Fix an XSS issue with certain high-priority remarkup rules embedded inside…
54bcbdaba94a
Actions

Description

Fix an XSS issue with certain high-priority remarkup rules embedded inside lower-priority link rules

Summary:
See https://hackerone.com/reports/758002. The link rules don't test that their parameters are flat text before using them in unsafe contexts.

Since almost all rules are lower-priority than these link rules, this behavior isn't obvious. However, two rules have broadly higher priority (monospaced text, and one variation of link rules has higher priority than the other), and the latter can be used to perform an XSS attack with input in the general form ()[ [[ ... | ... ]] ] so that the inner link rule is evaluated first, then the outer link rule uses non-flat text in an unsafe way.

Test Plan:
Tested examples in HackerOne report. A simple example of broken (but not unsafe) behavior is:

[[ `x` | `y` ]]

Differential Revision: https://secure.phabricator.com/D20937

Details

Provenance

epriestley	Authored on Dec 13 2019, 1:31 PM
sirocyl	Pushed on Oct 16 2024, 5:49 AM

Parents

R1:4cd333b33fb1: Use same method to get object URI as used in DifferentialTransactionEditor and…

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (2)

Path

Size

src/

applications/

phriction/

markup/

PhrictionRemarkupRule.php

infrastructure/

markup/

markuprule/

PhutilRemarkupDocumentLinkRule.php

R1:54bcbdaba94a

View Options

src/applications/phriction/markup/PhrictionRemarkupRule.php