Reporting a vulnerability?

sxcurity

06 Feb, 2018 04:33 PM

Hey there, I've found a pretty high impact vulnerability in Marked, how can I report it?
Thanks much,
Corben

  1. Support Staff 1 Posted by Brett on 06 Feb, 2018 06:10 PM

    This would be the proper channel, you can set a conversation to private
    if needed.

    -Brett

  2. 2 Posted by sxcurity on 06 Feb, 2018 06:15 PM

    Hi Brett,
    I set the conversation to private and I have attached the report.
    Regards,
    Corben Leo

  3. Support Staff 3 Posted by Brett on 06 Feb, 2018 06:47 PM

    So do you have any suggestions on how to prevent this vulnerability?
    Marked requires network requests to work with hosted resources, so
    blocking outgoing requests isn't an option. I used to strip script tags
    from documents automatically, but that stops people from loading their
    own libraries like Mermaid and other tools. I'd be open to suggestions.

    -Brett

  4. 4 Posted by sxcurity on 06 Feb, 2018 07:17 PM

    Hi Brett,
    I would probably suggest implementing a Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-S...) of some sort. Blocking outgoing requests isn't a good idea as it would indeed mess with the usability of the application.

  5. 5 Posted by sxcurity on 06 Feb, 2018 07:50 PM

    You could always accept the risk as well and remove the preview part of the URL handler, which would make this much harder to exploit.

  6. Support Staff 6 Posted by Brett on 06 Feb, 2018 08:31 PM

    I don't think CSP is feasible in this case. But just removing/limiting
    the preview function might be fair, I'm not sure many use that anyway.

    What if when using the /preview handler, Marked stripped all scripts
    from the input? I'd list it as a security feature, and I don't think
    that in the use case for that query handler the functionality would be
    missed.

    -Brett

  7. 7 Posted by sxcurity on 06 Feb, 2018 08:39 PM

    Yeah, a CSP would indeed be a bit hard to implement. I think limiting the preview function would be a feasible way to remediate this. Stripping event handlers and <script> tags would make this quite hard to exploit. There's not really a need for JavaScript to be executed from that URL preview function.

    -Corben

  8. Support Staff 8 Posted by Brett on 06 Feb, 2018 08:43 PM

    Sounds good. I'll prep the change for the next update, thanks for pointing this out.

    Thanks,
    Brett

  9. 9 Posted by sxcurity on 06 Feb, 2018 10:36 PM

    Hey Brett,
    Is it alright if I publish this? I will make note that the next update will patch this issue.

    Thanks,
    Corben Leo

  10. Support Staff 10 Posted by Brett on 06 Feb, 2018 11:35 PM

    I'll leave that up to you. I'll try to get the update out as soon as possible.

    Thanks,
    Brett

  11. 11 Posted by sxcurity on 07 Feb, 2018 02:47 AM

    Awesome, thanks Brett.
    -Corben

  12. 12 Posted by sxcurity on 07 Feb, 2018 04:32 AM

    This has been assigned a CVE: CVE-2018-6806

  13. 13 Posted by sxcurity on 07 Feb, 2018 04:50 PM

    By the way, I truly do appreciate your quick responses: keep up the good work.

  14. Support Staff 14 Posted by Brett on 11 May, 2018 06:50 PM

    I'm not sure how to go about updating the CVE, but as of 2.5.11 this issue is mitigated as discussed. Marked strips all <script> tags, and also parses out any on[Click/Load/mouse(enter|leave),etc.] attributes on tags.
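
The mitigation agreed on in this thread (strip <script> elements and any on* attribute from the /preview input) as an added Python example; this is not Marked's own code, which is not on this page, and the sample HTML is constructed. It uses the standard-library HTML parser rather than regex so that script bodies and attribute values are handled as the browser would tokenize them, and it reports what it removed so the event can be logged.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample carrying the two vectors the thread discusses.
SAMPLE = ('<h1 onmouseenter="alert(1)">Title</h1><script>alert(document.domain)'
          '</script><p>Safe <b>text</b> &amp; <a href="/doc">a link</a></p>')
class ActiveContentStripper(HTMLParser):
    """Re-emits the input minus <script> elements (body included) and any on*
    attribute; comments/doctype are dropped (HTMLParser default), and an
    unterminated <script> swallows the rest of the input, which fails safe."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities as written
        self.out, self.removed, self.in_script = [], [], False
    def _emit_tag(self, tag, attrs, self_closing):
        if tag == "script":               # parser lowercases tag/attr names
            self.removed.append("<script>")
            self.in_script = not self_closing
            return
        if self.in_script:
            return
        kept = []
        for name, value in attrs:         # values arrive unescaped; re-escape
            if name.startswith("on"):
                self.removed.append(name)
            else:
                kept.append(f" {name}" if value is None
                            else f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")
    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):          # script bodies arrive here as CDATA
        if not self.in_script:
            self.out.append(data)
    handle_entityref = lambda self, name: self.handle_data(f"&{name};")
    handle_charref = lambda self, name: self.handle_data(f"&#{name};")

def strip_active_content(html):
    """Returns (sanitised_html, removed_items); the list is useful for logging."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed
```

Running strip_active_content(SAMPLE) yields the heading and paragraph with the handler attribute and the script element gone, plus ['onmouseenter', '<script>'] for the log.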
