fix: web: b64 encode user controlled input (#1525)

This fixes a reported Stored XSS vulnerability in toBloodhoundJson by encoding the user-controlled values in this payload into base64 and parsing them with atob. In my exploration of the vulnerability with various payloads I and others crafted, it would appear that this is the only available XSS in hledger-web in relation to stored accounts and transaction details. If there is other parts of the UI which may contain user-controlled data, they should be examined for similar things. In this instance, protections provided by yesod and other libraries worked fine, but in a bit of code that hledger-web was generating, the user could insert a </Script> tag (which is valid HTML and equivalent to </script> but not caught by the T.Replace that existed in toBloodhoundJson) in order to switch out of a script context, allowing the parser to be reset, and for arbitrary JavaScript to run. The real fix is a bit more involved, but produces much better results: Content-Security-Policy headers should be introduced, and using sha256-<hash of script> or a different algorithm, they should be marked as trusted in the header. This way, if the (in-browser) parser and hledger-web generator disagree on the source code of the script, the script won't run. Note that this would still be susceptible to attacks that involve changing the script by escaping from the string inside it or something similar to that, which can be avoided additionally by using either the method used in this commit, or a proper JSON encoder. The second approach has the advantage of preventing further XSS, to the extent specified above, in practice, a combination of both should be used, b64 for embedded data and the CSP sha256-hash script-src over everything else, which will eliminate all injected or malformed script blocks (via CSP), in combination with eliminating any HTML closing tags which might occur in stored data (via b64). This vulnerability appears to have been first introduced when autocompletion was added in hledger-web, git tag hledger-0.24, commit hash: ec51d28839 Test payload: </Script><svg onload=alert(1)//> Closes #1525
2024-09-19 10:17:35 +03:00 · 2021-08-22 13:58:46 +02:00 · 2021-08-22 13:58:46 +02:00 · 9ce55146c8
commit 9ce55146c8
parent 0ce518f12d
5 changed files with 15 additions and 3 deletions
--- a/hledger-web/Hledger/Web/Widget/AddForm.hs
+++ b/hledger-web/Hledger/Web/Widget/AddForm.hs
@ -17,6 +17,7 @@ import Data.List (dropWhileEnd, intercalate, unfoldr)
 import Data.Maybe (isJust)
 import qualified Data.Set as S
 import Data.Text (Text)
+import Data.Text.Encoding.Base64 (encodeBase64)
 import qualified Data.Text as T
 import Data.Time (Day)
 import Text.Blaze.Internal (Markup, preEscapedString)
@ -95,13 +96,19 @@ addForm j today = identifyForm "add" $ \extra -> do
        intercalate "," $ map (
          ("{\"value\":" ++).
          (++"}").
-          show .
-          -- avoid https://github.com/simonmichael/hledger/issues/236
-          T.replace "</script>" "<\\/script>"
+          -- This will convert a value such as ``hledger!`` into
+          -- ``atob("aGxlZGdlciE=")``. When this gets evaluated on the client,
+          -- the resulting string is ``hledger!`` again. The same data is
+          -- passed, but the user-controlled bit of that string can only use
+          -- characters [a-zA-Z0-9+=/], making it impossible to break out of
+          -- string context.
+          b64wrap
          ) ts,
        "]"
        ]
      where
+b64wrap :: Text -> String
+b64wrap = ("atob(\""++) . (++"\")") . T.unpack . encodeBase64

 validateTransaction ::
     FormResult Day
--- a/hledger-web/hledger-web.cabal
+++ b/hledger-web/hledger-web.cabal
@ -156,6 +156,7 @@ library
      Decimal >=0.5.1
    , aeson >=1
    , base >=4.11 && <4.16
+    , base64
    , blaze-html
    , blaze-markup
    , bytestring
--- a/hledger-web/package.yaml
+++ b/hledger-web/package.yaml
@ -103,6 +103,7 @@ library:
  - hledger >=1.22.99 && <1.23
  - aeson >=1
  - base >=4.11 && <4.16
+  - base64
  - blaze-html
  - blaze-markup
  - bytestring
--- a/stack8.6.yaml
+++ b/stack8.6.yaml
@ -31,6 +31,8 @@ extra-deps:
 - githash-0.1.4.0
 # for hledger-ui:
 # for hledger-web:
+- ghc-byteorder-4.11.0.0.10
+- base64-0.4.2.3

 # Workaround for https://github.com/commercialhaskell/stack/issues/3922
 # Try dropping this.. after stack 2 has been out a while ? Or now ? How about now ?
--- a/stack8.8.yaml
+++ b/stack8.8.yaml
@ -20,6 +20,7 @@ extra-deps:
 # for hledger:
 # for hledger-ui:
 # for hledger-web:
+- ghc-byteorder-4.11.0.0.10
 # for Shake.hs:

 # for precise profiling, per https://www.tweag.io/posts/2020-01-30-haskell-profiling.html: