
push on the history object returned by createBrowserHistory can allow arbitrary JS execution #850

Open
zeusdeux opened this issue Dec 15, 2020 · 5 comments

Comments

@zeusdeux

Hey folks!

If the input given to push is not sanitized, arbitrary JS can be executed in the user's context.
We came across this issue originally in @reach/router but the same seems to exist in this package.

The iOS 100 pushState calls limit fix is what causes this.
The browser correctly throws when the url given to pushState or replaceState contains javascript: which is caught by this catch clause causing window.location.assign to be used to update the url. This call isn't safe with unsanitized input and causes execution of JS.

But why not sanitize your input you might ask? Sure. We missed a spot and have fixed it on our end.
Nevertheless, the push behaviour here circumvents the browser's security system and hence this report.

Codesandbox with the reproduction
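The defensive counterpart to the behaviour described above, as an added example that is not code from the history package or from the reporter: a wrapper that validates a navigation target before it ever reaches `push`, so the `javascript:` (or `data:`) case is rejected up front instead of being caught by the pushState limit workaround and handed to `window.location.assign`. The wrapper parses the target relative to the app origin and only accepts `http:`/`https:` URLs on that same origin; `safePush`, `isSafeSameOriginPath`, the string-only `to` argument and the recording history stub are assumptions for the example, and the origin is passed explicitly so it runs outside a browser.

```javascript
// Added example: validate navigation targets before calling history.push.
// Not part of the history package; names and the stub history are constructed.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// Accept only targets that resolve to an http(s) URL on the application's
// own origin. A scheme like javascript: or data: never satisfies this, so it
// is refused here rather than after pushState throws and a fallback runs it.
function isSafeSameOriginPath(to, origin) {
  if (typeof to !== 'string') return false; // example handles string targets only
  let url;
  try {
    url = new URL(to, origin); // relative paths resolve against origin
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return SAFE_PROTOCOLS.has(url.protocol) && url.origin === origin;
}

// Wrapper around a history-like object: refuses unsafe targets, otherwise
// forwards to its push(). `origin` is explicit so this runs without `window`.
function safePush(history, to, origin) {
  if (!isSafeSameOriginPath(to, origin)) {
    throw new TypeError(`refusing to navigate to unsafe location: ${String(to)}`);
  }
  history.push(to);
}

// Constructed stand-in for createBrowserHistory(): records pushes only.
function makeRecordingHistory() {
  const entries = [];
  return { entries, push(to) { entries.push(to); } };
}

// Runs a handful of constructed inputs through the wrapper and reports which
// were accepted and which were refused.
function demo(origin = 'https://app.example') {
  const history = makeRecordingHistory();
  const inputs = ['/settings?tab=1', 'javascript:void(0)', 'data:text/html,x', '//other.example/'];
  const refused = [];
  for (const to of inputs) {
    try {
      safePush(history, to, origin);
    } catch (err) {
      refused.push(to);
    }
  }
  return { accepted: history.entries, refused };
}

module.exports = { isSafeSameOriginPath, safePush, makeRecordingHistory, demo };
```

Note that the same-origin comparison also rejects protocol-relative targets such as `//other.example/`, which pushState would refuse anyway; the point is that every refusal happens before the library's catch-and-assign fallback can be reached.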

@adrianzielonka

@chaance we're currently using react-router v6 within a production SPA and this is listed as a vulnerability by our code scanning tool Sonatype Nexus IQ due to it being a transient dependency of react-router. Is there any plan to remediate this issue?

@RundaScath

I recently started using AuditJS and scanning my React 18 libraries. I found this library is being flagged for Cross-Site Scripting (XSS) as mentioned by @zeusdeux in December of last year ...

pkg:npm/history@5.3.0 - 1 vulnerability found!

  Vulnerability Title:  [sonatype-2021-0015] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  ID:  sonatype-2021-0015
  Description:  history - Cross-Site Scripting (XSS)
  
  The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  CVSS Score:  6.1
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2021-0015?component-type=npm&component-name=history&utm_source=auditjs&utm_medium=integration&utm_content=4.0.37

Like @adrianzielonka asked back in April, is there any work being done to remediate this?

@mickelsonmichael

Couple years down the road on this, any update on this one? It is still being flagged by the Sonatype IQ Server as of v5.3.0

@zeusdeux
Author

zeusdeux commented Dec 7, 2023

I found a vulnerability 1y before any tools found it?

I am now Bot.

@praneybehl

praneybehl commented Feb 21, 2024

Did anyone manage to resolve the Sonatype IQ Server flag? @mickelsonmichael @RundaScath @adrianzielonka @zeusdeux
