prevent XSS in event handlers

[pythonissam]

Variable interpolation in Hamlet automatically applies toHtml. So it can ensure that converted Html is entity-escaped and the value is sanitized correctly. However, if the value contains the value of other types (i.e. Javascript), sanitizing can fail.

For example, let's think about the following code:

#!/usr/bin/env stack
-- stack script --resolver lts-12.4
{-# LANGUAGE OverloadedStrings     #-}
{-# LANGUAGE QuasiQuotes           #-}
{-# LANGUAGE TemplateHaskell       #-}
{-# LANGUAGE TypeFamilies          #-}
import           Yesod

data App = App

mkYesod "App" [parseRoutes|
/ HomeR GET
|]

instance Yesod App

getHomeR :: Handler Html
getHomeR = defaultLayout $ do
  mname <- lookupGetParam "name"

  [whamlet|
    $maybe name <- mname
      <img onload="init('#{name}')" src="https://www.yesodweb.com/static/logo-home2-no-esod-smaller2.png">
    $nothing
      Parameter 'name' isn't set
  |]

  toWidget [julius|
    function init(text) {
      // Do whatever you want
    }
  |]

main :: IO ()
main = warp 3000 App

In this case, Hamelt totally expects that the variable is used in HTML, so no JS sanitizing occurs. Therefore, we can include malicious JS code in name parameter, and execute it.

For instance, this executes alert(1):

http://localhost:3000/?name=%27),alert(1)//

The cause of this problem is that there's no type information of how the given variable should be sanitized. Any good ideas to prevent this?

[snoyberg]

This is basically unsolvable: there's no way for the template to know that you intend for the value to be treated as Javascript inside HTML. I'd recommend keeping the Javascript in Julius files instead.

…

On Wed, Aug 1, 2018 at 5:13 AM pythonissam ***@***.***> wrote: Variable interpolation in Hamlet automatically applies toHtml. So it can ensure that converted Html is entity-escaped and the value is sanitized correctly. However, if the value contains the value of other types (i.e. Javascript), sanitizing can fail. For example, let's think about the following code: #!/usr/bin/env stack-- stack script --resolver lts-12.4 {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE QuasiQuotes #-} {-# LANGUAGE TemplateHaskell #-} {-# LANGUAGE TypeFamilies #-}import Yesod data App = App mkYesod "App" [parseRoutes| / HomeR GET |] instance Yesod App getHomeR :: Handler Html getHomeR = defaultLayout $ do mname <- lookupGetParam "name" [whamlet| $maybe name <- mname <img onload="init('#{name}')" src="https://www.yesodweb.com/static/logo-home2-no-esod-smaller2.png"> $nothing Parameter 'name' isn't set |] toWidget [julius| function init(text) { // Do whatever you want } |] main :: IO () main = warp 3000 App In this case, Hamelt totally expects that the variable is used in HTML, so *no JS sanitizing occurs*. Therefore, we can include malicious JS code in name parameter, and execute it. For instance, this executes alert(1): http://loacalhost:3000/?name=%27),alert(1)// The cause of this problem is that there's no type information how the given variable should be sanitized. Any good ideas to prevent this? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1547>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADBBwAoqpeiJoB8WesObSZo2yhNCl1-ks5uMQ63gaJpZM4Vpusu> .

[MaxGabriel]

I think Rails requires you to manually escape jacascript using the `j` function in this case On Wednesday, August 1, 2018, Michael Snoyman <notifications@github.com> wrote:

…

This is basically unsolvable: there's no way for the template to know that you intend for the value to be treated as Javascript inside HTML. I'd recommend keeping the Javascript in Julius files instead. On Wed, Aug 1, 2018 at 5:13 AM pythonissam ***@***.***> wrote: > Variable interpolation in Hamlet automatically applies toHtml. So it can > ensure that converted Html is entity-escaped and the value is sanitized > correctly. However, if the value contains the value of other types (i.e. > Javascript), sanitizing can fail. > > For example, let's think about the following code: > > #!/usr/bin/env stack-- stack script --resolver lts-12.4 > {-# LANGUAGE OverloadedStrings #-} > {-# LANGUAGE QuasiQuotes #-} > {-# LANGUAGE TemplateHaskell #-} > {-# LANGUAGE TypeFamilies #-}import Yesod > data App = App > > mkYesod "App" [parseRoutes| > / HomeR GET > |] > instance Yesod App > getHomeR :: Handler Html > getHomeR = defaultLayout $ do > mname <- lookupGetParam "name" > > [whamlet| > $maybe name <- mname > <img onload="init('#{name}')" src="https://www.yesodweb.com/ static/logo-home2-no-esod-smaller2.png"> > $nothing > Parameter 'name' isn't set > |] > > toWidget [julius| > function init(text) { > // Do whatever you want > } > |] > main :: IO () > main = warp 3000 App > > In this case, Hamelt totally expects that the variable is used in HTML, so *no > JS sanitizing occurs*. Therefore, we can include malicious JS code in name > parameter, and execute it. > > For instance, this executes alert(1): > > http://loacalhost:3000/?name=%27),alert(1)// > > The cause of this problem is that there's no type information how the > given variable should be sanitized. Any good ideas to prevent this? > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#1547>, or mute the thread > <https://github.com/notifications/unsubscribe-auth/ AADBBwAoqpeiJoB8WesObSZo2yhNCl1-ks5uMQ63gaJpZM4Vpusu> > . > — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1547 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNxIXAZXkKHAn0jHTgHWdw_d7q3Idw7ks5uMYhZgaJpZM4Vpusu> .

