Javascript injection via notification messages #7283
Comments
akosyakov
added
help wanted
|
cc @AlexTugarev |
Extensions already have access to all operating systems APIs. There is no need to inject JS in the notification center 😆 I think we should fix it anyway.
In order to be completely safe, we need to enable web security in electron and run remote content like mini browser as webviews, otherwise any loaded JS code can user Node.js API to access everything directly. |
|
While we're changing the way we render notifications, can we make sure that line breaks in the notification text are displayed as such? I already found myself "using" this exploit in the past by replacing |
|
Will align with vscode for that matter. @spoenemann, that's not supported, cf. https://github.com/Microsoft/vscode/blob/5651fa0a8a482ba8427797ba2c053b1943ff15fb/src/vs/workbench/common/notifications.ts#L493 |
|
I've assigned CVE-2021-28162 with this description:
Let me know if updates are required. |
Description
In the notification messages there is no an HTML escaping, so Javascript code can run. I'm not sure, but I think the issue is in packages/messages/src/browser/notification-component.tsx:76
<span dangerouslySetInnerHTML={{ __html: message }} onClick={this.onMessageClick} />In Electron app an arbitrary JS code can lead to dangerous exploits.
Reproduction Steps
launch.jsontypefield write the Javascript payload (e.g.<details open ontoggle=confirm(2)>)OS and Theia version:
I think this bug is a vulnerability, I can exfiltrate data from victim's computer by using JS. Here a proof-of-concept video.
Theia_PoC.zip
The text was updated successfully, but these errors were encountered: