
XSS in Debug Console [Theia v1.8.0] #8794

Closed
luigigubello opened this issue Nov 28, 2020 · 6 comments · Fixed by #9339
Labels: console (issues related to the console), security (issues related to security)

@luigigubello

Bug Description:

In the debug console there is no HTML escaping, so arbitrary JavaScript code can be injected. I think the issue is dangerouslySetInnerHTML in ansi-console-item.tsx (L41)

[Screenshot attachment: "Schermata da 2020-11-29 00-10-44"]

I think this issue is similar to #7283

Steps to Reproduce:

See also the attached PoC video.

[Video attachment: "Theia_XSS_Debug"]

Additional Information

  • Theia Version: Theia 1.8.0

Questions

  • Theia is an important open source project, but it hasn't set a GitHub security policy. Should it have one?
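An added example of the pattern behind this report, written for illustration and not taken from Theia or from the fix in #9339 (whose contents are not shown on this page): a console renderer that turns ANSI SGR colour codes into `<span>` elements and hands the resulting string to `dangerouslySetInnerHTML`. The regex, class names and function names are assumptions. The unsafe variant passes the debuggee's output straight into the HTML string, so any tag in that output becomes live DOM; the hardened variant escapes the text first and only ever adds markup it generated itself.

```typescript
// Added example, not Theia's code. Assumed: output is plain text plus ANSI
// SGR sequences of the form ESC [ <codes> m, and the result is rendered with
// dangerouslySetInnerHTML in a React component.

// Assumed mapping from a few SGR codes to CSS classes (hypothetical names).
const SGR_CLASSES: Record<string, string> = {
  '1': 'ansi-bold',
  '30': 'ansi-black', '31': 'ansi-red', '32': 'ansi-green', '33': 'ansi-yellow',
  '34': 'ansi-blue', '35': 'ansi-magenta', '36': 'ansi-cyan', '37': 'ansi-white',
};

// Neutralise every character that can start or terminate markup or an
// attribute. ESC and '[' are left alone, so SGR sequences survive escaping.
function escapeHtml(text: string): string {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Convert SGR sequences to spans. Unknown codes are dropped; code 0 (or an
// empty parameter list) resets, closing every span opened so far. Any span
// still open at the end is closed so the fragment is well-formed.
function sgrToSpans(text: string): string {
  const sgr = /\x1b\[([0-9;]*)m/g; // local regex: no shared lastIndex state
  let html = '';
  let open = 0;
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = sgr.exec(text)) !== null) {
    html += text.slice(last, m.index);
    last = m.index + m[0].length;
    const codes = m[1] === '' ? ['0'] : m[1].split(';');
    for (const code of codes) {
      if (code === '0') {
        html += '</span>'.repeat(open);
        open = 0;
      } else if (Object.prototype.hasOwnProperty.call(SGR_CLASSES, code)) {
        html += `<span class="${SGR_CLASSES[code]}">`;
        open += 1;
      }
    }
  }
  html += text.slice(last);
  return html + '</span>'.repeat(open);
}

// Vulnerable shape: raw program output flows into the HTML string unescaped.
// Whatever the debuggee prints is interpreted as markup by the browser.
function unsafeRender(raw: string): string {
  return sgrToSpans(raw);
}

// Hardened shape: escape first, then add only generated spans. The only
// '<' characters in the output are the ones this function wrote itself.
function safeRender(raw: string): string {
  return sgrToSpans(escapeHtml(raw));
}

// Constructed sample output: a coloured prefix followed by text that happens
// to contain HTML, as a debuggee might legitimately print.
const SAMPLE_LINE = '\x1b[31merror:\x1b[0m value was <b>not set</b>';

function demo(): { unsafe: string; safe: string } {
  return { unsafe: unsafeRender(SAMPLE_LINE), safe: safeRender(SAMPLE_LINE) };
}
```

In the React component the string from `safeRender` would be the `__html` value given to `dangerouslySetInnerHTML`; the point is that escaping has to happen on the untrusted text before any generated markup is mixed in, since escaping afterwards would also destroy the spans. Escaping per text run, rather than once on the whole line, gives the same result here because `escapeHtml` never touches the ESC, `[`, digits, `;` or `m` that make up an SGR sequence.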
@vince-fugnitto vince-fugnitto added console issues related to the console security issues related to security labels Nov 30, 2020
@luigigubello luigigubello mentioned this issue Dec 16, 2020
@waynebeaton

I've assigned CVE-2021-28161 with this description:

> In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.
>
> CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Let me know if updates are required.

@bobbyz007

Any progress about this issue?

@marcdumais-work (Contributor)

There is a tentative fix, under review: #9339

@marcdumais-work (Contributor)

Any help validating the proposed fix is welcome.

@vince-fugnitto (Member)

@waynebeaton @marcdumais-work is there anything we need to do regarding the cve?

@waynebeaton

> @waynebeaton @marcdumais-work is there anything we need to do regarding the cve?

The CVE has been assigned and promoted. Nothing more to do there (unless an update is required).
