Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Script tags not stripped from feed titles on /feeds endpoint #490

Closed
rwhogg opened this issue Oct 29, 2018 · 2 comments · Fixed by #492
Closed

Script tags not stripped from feed titles on /feeds endpoint #490

rwhogg opened this issue Oct 29, 2018 · 2 comments · Fixed by #492

Comments

@rwhogg
Copy link

rwhogg commented Oct 29, 2018

I believe I have discovered an XSS issue in Stringer (the most recent version pushed to Docker Hub).

Here's a POC for it:

  1. Run Stringer using the instructions in https://github.com/swanson/stringer/blob/master/docs/docker.md (The SQLite and Docker Compose instructions instructions both work.)
  2. Serve an RSS feed that has an entity-encoded script tag in its title. (i.e. <script>alert('xss')</script> )
  3. Add your webserver for that feed to Stringer
  4. Go to the /feeds endpoint in your browser. You should see the alert.

I have created an example RSS feed that demonstrates this at https://gist.github.com/rwhogg/1a7b9e9f82db6fdfb266af2cd09cfb9a
@swanson
Copy link
Collaborator

swanson commented Oct 29, 2018

Thanks for the report. Here is the relevant section of the code: https://github.com/swanson/stringer/blob/master/app/repositories/story_repository.rb#L106-L117

We are using the loofah gem for sanitization: https://github.com/flavorjones/loofah but it sounds like this case is not being caught. Not sure if there is a problem with the library or our usage of it.

We should be able to add a failing test for this scenario as well: https://github.com/swanson/stringer/blob/master/spec/repositories/story_repository_spec.rb

Koronen added a commit that referenced this issue Nov 1, 2018
@Koronen
Sanitize feed titles
e8dcc9d 
Attempt to fix a recently reported XSS vulnerability.

We reuse the same sanitization strategy as for _story_ titles.

Fixes #490.
Koronen added a commit that referenced this issue Nov 1, 2018
@Koronen
Sanitize feed titles
35b9183 
Attempt to fix a recently reported XSS vulnerability.

We reuse the same sanitization strategy as for _story_ titles.

Fixes #490.
@Koronen Koronen mentioned this issue Nov 1, 2018
Merged
@rwhogg
Copy link
Author

rwhogg commented Nov 6, 2018

Thanks Victor!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Sanitize feed titles stringer-rss/stringer
2 participants
@swanson @rwhogg