
vulnerability report #1126

Closed
1 task
Sharifi-Amin opened this issue Apr 19, 2020 · 17 comments · Fixed by #1489 or #1510 · May be fixed by #1227
Labels
pinned This is to pinned the PR/Issue in order to keep it open

Comments

@Sharifi-Amin

Sharifi-Amin commented Apr 19, 2020

Bug Report

I have found a security vulnerability in docsify.js. How would you like me to report it?

Steps to reproduce

What is current behaviour

What is the expected behaviour

Other relevant information

  • Bug does still occur when all/other plugins are disabled?

  • Your OS:

  • Node.js version:

  • npm/yarn version:

  • Browser version:

  • Docsify version:

  • Docsify plugins:

Please create a reproducible sandbox

Mention the docsify version in which this bug was not present (if any)

@anikethsaha (Member)

Here only. Fill in the template and you can submit the report here.

@Sharifi-Amin (Author)

I would advise against disclosing security vulnerabilities in a public manner before there is a fix. Please confirm that you want me to disclose details of the vulnerability here. I'll be happy to provide a detailed report and try to help push a fix as soon as possible.

@anikethsaha (Member)

> I would advise against disclosing security vulnerabilities in a public manner before there is a fix.

Thanks for the alert. No, don't report here.
Actually we didn't set up any security policy as of now (I know it's bad, I will set this up as soon as possible after discussing with the team).

  • I would suggest reporting it to the Snyk Security Team first. They will help triage the security issue and work with all involved parties to remediate and release a fix.
  • If you want to contact me, you can contact me through my email,
    and if you want to share a sensitive report (I would still suggest reaching the Snyk team first), mention it in the mail and we can discuss there how to do so!

@trusktr (Member) commented Apr 20, 2020

How severe is this issue? Is it in an NPM module that affects local development?

It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).

@anikethsaha Maybe we can make a security issue template, and it can specify contact instructions there.

@anikethsaha (Member)

we need to set up a policy here

@trusktr (Member) commented Apr 20, 2020

Ah cool, I didn't know about that.

@anikethsaha (Member)

> It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).

True, but we do support GA and CodeFund plugins, and markdown may contain embedded files, so it may be harmful in those cases. Not sure though 😅.

I would still suggest reporting to Snyk first in any case, even if it is in our dependencies.

@Sharifi-Amin (Author)

I'll get in touch with the Snyk team ASAP. I'll contact you through email for a detailed report.

@Sharifi-Amin (Author)

> we need to set up a policy here

Please let me know if I can contribute in any way.

@anikethsaha (Member)

> I'll get in touch with the Snyk team ASAP. I'll contact you through email for a detailed report.

Great. 👍

> Please let me know if I can contribute in any way.

Contributions of any kind are always welcome. You can share some ideas or submit a policy for a better approach. We can discuss it there.

@Sharifi-Amin (Author)

The Snyk team have verified the vulnerability. They will try to get in touch with you to discuss a fix. If you want to close this issue, you can always reach me at amin.sharifi691@gmail.com.

@anikethsaha (Member)

Thanks a lot for the reports and responses.
This issue was also a reminder that we need a policy for security reports.

> you can always reach me at amin.sharifi691@gmail.com.

Sure.

Thanks 👍

@anikethsaha (Member)

I think it's better to keep it open until a response from Snyk, just to mark it. 👍

@Sharifi-Amin (Author)

> Thanks a lot for the reports and responses.
> This issue was also a reminder that we need a policy for security reports.
>
> > you can always reach me at amin.sharifi691@gmail.com.
>
> Sure.
>
> Thanks 👍

My pleasure.

@stale stale bot removed the wontfix label Apr 20, 2020
@Sharifi-Amin (Author)

> I think it's better to keep it open until a response from Snyk, just to mark it. 👍

I agree.

@anikethsaha anikethsaha added the pinned This is to pinned the PR/Issue in order to keep it open label Apr 20, 2020
@Koooooo-7 (Member)

I can't imagine the vulnerability in Docsify either.
As a static website, all configurations can be reached in the browser, including the GA or similar stuff (all websites deploy it in the same way).

@anikethsaha (Member)

I got a mail from Snyk and I think we should fix it because it may be serious. There is a PoC as well. I will share the mail with the @docsifyjs/reviewers chat room soon so that we can discuss the fix.

jhildenbiddle added a commit that referenced this issue Feb 5, 2021
sy-records added a commit that referenced this issue Feb 5, 2021
* Prevent loading remote content via URL hash

Fixes #1477. Fixes #1126.

* Restore ability to execute remote content scripts

Co-authored-by: 沈唁 <52o@qq52o.cn>
Co-authored-by: Koy <koy@ko8e24.top>
jhildenbiddle added a commit that referenced this issue Feb 14, 2021
Koooooo-7 pushed a commit that referenced this issue Feb 18, 2021
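The only technical detail this thread gives about the fix is the commit title above, "Prevent loading remote content via URL hash": a hash-routed site builds the path of the markdown file it fetches from `location.hash`, so a crafted hash must not be allowed to steer that fetch to another origin. The block below is an added example written for this page, not docsify's own code or the code from the referenced commits. It assumes a docsify-like convention (`#/` maps to `README.md`, `#/guide` to `guide.md`, a `?id=` fragment is dropped) and uses the WHATWG URL parser for normalisation, so protocol-relative (`//host/x`), absolute (`https://host/x`), backslash (`\\host\x`) and `..` forms are all caught by the same two comparisons. The function and variable names are illustrative.

```javascript
// Added example, not docsify's own code: a same-origin guard for markdown
// paths derived from the URL hash. The route-to-file mapping is an assumed
// docsify-like convention; names are illustrative.

// Extract the route part of a hash: '#/guide?id=intro' -> '/guide', '#' -> '/'
function hashToRoute(hash) {
  let route = (hash || '').replace(/^#/, '');
  const q = route.indexOf('?');
  if (q !== -1) route = route.slice(0, q);
  return route === '' ? '/' : route;
}

// Map a route to a markdown file (assumed: '/' -> README.md, '/guide' -> guide.md).
function routeToFile(route) {
  return route.endsWith('/') ? route + 'README.md' : route + '.md';
}

// Resolve the hash route against the site base and refuse anything that does
// not stay on the site's own origin and under its base path. Routes with a
// leading '/' resolve against the origin root, as the URL parser does, so
// siteBase should be the URL the docs are served from.
function checkContentUrl(siteBase, hash) {
  const base = new URL(siteBase);
  const target = new URL(routeToFile(hashToRoute(hash)), base);

  // Catches '//evil.example/x', 'https://evil.example/x' and '\\evil.example\x'
  if (target.origin !== base.origin) {
    return { ok: false, reason: 'remote origin: ' + target.origin };
  }

  // Catches '../secret' climbing out of the directory the docs live in
  const basePath = base.pathname.endsWith('/') ? base.pathname : base.pathname + '/';
  if (!target.pathname.startsWith(basePath)) {
    return { ok: false, reason: 'outside site base path: ' + target.pathname };
  }

  return { ok: true, url: target.href };
}

// Constructed sample hashes, the kind a crafted link to a docs site might carry.
const sampleHashes = [
  '#/guide?id=intro',
  '#//evil.example/page',
  '#https://evil.example/page',
  '#\\\\evil.example\\page',
];

for (const h of sampleHashes) {
  const result = checkContentUrl('https://docs.example.com/', h);
  console.log(h, '->', result.ok ? 'load ' + result.url : 'REFUSED (' + result.reason + ')');
}
```

The point of resolving through `new URL(file, base)` before comparing is that the parser, not a hand-written regex, decides what host a string names; a check that only rejects strings starting with `http` would pass the protocol-relative and backslash forms. Whether remote markdown should ever be loadable is a separate policy question (the follow-up commit above restores executing remote content scripts); this guard only makes the decision explicit instead of leaving it to whatever the hash happens to contain.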