excid3/beginnerbounties.com

XSS in bounty.url

Closed this issue · 8 comments

The bounty URL can be set to an arbitrary string, and then it is passed to link_to here: https://github.com/excid3/beginnerbounties.com/blob/main/app/views/bounties/_bounty.html.erb#L18
Since link_to accepts any URL schema, a malicious actor can set this to javascript: console.log('xss') and execute an XSS attack, which can have serious consequences

Ah yes, I always forget that. Easiest way to handle that is something like this right?

<%= sanitize link_to("View Project", @bounty.url) %>

I created a test bounty for this, but I can't delete it 🤦‍♂️ Can someone delete that please?

I don't think that sanitize would work. The best way to handle it is to add a validation rule to only permit http or https at the beginning of the string.

Also brakeman or spektr can catch these issues to make sure you don't forget them. spektr didn't catch it though, I will try to figure out why.

Pretty sure that's what I've done in the past, because it will sanitize the anchor tag. It's probably simpler to validate the URL format though like you mentioned, otherwise it would print out the escaped JS string which we don't want.

You are right, I just checked the docs: https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
TIL :)
Validation is also better because you do it at one place, and the issue is fixed everywhere, you don't need to worry about forgetting to handle it anywhere when you render a link.
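The scheme validation proposed in the two comments above (allow only http or https at the start of the string, enforced once at save time rather than at every link_to call), as an added example that is not part of the issue thread or the beginnerbounties.com code. It is plain Ruby so it runs without Rails: the `safe_bounty_url?` helper and the minimal `Bounty` class are hypothetical stand-ins for an ActiveModel validation, and the sample URLs are constructed for the example.

```ruby
require "uri"

# Schemes a bounty link may use. Anything else (javascript:, data:, vbscript:,
# a scheme-less or protocol-relative string) is rejected before it can reach link_to.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns true only for an absolute http(s) URL with a host.
# Hypothetical helper; in a Rails model the equivalent check could be expressed as
#   validates :url, format: { with: %r{\Ahttps?://\S+\z}i, message: "must be an http or https link" }
def safe_bounty_url?(value)
  return false unless value.is_a?(String)

  uri = URI.parse(value.strip)                    # leading whitespace must not hide the scheme
  return false unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)  # "JAVASCRIPT:" is still javascript

  !uri.host.to_s.empty?                           # "http://" alone is not a usable link
rescue URI::InvalidURIError
  false                                           # unparseable input (e.g. "javascript: console.log('xss')") is rejected
end

# Minimal stand-in for an ActiveModel object so the example runs without Rails.
class Bounty
  attr_reader :url, :errors

  def initialize(url)
    @url = url
    @errors = []
  end

  # Mirrors a model validation: the check lives here, so every view that renders
  # link_to(..., bounty.url) is covered without remembering to sanitize each one.
  def valid?
    @errors = []
    @errors << "url must be an http or https link" unless safe_bounty_url?(url)
    @errors.empty?
  end
end

# Constructed sample inputs => expected verdict.
SAMPLES = {
  "https://github.com/excid3/beginnerbounties.com" => true,
  "  http://example.com/path?x=1  " => true,
  "javascript: console.log('xss')" => false,   # the payload from the report
  "JAVASCRIPT:alert(1)" => false,              # case-insensitive scheme check
  "data:text/html,<h1>hi</h1>" => false,       # non-http scheme
  "//evil.example/redirect" => false,          # protocol-relative, no scheme
  "example.com" => false,                      # relative path, no scheme
  "http://" => false,                          # scheme but no host
  "" => false,
  nil => false
}.freeze

# Runs every sample through the validator; returns true when all verdicts match.
def all_samples_classified_correctly?
  SAMPLES.all? { |url, expected| safe_bounty_url?(url) == expected }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |url, _|
    puts "#{url.inspect.ljust(50)} valid=#{Bounty.new(url).valid?}"
  end
end
```

The important design choice is the allow-list: checking `scheme` against `%w[http https]` rejects every other scheme by default, whereas a deny-list of `javascript:` would miss `data:` and similar. Rejecting at validation time also means the stored value is already safe, so no view needs a separate escape step.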

@gregmolnar you can delete your post now btw. We added the delete button back.

Deleted. Thanks!