Unsafe input

[Leonya]

With sanitizer configured as follows Sanitizers.FORMATTING.and(Sanitizers.IMAGES).and(Sanitizers.LINKS) the following input is not sanitized correctly and it pops up an alert:

<a href='/"&nbsp;xxx=&#39;'>xxx' onmouseover="alert('oops')" style="position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white"></a>

I have tested versions 20160924 and 20170408, both are affected.

[ChALkeR]

@Leonya Are you sure that this is the correct way to report this?

[Leonya]

@ChALkeR https://github.com/OWASP/java-html-sanitizer/blob/master/docs/attack_review_ground_rules.md — apparently it is. I have contacted @mikesamuel by email since labelling of issues is not available to non-members.

[ChALkeR]

Sigh.

I am just not happy that this in fact makes the vulnerability that I privately reported public prior to the fix.

I am considering this disclosed, btw.

[ChALkeR]

@Leonya, the suggested reporting procedure is clearly broken here (as you have already noticed in regard to label being not present), but imo that doesn't mean that this should be immediately dislosed publically.

The procedure got broken in 7ea6673#diff-7924fb07e3115de3a49d641ecc235f90L30 — apparently, this project was hosted elsewhere, which respected the «Private» label previously.

[jmanico]

I'll try these tests against the following policy this evening. Thanks for the report! Sanitizers.FORMATTING.and(Sanitizers.IMAGES).and(Sanitizers.LINKS) - Jim

…

On 4/11/17 8:23 AM, Сковорода Никита Андреевич wrote: As this is dislosed, I will provide some more info (all of this isn't a secret as this is already public and there are at least 21 people that received emails about this). I privately reported an issue today against JetBrains Upsource (which is not a secret right now, as it could be deduced from @Leonya <https://github.com/Leonya> public profile), with the following testcases: <a href='//example.com"></a><script>Set.constructor&#96;alert\x28document.domain\x29&#96;&#96;&#96;</script> <img src='/"><iframe> <a href='/"&nbsp;xxx=&#39;'>xxx' onmouseover="alert('xss')" style="position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white"></a> According to @Leonya <https://github.com/Leonya>, Upsource is using |java-html-sanitizer|, and they think that this is an issue in |java-html-sanitizer|. I personally have not reproduced this with pure |java-html-sanitizer| yet. I am not familiar with it or its configuration, so I did not try hard though. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#110 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAgcCYggxXUv9p_zGXEvE9m4b6ADUPODks5ru5sEgaJpZM4M6Jux>.

-- Jim Manico Manicode Security https://www.manicode.com

[ChALkeR]

@Leonya, I wasn't able to reproduce this with pure java-html-sanitizer. Could you provide a full listing of the java testcase file?

[Leonya]

I'm really sorry for the false alarm. This is not a bug in java-html-sanitizer after all, it's us doing stupid things with the sanitized output.

[ChALkeR]

@jmanico, well, there is one actual issue in java-html-sanitizer mentioned here — you should probably fix your Reporting Vulnerabilites procedure, as that doesn't work now =).

[ChALkeR]

Note: when providing the actual details above, I was acting under the assumption that this is in fact an issue in java-html-sanitizer, like @Leonya said (as I did not have experience with java-html-sanitizer before, and they had).

If I have had known that this is not an issue in java-html-sanitizer, I probably wouldn't have mentioned those details here.

It is too late to remove that now, though.

[mikesamuel]

I think @Leonya already sorted out the curiosity which prompted this.

I double checked.

Running

    String input = "<a href='/\"&nbsp;xxx=&#39;'>xxx' onmouseover=\"alert('oops')\" style=\"position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white\"></a>";
    assertEquals(
        "TODO",
        Sanitizers.FORMATTING.and(Sanitizers.IMAGES).and(Sanitizers.LINKS)
        .sanitize(input));

I get the output

<a href="/&#34; xxx&#61;&#39;" rel="nofollow">xxx&#39; onmouseover&#61;&#34;alert(&#39;oops&#39;)&#34; style&#61;&#34;position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white&#34;&gt;</a>

which seems to have the payload in the onmouseover shifted to a text node where it should be innocuous.

I loaded that same fragment in a browser via file:///tmp/foo.html, and saw the text xxx' onmouseover="alert('oops')" style="position:fixed;left:0;right:0;top:0;bottom:0;z-index:100;background:white"> linked to file:///%22%C3%82%C2%A0xxx=' so the browser's interpretation of the output seems to be consistent with the sanitizers.

[mikesamuel]

@ChALkeR I think you're right about why the reporting procedure is broken.

The late Google code had a way to mark a bug as private, but Github unfortunately does not.

@Leonya thanks for trying to follow procedure.

@jmanico Should we point people at bugcrowd instead?

[mikesamuel]

I updated instructions with something that's not too terrible while we hash out details.

49f0d1d

now says

Reporting Vulnerabilities

Please report successful attacks with example input via OWASP's bugcrowd queue.