Skip to content

Fix XSS (CVE-2020-5497)#1534

Open
irbishop wants to merge 1 commit intomitreid-connect:masterfrom
irbishop:master
Open

Fix XSS (CVE-2020-5497)#1534
irbishop wants to merge 1 commit intomitreid-connect:masterfrom
irbishop:master

Conversation

@irbishop
Copy link

@irbishop irbishop commented Apr 10, 2020

Fix for #1521

#1526 was on the right track - escapeXml works for the instances in topbar.tag because individual values are referenced from userInfo:

						<li class="dropdown">
							<a id="userButton" class="dropdown-toggle" data-toggle="dropdown" href=""><i class="icon-user icon-white"></i> user <span class="caret"></span></a>
							<ul class="dropdown-menu pull-right">
								<li><a href="manage/#user/profile" data-toggle="collapse" data-target=".nav-collapse">Demo &lt;script&gt;alert(1)&lt;/script&gt;User</a></li>
								<li class="divider"></li>
								<li><a href="" data-toggle="collapse" data-target=".nav-collapse" class="logoutLink"><i class="icon-remove"></i> Log out</a></li>
							</ul>
						</li>
	                    
	                    
	                </ul>
	                
	                <!--  use a simplified user button system when collapsed -->
	                <ul class="nav hidden-desktop">
	                    
						<li><a href="manage/#user/profile">Demo &lt;script&gt;alert(1)&lt;/script&gt;User</a></li>
						<li class="divider"></li>
						<li><a href="" class="logoutLink"><i class="icon-remove"></i> Log out</a></li>
	                    
	                    
	                </ul>

Using escapeXml on userInfoJson in header.tag breaks the JSON:

Reference image

I looked at UseInforInterceptor, so using custom UserInfo will be protected as well. It's the simplest way I could think of:

  • Convert the response from UserInfo.toJson to JsonElement
  • Dump the JsonElement with gson

The result is userInfoJson appearing like:

   	function getUserInfo() {
    		return {"sub":"01921.FLANRJQW","name":"Demo \u003cscript\u003ealert(1)\u003c/script\u003eUser","preferred_username":"user","email":"user@example.com","email_verified":true};
    	}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@irbishop