HTML in Diffusion not escaped in certain circumstances
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Danny_B
	Jul 2 2016, 7:28 AM

Description

HTML in Diffusion source code listing is not escaped

https://phabricator.wikimedia.org/diffusion/MW/browse/master/tests/parser/parserTests.txt

have the syntax hilight turned on
the file is bigger than 256kB, thus syntax hilight is claimed in header to be turned off automatically, however, plaintext file as with regular (manual) syntax highlight off doesn't display, but the content is being parsed (WARNING: bunch of javascript alerts there, worth to kill page loading soon)

The latter condition may not be mandatory, I didn't find any suitable file to test.

Revisions and Commits

rP Phabricator
	Audited	rP58375fa9e6db (stable) Fix a flipped higlight vs no-highlight condition
	Audited	rPd7b4c50941fa Fix a flipped higlight vs no-highlight condition
	Audited	rPfd33fbbfae8d (stable) Fix an XSS issue where Diffusion files exceeding the highlighting…
	Audited	rP498cb5c09637 Fix an XSS issue where Diffusion files exceeding the highlighting byte limit…

Related Objects

Mentioned In: 2016 Week 27 (Very Early July)
Mentioned Here: T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
D8551: Whitelist allowed editor protocols
T5055: Distribution mechanism for arc extensions
T7413: Build an opt-in "report stats to upstream" workflow to collect version/usage data
rP91a01e57039e: Improve Diffusion browse performance for large files

Event Timeline

Danny_B created this task.Jul 2 2016, 7:28 AM

Herald added subscribers: jdloft, revi, qgil. · View Herald TranscriptJul 2 2016, 7:28 AM

epriestley closed this task as Resolved by committing rP498cb5c09637: Fix an XSS issue where Diffusion files exceeding the highlighting byte limit….Jul 2 2016, 12:18 PM

epriestley added a commit: rP498cb5c09637: Fix an XSS issue where Diffusion files exceeding the highlighting byte limit….

epriestley added a commit: rPfd33fbbfae8d: (stable) Fix an XSS issue where Diffusion files exceeding the highlighting….

epriestley added a commit: rPd7b4c50941fa: Fix a flipped higlight vs no-highlight condition.Jul 2 2016, 12:23 PM

epriestley added a commit: rP58375fa9e6db: (stable) Fix a flipped higlight vs no-highlight condition.

epriestley claimed this task.Jul 2 2016, 12:27 PM

epriestley triaged this task as Unbreak Now! priority.

epriestley added a project: Security.

Herald added subscribers: cburroughs, andypuettmann, eadler. · View Herald TranscriptJul 2 2016, 12:27 PM

In the future, please report security issues via HackerOne:

https://hackerone.com/phabricator

If you'd like to file a duplicate report there, I'd be happy to award you a security bounty. This is one of the more severe security problems ever found in Phabricator.

This should be fixed in HEAD of master, and I've cherry-picked the patch to stable.

This attack is stored XSS, although it requires write access to a repository to execute. There is no way to mitigate it in configuration.

This issue was introduced in rP91a01e57 (January 6). All installs running a newer version of Phabricator are advised to upgrade.

If you can not upgrade immediately, I believe this local patch should apply cleanly to any affected version:

diff --git a/src/applications/diffusion/controller/DiffusionBrowseController.php b/src/applications/diffusion/controller/DiffusionBrowseController.php
index 30c2b82..3ae076a 100644
--- a/src/applications/diffusion/controller/DiffusionBrowseController.php
+++ b/src/applications/diffusion/controller/DiffusionBrowseController.php
@@ -682,17 +682,21 @@ final class DiffusionBrowseController extends DiffusionController {
         $blame_commits,
         $show_blame);
     } else {
-      if ($can_highlight) {
-        require_celerity_resource('syntax-highlighting-css');
+      require_celerity_resource('syntax-highlighting-css');
 
+      if ($can_highlight) {
         $highlighted = PhabricatorSyntaxHighlighter::highlightWithFilename(
           $path,
           $file_corpus);
-        $lines = phutil_split_lines($highlighted);
       } else {
-        $lines = phutil_split_lines($file_corpus);
+        // Highlight as plain text to escape the content properly.
+        $highlighted = PhabricatorSyntaxHighlighter::highlightWithLanguage(
+          'txt',
+          $file_corpus);
       }
 
+      $lines = phutil_split_lines($highlighted);
+
       $rows = $this->buildDisplayRows(
         $lines,
         $blame_list,

epriestley mentioned this in 2016 Week 27 (Very Early July).Jul 2 2016, 12:30 PM

The Phacility cluster has been patched.

Issues like this are rare, but they emphasize our lack of a good security notification channel. I think T7413 (have Phabricator periodically ask the upstream if there are outstanding, unpatched security issues affecting the install) is the most promising way forward there, although it probably makes sense to do that as part of T5055 (i.e., generically for all installed packages).

Danny_B added subscribers: 20after4, Krenair.Jul 2 2016, 1:25 PM

Also worth noting is that Content Security Policy (T4340) would have prevented this. CSP is obviously worth implementing, but I believe the last attack it would have prevented was D4534 in January 2013, so it's hard to prioritize if it only defuses one attack every 3-4 years.

We also had one self-XSS using "Editor" configuration in March 2014 (D8551) but I think CSP would not have prevented it because the URI mishandling was in Javascript, if I remember correctly.

For reference, @Danny_B filed a copy of this on HackerOne here so I could award a bounty for it:

https://hackerone.com/reports/148865

greggrossmeier added a subscriber: greggrossmeier.Jul 2 2016, 6:30 PM

fanis awarded a token.Jul 4 2016, 1:29 PM

HTML in Diffusion not escaped in certain circumstancesClosed, ResolvedPublicActions

Description

Revisions and Commits

Related Objects

Event Timeline

HTML in Diffusion not escaped in certain circumstances
Closed, ResolvedPublic
Actions