[pythonissam]

@snoyberg @MaxGabriel

This is basically unsolvable: there's no way for the template to know that you intend for the value to be treated as Javascript inside HTML.

I think Rails requires you to manually escape jacascript using the j
function in this case

I understand, it's unfortunate though. So instead of that, I suggest implementing equivalent function to j in Rails (to escape Julius in Hamlet).

Furthermore, we found a problem when interpolating Julius value in Julius (this is not interpolating Julius value in Hamlet!).

ToJavascript instance of Value is as follows:

instance ToJavascript Value where toJavascript = Javascript . encodeToTextBuilder

and encodeToTextBuilder applies string to String value of Value. string function seems to be used to escape JavaScript-meaningful chars such as ". However, there's no apostrophe escape:

string :: T.Text -> Builder
string s = {-# SCC "string" #-} singleton '"' <> quote s <> singleton '"'
  where
    quote q = case T.uncons t of
                Nothing      -> fromText h
                Just (!c,t') -> fromText h <> escape c <> quote t'
        where (h,t) = {-# SCC "break" #-} T.break isEscape q
    isEscape c = c == '\"' ||
                 c == '\\' ||
                 c == '<'  ||
                 c == '>'  ||
                 c == '&'  ||
                 c < '\x20'
    escape '\"' = "\\\""
    escape '\\' = "\\\\"
    escape '\n' = "\\n"
    escape '\r' = "\\r"
    escape '\t' = "\\t"
    escape '<' = "\\u003c"
    escape '>' = "\\u003e"
    escape '&' = "\\u0026"

    escape c
        | c < '\x20' = fromString $ "\\u" ++ replicate (4 - length h) '0' ++ h
        | otherwise  = singleton c
        where h = showHex (fromEnum c) ""

So, same here, I think there's room for being injected malicious JavaScript code via variable interpolation...

[snoyberg]

Can you clarify how this can be used as an attack?

[pythonissam]

For example, please consider the following code:

#!/usr/bin/env stack
-- stack script --resolver lts-12.4

{-# LANGUAGE OverloadedStrings     #-}
{-# LANGUAGE QuasiQuotes           #-}
{-# LANGUAGE TemplateHaskell       #-}
{-# LANGUAGE TypeFamilies          #-}
{-# LANGUAGE BangPatterns #-}

import Yesod
import Data.Text.Lazy.Builder (fromText, Builder, singleton, fromString)
import qualified Data.Text as T
import Numeric (showHex)
import Data.Maybe (fromJust)
import Text.Julius (RawJavascript(..))

data App = App

mkYesod "App" [parseRoutes|
/ HomeR GET
|]

instance Yesod App

getHomeR :: Handler Html
getHomeR = defaultLayout $ do
  name <- fromJust <$> lookupGetParam "name"
  let (String text) = toJSON name

  toWidget [julius|
    function init(text) {
      console.log(text);
    }

    var img = document.createElement("img");
    img.setAttribute("src", "https://www.fpcomplete.com/hs-fs/hubfs/fp-complete-logo-small.png?t=1533860342655&width=470&name=fp-complete-logo-small.png");
    img.onload = init('#{toJSON name}');

    var img2 = document.createElement("img");
    img2.setAttribute("src", "https://www.fpcomplete.com/hs-fs/hubfs/fp-complete-logo-small.png?t=1533860342655&width=470&name=fp-complete-logo-small.png");
    img2.onload = init('#{RawJavascript $ string text}');

    var body = document.getElementsByTagName("body")[0];
    body.appendChild(img);
    body.appendChild(img2);
  |]

string :: T.Text -> Builder
string s = {-# SCC "string" #-} singleton '"' <> quote s <> singleton '"'
  where
    quote q = case T.uncons t of
                Nothing      -> fromText h
                Just (!c,t') -> fromText h <> escape c <> quote t'
        where (h,t) = {-# SCC "break" #-} T.break isEscape q
    isEscape c = c == '\"' ||
                 c == '\\' ||
                 c == '<'  ||
                 c == '>'  ||
                 c == '&'  ||
                 c == '\'' || -- HERE!
                 c < '\x20'
    escape '\"' = "\\\""
    escape '\\' = "\\\\"
    escape '\n' = "\\n"
    escape '\r' = "\\r"
    escape '\t' = "\\t"
    escape '<' = "\\u003c"
    escape '>' = "\\u003e"
    escape '&' = "\\u0026"
    escape '\'' = "\\\'"      -- HERE!

    escape c
        | c < '\x20' = fromString $ "\\u" ++ replicate (4 - length h) '0' ++ h
        | otherwise  = singleton c
        where h = showHex (fromEnum c) ""

main :: IO ()
main = warp 3000 App

There's a DOM based XSS. Loading http://localhost:3000/?name=%27),alert(1)// shows you a prompt once. This is caused by the first interpolation. Currently, there's no escaping for ' so this line

img.onload = init('#{toJSON name}');

seems to generate this code:

img.onload=init('"'),alert(1);

I'm not sure why a double quote is there and a comment disappeared, though.

However, if we update function string to also escape ', as img2 illustrates, JS code injection fails. This is because name is evaluated as string in JS world.

img2.onload = init('#{RawJavascript $ string text}');

generates:

img2.onload=init('"\'),alert(1)//"');

[pythonissam]

Well, variable interpolation in Julius includes double quotes, so writing init('#{toJSON name}') might be weird... but I think there's a person who makes a similar mistake.

[snoyberg]

IIRC, there was a push a while ago to have aeson escape single quotes for these kinds of cases, but it was rejected. If there's somewhere inside Yesod we can add such escaping, that seems like a good addition. PR would be welcome.

[jezen]

This appears to have been fixed by the merged pull request, so I will close this issue.