LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

[Security]: Javascript links #3505

Closed terribleplan closed 1 year ago

terribleplan commented 1 year ago

Summary

Javascript is allowed as a scheme in links. This should likely be restricted to only http and https. This should probably be enforced at the federation level as well: reject non-http(s) URIs on links. This was reported in the wild here

I tried to contact security@lemmy.ml over a week ago but have gotten no response for a separate issue that is made much more severe due to this issue. Please contact me at kegan@keganmyers.com to discuss the other issue that has not yet been publicly disclosed elsewhere.

Steps to Reproduce

  1. Submit a link with javascript:alert('hacked')
  2. Click the link
  3. The javascript is executed

Technical Details

You can see a link I tested this with here.

Version

0.17.4 and up

Lemmy Instance URL

lemmy.nrd.li
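The scheme allowlist the report asks for, as an added example that is not lemmy's own code: a check a post-creation handler (or the federation inbox, for incoming objects) could apply before storing a link. The helper name `isAllowedLinkUrl`, the naive comparison beside it, and the sample inputs are all constructed for this illustration; the only payload taken from the report is `javascript:alert('hacked')`.

```typescript
// Added example, not from the lemmy code base.
// Allowlist of URL schemes a submitted link may use. Everything else
// (javascript:, data:, vbscript:, relative references) is rejected.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);

function isAllowedLinkUrl(raw: string): boolean {
  let parsed: URL;
  try {
    // WHATWG URL parsing lowercases the scheme, strips leading and trailing
    // whitespace, and removes embedded tabs/newlines, so "JavaScript:" and
    // "java\tscript:" both normalise to protocol "javascript:" instead of
    // slipping past a literal string comparison.
    parsed = new URL(raw);
  } catch {
    // Relative or unparsable input: reject rather than guess a base.
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Denylist by string prefix, kept here only to show why it is insufficient:
// it misses case variants, leading whitespace, and other dangerous schemes.
function naivePrefixCheck(raw: string): boolean {
  return !raw.startsWith("javascript:");
}

// Constructed test vectors: [input, should be accepted]
const SAMPLES: ReadonlyArray<[string, boolean]> = [
  ["https://lemmy.nrd.li/post/1", true],
  ["http://example.com/path?q=1", true],
  ["javascript:alert('hacked')", false],             // payload from the report
  ["JavaScript:alert(1)", false],                    // case folding
  ["  javascript:alert(1)", false],                  // leading whitespace
  ["java\tscript:alert(1)", false],                  // embedded tab
  ["data:text/html,<script>alert(1)</script>", false],
  ["vbscript:MsgBox(1)", false],
  ["//example.com/", false],                         // scheme-relative, no base
  ["not a url", false],
];

// Returns the inputs whose verdict differs from the expected one.
function findMisclassified(
  check: (raw: string) => boolean,
  samples: ReadonlyArray<[string, boolean]> = SAMPLES,
): string[] {
  return samples
    .filter(([input, expected]) => check(input) !== expected)
    .map(([input]) => input);
}

// Stand-alone run: the allowlist gets every vector right, the prefix
// denylist lets several through.
console.log("allowlist misses:", findMisclassified(isAllowedLinkUrl));
console.log("prefix denylist misses:", findMisclassified(naivePrefixCheck));
```

Put this check on the API side, before the URL is persisted, and apply the same rule to objects received over ActivityPub; the rendering-side check in the markdown parser should be a second barrier, not the only one.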

necropola commented 1 year ago

@dessalines @Nutomic Does this hack still work in 0.18.x?

Update: Tested on lemmy.world (UI: 0.18.1-rc.10 | BE: 0.18.1-rc.9-14-ge7195130) and it still works.

What is lemmy's designated procedure for sanitizing user input:

Nutomic commented 1 year ago

The fix is deployed on voyager.lemmy.ml so you can test there (signups are open). Looks like the markdown parser already prohibits javascript links so this seems completely fixed to me.

terribleplan commented 1 year ago

@Nutomic

As basically all of what I discovered is being exploited in the wild I have posted what I found: https://akkoma.nrd.li/notice/AXXhAVF7N5ZH1V972W

I did reply to the kind email I was sent, I assume my response and my earlier emails must have gotten caught in a spam filter or something. In my response I did mention that I signed up for a matrix account and my user id is @terribleplan:sakura.ci, and I am around sporadically if you would like to go over what I have found and ways to remediate the issues.

Nutomic commented 1 year ago

@terribleplan Sent you a message.

This issue is finished.