CSRF and XSS mitigation #44

Closed
opened 6 years ago by trinity-1686a · 7 comments
Owner

From what I see, I think there is currently no mitigation against CSRF (ability to post from another website with a specially crafted link, without secret cookie knowledge), nor against XSS (run JS from untrusted input, maybe even from other instances sending comments).

Poster
Owner

XSS are mostly here because templates in `.tera` are not auto-escaped; we should rename each template file to `.html.tera` so they are.

Are there any rules on where HTML should be allowed but then sanitized (like posts, I guess), and where it is not and can simply be escaped? I don't think comments require HTML, but from the code, currently they seem to be allowed to.
elegaanz commented 6 years ago (Migrated from github.com)

There is a crate to help handling CSRF: https://crates.io/crates/csrf

Poster
Owner

New XSS were added when a dashboard was added (only work against themselves), and during template deduplication (work against anybody and hit any template which includes `/templates/users/header.tera`). We should take care not to forget to add `.html` before `.tera` to notify Tera we need it to auto-escape HTML.
Poster
Owner

Tera doesn't seem to auto-escape arguments of functions; this allows an XSS on the user's name in `macro.html.tera`, `users/followers.html.tera`, `templates/posts/details.html.tera`, via the instance name in `templates/instance/index.html.tera` (which is a bit of a non-issue as admins can modify templates if they want to), and maybe in other locations, even if the proper extension is used.
elegaanz commented 6 years ago (Migrated from github.com)

I've fixed the two issues you mentioned, I think we are now protected. You can close this issue if you think everything is OK. 🙂

Poster
Owner

I can't spot any XSS right now; however, there is still a CSRF issue on like, reshare and follow as they are GET requests. I think I'll close this and open another issue so people who know how to make a form beautiful can see it.
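The CSRF rule this comment asks for, as an added example that is not Plume's own code: state-changing routes (like, reshare, follow) are refused over GET and, over POST, accepted only when the form carries the per-session token the server rendered into it. The `Request` struct, `check_csrf`, the route paths and the token value are assumptions for the example.

```rust
// Added example (not Plume's code): reject state-changing actions over GET
// and require a session-bound token on POST. A page on another origin can
// trigger the request but cannot read the token, so the forged request fails.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Verdict { Allowed, MethodNotAllowed, MissingToken, BadToken }

/// Hypothetical minimal view of an incoming request.
pub struct Request<'a> {
    pub method: &'a str,
    pub path: &'a str,
    pub form: HashMap<&'a str, &'a str>, // parsed body fields
}

/// Routes that mutate state and therefore must never be reachable via GET.
const STATE_CHANGING: [&str; 3] = ["/like", "/reshare", "/follow"];

/// Constant-time equality so the comparison does not leak a matching prefix.
fn eq_ct(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// `session_token` is the secret generated at login and stored server-side;
/// the same value is emitted as a hidden `csrf_token` field in every form.
pub fn check_csrf(req: &Request, session_token: &str) -> Verdict {
    let mutating = STATE_CHANGING.iter().any(|p| req.path.starts_with(*p));
    if !mutating { return Verdict::Allowed; }
    if req.method != "POST" { return Verdict::MethodNotAllowed; }
    match req.form.get("csrf_token") {
        None => Verdict::MissingToken,
        Some(t) if eq_ct(t.as_bytes(), session_token.as_bytes()) => Verdict::Allowed,
        Some(_) => Verdict::BadToken,
    }
}

fn main() {
    let mut form = HashMap::new();
    form.insert("csrf_token", "s3ss10n-t0k3n"); // constructed sample token
    let req = Request { method: "POST", path: "/follow/alice", form };
    println!("{:?}", check_csrf(&req, "s3ss10n-t0k3n"));
}
```

Marking the session cookie `SameSite=Lax` is a complementary browser-side layer; the token check above does not rely on it.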
elegaanz commented 6 years ago (Migrated from github.com)

Oh yes, I forgot about them.

No Milestone
No Assignees
2 Participants
Reference: Plume/Plume#44