dkoes
commented
5 months ago My argument is that an attacker needs to have control of the DOM at the time of the initial page load in order to exploit the eval. In order for the code to be untrusted, the user would have to load untrusted html during the initial page load (could not come from user input). The one issue is the developer may think they have properly sanitized this HTML to remove script tags only for data-callback to provide a workaround for the sanitation. Of course, if they are aware of this issue they can easily sanitize away the data-callback.
Hello everyone :wave:
Description
3Dmol.js uses
eval()to execute arbitrary strings.https://github.com/3dmol/3Dmol.js/blob/b038d7b8cd64dcd68455f96e18ff8e14ec788f64/src/autoload.ts#L233-L238
This means that if the
data-callbackattribute is controlled by an attacker, they can execute any JS code they want on the victim computer (the victim loads the page that contains the nefarious attribute, and 3Dmol.js will happily execute it).This is a (major) security vulnerability in my book, but @dkoes disagrees, so I'll try and argument my point.
I'm skipping the arguments about eval's speed and worsen DX, because that's not the point.
The main problems are:
the mere presence of this
eval()call that will be blocked by most Content Security Policy, unless unsafe-eval is set but this is clearly not a possibility for any web application serious about security. This means that the application will not work properly in this context, and code should be modified to avoid the use ofeval()completely.It is entirely possible for an attacker to have control of the data attributes, you cannot know how apps can behave and as such should not dismiss this problem by assuming only the dev can modify data attributes of elements. A first bug/vuln could also allow an attacker to get this access, and then they use this problematic
eval()in 3dmol code to inject the payload to the visitor of the infected page.Further points:
Simply look at this MDN page for eval
Does it look like something that should exist in a codebase? I'd say no. If a big red banner on MDN website is not enough, feel free to read more about it:
https://javascript.plainenglish.io/javascript-eval-is-it-evil-a8cd935d0daa https://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript https://www.codiga.io/blog/javascript-eval-best-practices/ https://www.digitalocean.com/community/tutorials/js-eval https://medium.com/@eric_lum/the-dangerous-world-of-javascripts-eval-and-encoded-strings-96fd902af2bd
...
I mean there are thousands of articles out there explaining why it is bad.
Fortunately, its usage is pretty limited in 3dmol, so it shouldn't cause too much troubles to address this issue.
To Reproduce
Expected behavior
Arbitrary javascript code present in HTML must not be executed by a library present on the page.
Concluding remarks
I hope you will give sufficient interest towards this issue and consider the workarounds I suggested in my email or think about a way to still keep a similar feature but without this problematic
evalusage.Also, I couldn't find any documentation about this feature so I'm not sure it is being used outside of your own usage.
Finally, from the
testsfolder, it looks like the expected functions are all from 3dmol, so it is not designed for completely arbitrary code execution but rather from a list of existing 3dmol functions. So the "allowlist" approach would work IMHO.Instead of
data-callback="$3dmol.foo()"anddata-callback="$3dmol.bar()", one could use:data-fooanddata-barinstead.I understand using
evalis a quick and dirty working solution, but I hope you understand that it is a bad solution that must be removed from the codebase.Best regards, ~Nicolas