom
mrkishi:xss-vuln

Conversation

@mrkishi
Copy link
Copy Markdown
Member

@mrkishi mrkishi commented May 13, 2022

Upon reviewing #5701 I noticed we don't escape attributes when using objects during SSR. This introduces a (small) vulnerability where objects with a custom toString() implementation turn seemingly safe components into an XSS vector:

<!-- SeeminglySafe.svelte -->
<script>
	export let attr = undefined;
	export let attrs = {};

	const safe_attrs = {
		foo: 'foo',
		bar: 'bar'
	};
</script>

{#if attr !== undefined}
	Variant 1: <div {...safe_attrs} {attr}/>
{:else}
	Variant 2: <div {...attrs}/>
{/if}

<!-- Component.svelte -->
<script>
	import ActuallyVulnerable from './SeeminglySafe.svelte';

	export let untrusted = '"><script>alert("xss")<\/script>';

	const model = {
		data: untrusted,

		// I'm so helpful! Don't you _love_ OOP?
		toString() {
			return this.data.toString();
		}
	};
</script>

<ActuallyVulnerable attr={model} />
<ActuallyVulnerable attrs={{ foo: 'foo', bar: model }} />

<!-- SSRed html -->
Variant 1: <div foo="foo" bar="bar" attr=""><script>alert("xss")</script>"></div>
Variant 2: <div foo="foo" bar=""><script>alert("xss")</script>"></div>

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with [feat], [fix], [chore], or [docs].
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with npm test and lint the project with npm run lint

@m-mercuri
Copy link
Copy Markdown
Contributor

m-mercuri commented Jun 17, 2022

Any reason why this cannot be merged?
This should solve this vulnerability.

@dummdidumm dummdidumm merged commit f8605d6 into sveltejs:master Jun 20, 2022
@Wninayyds
Copy link
Copy Markdown

Wninayyds commented Jul 19, 2022

Hello, will this vulnerability really be reproduced? My version is 3.45.0. I tried it according to your method, and there is no XSS.

@mrkishi
Copy link
Copy Markdown
Member Author

mrkishi commented Jul 20, 2022

@Wninayyds Yeah, it's present in 3.45.0—the fix was released in 3.49.0. Note that it only affects SSR, not components running in the browser.

You should be safe as long as you aren't overriding toString, so it's extremely likely you're okay.

@mrkishi mrkishi deleted the xss-vuln branch July 20, 2022 01:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@baseballyama baseballyama baseballyama approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mrkishi @m-mercuri @Wninayyds @baseballyama @dummdidumm