Kentico / xperience-by-kentico-tag-manager

Enables marketers to include prebuilt and custom tags in a website channel. Prebuilt tags: GTM, GA4, VWO, Intercom, MS Clarity.
MIT License

Kentico tag manager #1

Closed. xsustek closed this 8 months ago

xsustek commented 8 months ago

Motivation

Tag Manager implementation enabling marketers to author custom tags that can be embedded in a website channel. Example: GA4, cookie banners, custom CSS.

Checklist

How to test

DancingGoat - Custom channel settings - Code snippets - Create a code snippet.
DancingGoat - Privacy page - https://localhost:44351/privacy

ondrejhenek commented 8 months ago

Hi! I have a security review here. Security itself is okay, but the QA part of "trying to break it" showed some flaws. I marked the critical stuff with a dragon 🐲. Fix it please ASAP and then we are ready to release it.

Then we can take a look at the rest.

Security unrelated issues/bugs 🐞:

❌ You can change the “SnippetType” parameter in the save code snippet request to the opposite value of what you are saving, which will cause some inconsistencies and weird behaviors, e.g.:

  1. Create a code snippet with type “Custom code snippet”.
  2. Intercept the Save request for this code snippet and change the “SnippetType” parameter to GTM.
  3. See that the “Code snippet” field in the code snippets listing shows the original Custom code snippet value instead of the GTM ID, but when you open it, its type is indeed GTM. At this point the original custom code snippet is still included on the live site. The listing field “Code snippet” will now be stuck with the original Custom code snippet value, even when you try to change it in the UI.
  4. Now, when you enter and save the GTM ID, it will replace the custom code snippet on the live site with the GTM script, but once you set the Code snippet type back to Custom code snippet, it won't project any changes on the live site - it will always show only the GTM script tag no matter the code snippet type.

🐲❌ Sorting code snippets by any field (Channel, consent etc.) results in an error.

🐲❌ The “Code Snippet” field in the code snippets listing shows “Google Tag Manager ID:” even when the Code snippet type is set to “Custom code snippet”, if the “Code” field is empty.

🐲❌ User roles other than admin can't access “Custom channel settings” (code snippets) even with all available permissions for this application - it always returns error 500 and the following error:

(screenshot of the error)

Security review:

✅ Found no problems in the source code (no secrets or improper usage of innerHTML/RawHtml etc.)

✅ Code snippet locations work as expected

✅ Code snippet - can’t set more than 1 channel/consent at once; can't set it to a non-existing channel/consent

✅ GTM iframe src attribute can’t be escaped with a malicious id parameter - can’t cause XSS

✅ SnippetType request parameter does not accept invalid values

✅ Code snippets are not included on the page at all if the relevant consent was not given.

❓ Code snippet listing, field Code snippet, reflects the value of the script in the “title” attribute. The attribute can't be escaped to cause XSS. In any case it might be better to add a new field “code snippet name” which could be used for the title attribute instead of the code itself, as copying whole scripts into an HTML attribute does not seem like a best practice.

❌ There is no validation of the channel type for the “Save code snippet” request. You can change the channel ID to the ID of some other channel type like an email channel and it will work. As a result of this, the code snippet won't be included in the live site, and it won't be listed in the list of code snippets in the administration - it will only be in the DB, with no way to display it in the UI.
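The review above boils down to three server-side checks on the "save code snippet" request and one on rendering: the SnippetType must be a known value and only the field belonging to that type may be persisted, the channel must exist and be a website channel (the check the ❌ item says is missing), the GTM container ID must be validated so it can never break out of the iframe src, and nothing is emitted until the relevant consent is given. The block below is an added example that models those checks in Python; it is not the project's C# code, and the names (SnippetType, Channel, save_snippet, render_snippet, listing_title), the in-memory CHANNELS/CONSENTS tables, the request field names and the GTM ID pattern are all assumptions made for illustration.

```python
"""Added example (not the project's code): minimal model of the server-side
validation a "save code snippet" request needs, plus consent-gated rendering.
All names, field names and the sample tables below are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from html import escape
from typing import Optional
import re


class SnippetType(Enum):
    GTM = "GTM"
    CUSTOM = "CustomCode"


class ChannelType(Enum):
    WEBSITE = "Website"
    EMAIL = "Email"


@dataclass(frozen=True)
class Channel:
    id: int
    type: ChannelType


# Constructed sample data: one website channel, one email channel, one consent.
CHANNELS = {1: Channel(1, ChannelType.WEBSITE), 2: Channel(2, ChannelType.EMAIL)}
CONSENTS = {10: "Analytics"}

# Assumed shape of a GTM container ID. Anything else is rejected at save time,
# so no quote, '<' or '&' can ever reach the iframe src attribute.
GTM_ID_RE = re.compile(r"^GTM-[A-Z0-9]{4,12}$")


@dataclass(frozen=True)
class CodeSnippet:
    name: str
    channel_id: int
    consent_id: int
    snippet_type: SnippetType
    gtm_id: Optional[str] = None
    code: Optional[str] = None


class ValidationError(ValueError):
    pass


def save_snippet(form: dict) -> CodeSnippet:
    """Validate an (possibly intercepted and edited) save request before persisting."""
    try:
        snippet_type = SnippetType(form["SnippetType"])  # unknown values rejected
    except (KeyError, ValueError) as exc:
        raise ValidationError("SnippetType must be GTM or CustomCode") from exc

    channel = CHANNELS.get(form.get("ChannelID"))
    if channel is None:
        raise ValidationError("Channel does not exist")
    if channel.type is not ChannelType.WEBSITE:  # the check the review found missing
        raise ValidationError("Code snippets can only target website channels")
    consent_id = form.get("ConsentID")
    if consent_id not in CONSENTS:
        raise ValidationError("Consent does not exist")

    # Persist only the field that belongs to the chosen type, so flipping
    # SnippetType in the request cannot leave stale data from the other type.
    if snippet_type is SnippetType.GTM:
        gtm_id = form.get("GtmId", "")
        if not GTM_ID_RE.fullmatch(gtm_id):
            raise ValidationError("Malformed GTM container ID")
        return CodeSnippet(form["Name"], channel.id, consent_id, snippet_type, gtm_id=gtm_id)
    code = form.get("Code", "")
    if not code.strip():
        raise ValidationError("Custom code snippet must not be empty")
    return CodeSnippet(form["Name"], channel.id, consent_id, snippet_type, code=code)


def render_snippet(snippet: CodeSnippet, given_consents: set) -> str:
    """Live-site output: nothing at all unless the visitor gave the consent."""
    if snippet.consent_id not in given_consents:
        return ""
    if snippet.snippet_type is SnippetType.GTM:
        # The ID was allow-listed at save time; attribute escaping is defence in depth.
        return ('<noscript><iframe src="https://www.googletagmanager.com/ns.html?id='
                + escape(snippet.gtm_id, quote=True)
                + '" height="0" width="0" style="display:none;visibility:hidden">'
                + '</iframe></noscript>')
    return snippet.code  # custom code is authored by marketers and emitted as-is


def listing_title(snippet: CodeSnippet) -> str:
    """Listing title attribute built from the snippet name, not the script body."""
    return escape(snippet.name, quote=True)
```

The two things worth copying are that the channel lookup rejects by channel type rather than only by existence, and that the GTM ID is validated against an allow-list pattern before storage instead of relying on attribute escaping at render time; the listing title uses a separate name field, as the ❓ item suggests.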

xsustek commented 8 months ago

@ondrejhenek Security unrelated issues/bugs 🐞:

  1. Fixed. Now if snippet type is changed only related fields are saved.
  2. "Fixed". Sorting was disabled for fields with a custom formatter.
  3. Fixed. Displayed value is controlled by snippet type field.
  4. Fixed.

Security review:

  1. This is UI change, so please approve the proposed solution.
  2. Fixed.