Fix XSS vuln #1897
Conversation
To be clear, is this the vulnerability assumed to be actively exploited in the wild? i.e., on lemmy dot world?
Yes.

It has been used both on Lemmy.world and lemmy.blahaj.zone

I can confirm that this fixes the vulnerability. @rystaf That is an unrelated problem and has nothing to do with the hack.

Is there a plan to audit the codebase to ensure that there's no other places that build HTML using string concatenation, and to rewrite this call site so it doesn't do that? Would you like help with that?

I very much doubt an audit is going to be affordable, but there are some free SAST/SCA scanners that may be beneficial to use in this project. The number of tests per month may not cover every commit Lemmy goes through, but Snyk would be a very good option as a baseline, and it's much better than nothing: I haven't scanned Lemmy with Snyk, but I have worked with it before, and I'm pretty confident it would have caught this. It can be set up to scan on PRs and block builds if a new vulnerability is about to be introduced, so this could be a good way to manage security over time without it being completely overwhelming.

Maybe not an official audit, but at least have some volunteers familiar with web security look through the code (both backend and frontend) and see if they can find any common issues.
Building HTML strings can be error prone.

```ts
function emoji(src: string, title: string, alt_text: string) {
  const node = document.createElement('img');
  node.classList.add('icon', 'icon-emoji');
  node.src = src;
  node.title = title;
  node.alt = alt_text;
  return node;
}

// example usage
const src: string = '<><><><><><>?,./,/\\\t|>>>\\,<\'';
const title: string = '<script>alert("xss?")</script>';
const alt_text: string = '%*(!&(%@#&!%!!%!))';
const x = emoji(src, title, alt_text);

// directly use the document element node
document.body.appendChild(x);

// convert to an HTML string via the browser
console.log(x.outerHTML);
```
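To make the point of the comment above concrete, here is an added example (not code from the Lemmy project or from the commenter) contrasting the string-concatenation shape with an escaped version that is safe to use where DOM APIs are unavailable, such as server-side rendering. It runs under Node without a browser; the image URL and alt text are constructed sample values, while the hostile `title` is the one from the comment above.

```javascript
// Added example: string-built HTML versus escaped output.
// Nothing here is from lemmy-ui; the inputs are constructed.

// The "before" shape: HTML assembled by concatenation. Any of the three
// inputs can close its attribute early and inject markup of its own.
function emojiHtmlUnsafe(src, title, altText) {
  return '<img class="icon icon-emoji" src="' + src +
    '" title="' + title + '" alt="' + altText + '">';
}

// Escape the five characters that matter in HTML text and in
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "after" shape when a string is unavoidable: every untrusted value
// is escaped before it is concatenated into markup. The DOM-node approach
// in the comment above sidesteps this entirely, because the browser treats
// assigned attribute values as data rather than re-parsing them.
function emojiHtmlEscaped(src, title, altText) {
  return '<img class="icon icon-emoji" src="' + escapeHtml(src) +
    '" title="' + escapeHtml(title) + '" alt="' + escapeHtml(altText) + '">';
}

// Crude structural checks: a single <img> should yield exactly one '<'
// and exactly eight '"' (four attributes, two quotes each). Anything
// beyond that means an input has broken out of its attribute.
function countTagOpens(html) {
  return (html.match(/</g) || []).length;
}
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed sample inputs; the title is the one from the comment above.
const SAMPLE = {
  src: 'https://example.invalid/emoji/smile.png',  // constructed
  title: '<script>alert("xss?")</script>',
  altText: 'smile',                                // constructed
};

// Returns both renderings and their structural counts so a caller (or a
// test) can compare them without a browser.
function demo() {
  const unsafe = emojiHtmlUnsafe(SAMPLE.src, SAMPLE.title, SAMPLE.altText);
  const escaped = emojiHtmlEscaped(SAMPLE.src, SAMPLE.title, SAMPLE.altText);
  return {
    unsafe,
    escaped,
    unsafeTagOpens: countTagOpens(unsafe),     // 3: <img, <script>, </script>
    unsafeQuotes: countQuotes(unsafe),         // 10: two stray quotes from the title
    escapedTagOpens: countTagOpens(escaped),   // 1
    escapedQuotes: countQuotes(escaped),       // 8
  };
}

console.log(demo());
```

The counts are the useful part: a reviewer auditing other call sites for string-built HTML can apply the same idea (count the markup you expect versus the markup you got, for a hostile input) as a quick regression test on each one, without needing a browser in the loop.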
@Daniel15 All the code is open source, everyone is welcome to look through it for potential problems and report/fix them. But like ubergeek said we don't have any money to pay for a professional audit. Maybe there are some organizations which would do audits of open source projects for free, might be worth searching for.

I'll try to take a look if I get some free time :)