Commit e7813a9b authored by julian.baeume's avatar julian.baeume

Fixed: [OXUIB-645] XSS using script code as module at app loader

Root cause: relative paths in JS module urls might lead browsers to request
    resources outside the actual code loading servlet
Solution: do not allow relative paths as JS module names, those need to be resolved
    elsewhere

(cherry picked from commit aa177349)
parent 4a6f6ef5
......@@ -1874,6 +1874,7 @@ define('io.ox/core/desktop', [
return function (req, data) {
assert(arguments.length <= 1 || arguments.length === 2 && !_.isFunction(data), 'ox.load does not support callback params.');
if (/\.\./.test(req)) throw new Error('module names must not contain relative paths');
def = $.Deferred();
launched = data && data.launched ? data.launched : $.Deferred().resolve();
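Review bot: The check added on line 18 is the third spelling of the same rule in this commit: here `/\.\./.test(req)` throws, in `io.ox/core/main/stages` the same regex logs and returns, and in the boot loader `indexOf('..') >= 0` logs and drops the entry, so the three sites can drift apart the next time the rule changes. A single shared predicate that all three call, with one comment stating why (`// OXUIB-645: module names are joined into the code-loading URL, '..' must never reach it`), would keep the policy in one place. Throwing is consistent with the `assert` on the previous line, so the choice of outcome here looks fine; the enclosing function continues outside the hunk.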
......
......@@ -27,6 +27,10 @@ define('io.ox/core/main/stages', [
var getAutoLaunchDetails = function (str) {
var pair = (str || '').split(/:/), app = pair[0], method = pair[1] || '';
if (/\.\./.test(app)) {
console.error('app names must not contain relative paths');
return { app: undefined };
}
return { app: (/\/main$/).test(app) ? app : app + '/main', method: method, name: app.replace(/\/main$/, '') };
};
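Review bot: The early return on line 27 yields `{ app: undefined }` while the normal return on line 29 also carries `method` and `name`, so a consumer that reads `name` or `method` from the result sees a different shape on the rejected path; `return { app: undefined, method: method, name: undefined };` keeps the shape uniform. `method`, split from the same untrusted string on line 24, is passed through unchecked; how it is consumed is outside the hunk, so whether it needs the same treatment cannot be judged here. `getAutoLaunchDetails` is complete within the hunk.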
......
......@@ -25,3 +25,28 @@ Scenario('[XSS] [OXUIB-400] No malicious code execution when code loading fails'
// will fail if xss was succesfull -> page is overwritten
drive.waitForApp();
});
Scenario('[OXUIB-645] XSS using script code as module at app loader', async function (I, drive) {
I.login('app=io.ox/files');
drive.waitForApp();
I.clickToolbar('New');
I.clickDropdown('Note');
I.waitForElement('.io-ox-editor .title');
I.fillField('.io-ox-editor .title', 'OXUIB-645.js');
I.fillField('.io-ox-editor .content', 'document.write("XSS");');
I.click('Save');
I.wait(1);
I.click('Close');
I.click(locate('.list-item').withText('OXUIB-645.js'));
drive.shareItem();
I.selectOption('Who can access this folder?', 'Anyone with the link and invited people');
I.waitForNetworkTraffic();
let url = await I.grabValueFrom('.public-link-url-input');
url = new URL(url);
I.click('Share', '.modal');
I.waitToHide('.modal');
const module = `${new Array(60).join('/..')}${url.pathname}?dl=1&cut=`;
I.amOnPage('ui#!!&app=io.ox/files:foo,' + encodeURIComponent(module));
I.refreshPage();
drive.waitForApp();
});
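Review bot: The scenario's only assertion is `drive.waitForApp()` on line 58, which relies (per the comment on line 33 in the preceding scenario) on the page being overwritten when the injection succeeds; an explicit negative check such as `I.dontSee('XSS');` after the reload would state the intent directly and fail with a clearer message. `I.wait(1)` on line 45 is a fixed sleep that tends to make e2e tests flaky; waiting on the save to settle, e.g. `I.waitForNetworkTraffic();` as already used on line 50, would be more robust. The note created by the test is not removed afterwards; if the suite does not reset the drive between scenarios, a cleanup step would avoid cross-test leakage.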
......@@ -407,6 +407,10 @@
while (modules.length > 0) {
url = base;
while (modules[0] && ox.abs.length + url.length + 1 + modules[0].length < limit) {
if (modules[0].indexOf('..') >= 0) {
console.error('module names must not be relative');
modules.shift();
}
url += ',' + modules.shift();
}
requests.push($.ajax({ url: url, dataType: 'text' }));
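Review bot: The guard on lines 64-67 shifts the offending module but then falls through to `url += ',' + modules.shift();` on line 68, so the following module is appended without ever being checked, and when the rejected entry was the last one the expression appends `,undefined` to the request URL. Adding `continue;` after `modules.shift();` inside the `if` makes the loop condition re-evaluate `modules[0]` before anything is appended. The check also only matches the literal `..`; if the servlet percent-decodes the path before resolving it, the server-side rejection of `..` segments is the control to confirm, since this client-side filter is defence in depth rather than the boundary. The enclosing `while (modules.length > 0)` loop closes outside the hunk.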
......