[Issue 17391] SECURITY: XSS through DDOC comments
https://issues.dlang.org/show_bug.cgi?id=17391

Vladimir Panteleev <thecybershadow@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thecybershadow@gmail.com

--- Comment #1 from Vladimir Panteleev <thecybershadow@gmail.com> ---
Hmm... DDoc allows embedding HTML "by design", so this is not a bug.

It might be an issue for websites which display documentation of third-party packages though.

Perhaps it would make sense to forbid certain HTML tags in .d files (i.e. inline documentation comments and the "Macros" section), while still allowing them in macro definitions in .ddoc files.

--
May 10, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #2 from Cédric Picard <cpicard@openmailbox.org> ---
I was not aware that it is so by design. However if it is a design decision I believe the security consequences should be made very explicit and clear in DDOC's documentation so that people avoid distributing third-party projects' documentation or do it very carefully.

Limiting the use to some tags would help the usability issue but not the security one.

--
May 10, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #3 from Vladimir Panteleev <thecybershadow@gmail.com> ---
(In reply to Cédric Picard from comment #2)
> I was not aware that it is so by design. However if it is a design decision I believe the security consequences should be made very explicit and clear in DDOC's documentation so that people avoid distributing third-party projects' documentation or do it very carefully.

As I understand, this only matters from a security standpoint when DDoc output is placed on the same domain as some dynamic content being targeted.

> Limiting the use to some tags would help the usability issue but not the security one.

As I understand, there is no usability issue here because it's working as
designed. Use $(LT) and $(GT) (or &lt; and &gt; if you don't care about any
output formats other than HTML) for < and >.

Anyway, limiting the use of some tags probably wouldn't work because the document template is likely to have some macros involving script tags (or allowing constructing arbitrary HTML tags, such as dlang.org's $(TAG) macro). Fixing it from this angle would be much more complicated.

--
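The two points in comment #3 (escape angle brackets with $(LT)/$(GT) instead of writing raw HTML, and a source-level tag blocklist cannot work because a macro like dlang.org's $(TAG) assembles the element only after expansion), as an added Python model. This is not code from the bug thread, dmd or dlang.org: the macro table and the expander are a constructed, simplified imitation of DDoc's $(NAME args) syntax with $0, $1..$9 and $+ substitution.

```python
import re

# Toy DDoc macro table (constructed for this example; not dmd's or dlang.org's real one).
# "TAG" stands in for dlang.org's macro that builds an arbitrary element from its arguments.
MACROS = {
    "LT": "&lt;",
    "GT": "&gt;",
    "B": "<b>$0</b>",
    "TAG": "<$1>$+</$1>",
}

def _split_args(args: str) -> list:
    """Split macro arguments on top-level commas; nested $(...) groups are kept intact."""
    parts, depth, cur = [], 0, []
    for ch in args:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def expand(text: str, macros: dict = MACROS) -> str:
    """Recursively expand $(NAME args). Unknown macros expand to nothing (simplifying assumption)."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("$(", i):
            depth, j = 1, i + 2          # scan to the matching close paren
            while j < len(text) and depth:
                depth += {"(": 1, ")": -1}.get(text[j], 0)
                j += 1
            name, _, args = text[i + 2:j - 1].partition(" ")
            parts = _split_args(args)
            body = macros.get(name, "").replace("$0", args).replace("$+", ",".join(parts[1:]))
            for n, p in enumerate(parts[:9], 1):
                body = body.replace(f"${n}", p)
            out.append(expand(body, macros))  # macro bodies and arguments expand too
            i = j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def source_has_script_tag(src: str) -> bool:
    """Naive blocklist applied to the .d source text, of the kind comment #3 argues is insufficient."""
    return re.search(r"<\s*script\b", src, re.I) is not None
```

Run `expand` on `$(TAG script, X)`: the source contains no literal tag, so `source_has_script_tag` passes it, yet the expanded HTML does contain one; raw `<b>` in a comment is passed through unchanged, while `$(LT)b$(GT)` yields the escaped `&lt;b&gt;`.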
May 10, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #4 from Cédric Picard <cpicard@openmailbox.org> ---
(In reply to Vladimir Panteleev from comment #3)
> As I understand, this only matters from a security standpoint when DDoc output is placed on the same domain as some dynamic content being targeted.

Not at all, while what you describe is the most common case there are many things that are possible through XSS that do not target the current domain. Also bugs in browsers are a common thing.

> > Limiting the use to some tags would help the usability issue but not the security one.
> 
> As I understand, there is no usability issue here because it's working as
> designed. Use $(LT) and $(GT) (or &lt; and &gt; if you don't care about any
> output formats other than HTML) for < and >.

Well, I first discovered the thing because I hit it. But sure, if it's as designed, no comment here.

> Anyway, limiting the use of some tags probably wouldn't work because the document template is likely to have some macros involving script tags (or allowing constructing arbitrary HTML tags, such as dlang.org's $(TAG) macro). Fixing it from this angle would be much more complicated.

Indeed, also there are much more subtle XSSs than <script>. Given how DDOC works I don't think it is fixable at all if not dropping all support for inlined html which I didn't realize was an issue at the time.

I suppose it's a won't fix, at least a bug report will be there for the next person to discover this.

--
May 10, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #5 from Vladimir Panteleev <thecybershadow@gmail.com> ---
(In reply to Cédric Picard from comment #4)
> Not at all, while what you describe is the most common case there are many things that are possible through XSS that do not target the current domain.

Could you provide some examples which would be applicable to us?

> Given how DDOC
> works I don't think it is fixable at all if not dropping all support for
> inlined html which I didn't realize was an issue at the time.
> 
> I suppose it's a won't fix, at least a bug report will be there for the next person to discover this.

Yep, I think documenting this is the immediate fix.

--
May 10, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

Vladimir Panteleev <thecybershadow@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pull

--- Comment #6 from Vladimir Panteleev <thecybershadow@gmail.com> ---
https://github.com/dlang/dlang.org/pull/1649

--
May 10, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #7 from Cédric Picard <cpicard@openmailbox.org> ---
(In reply to Vladimir Panteleev from comment #5)
> (In reply to Cédric Picard from comment #4)
> > Not at all, while what you describe is the most common case there are many things that are possible through XSS that do not target the current domain.
> 
> Could you provide some examples which would be applicable to us?

Well, I'm not sure this is the right place to talk about that, but it's an XSS, it can do anything JS in a webpage can, so making external calls to APIs, executing an IRC bot, delivering malware...

With some timing tricks it is also possible to scan the user's network for available ports on local and nearby computers.

With a browser bug such as https://www.brokenbrowser.com/sop-bypass-uxss-stealing-credentials-pretty-fast/ (taking one from today, those are pretty common) it's possible to bypass any security tying the code to the local domain. From there you can get data from other pages, read and send local files etc.

Anything a normal malicious webpage can do, this is in no way specific to D.

--
May 13, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #8 from github-bugzilla@puremagic.com ---
Commits pushed to master at https://github.com/dlang/dlang.org

https://github.com/dlang/dlang.org/commit/4d69c1abd487319f274b11a44b833e165c57946d Fix Issue 17391 - SECURITY: XSS through DDOC comments

Add a documentation note about the security considerations of embeddable HTML in DDoc.

https://github.com/dlang/dlang.org/commit/c1d57d6182e8f012122d44479f2168545af9470a Merge pull request #1649 from CyberShadow/pull-20170510-220714

Fix Issue 17391 - SECURITY: XSS through DDOC comments merged-on-behalf-of: Sebastian Wilzbach <sebi.wilzbach@gmail.com>

--
May 13, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

github-bugzilla@puremagic.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--
June 17, 2017
https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #9 from github-bugzilla@puremagic.com ---
Commits pushed to stable at https://github.com/dlang/dlang.org

https://github.com/dlang/dlang.org/commit/4d69c1abd487319f274b11a44b833e165c57946d Fix Issue 17391 - SECURITY: XSS through DDOC comments

https://github.com/dlang/dlang.org/commit/c1d57d6182e8f012122d44479f2168545af9470a Merge pull request #1649 from CyberShadow/pull-20170510-220714

--