PrimalHQ / primal-web-app

Primal's web app for Nostr, as experienced on primal.net.
https://primal.net
MIT License

Unsafe use of innerHTML and inadequate HTML sanitization #38

Open geeknik opened 10 months ago

geeknik commented 10 months ago

Security Incident Report

Executive Summary

This report outlines multiple security vulnerabilities found in the Primal Web App repository. The issues are primarily related to Cross-Site Scripting (XSS) vulnerabilities due to the unsafe use of innerHTML and inadequate HTML sanitization.


Detailed Findings

  1. HIGH: Dangerous dynamic HTML insert detected. [CWE-79]

    • File: primal-web-app/src/components/Toaster/Toaster.tsx
    • Line: 21
    • Code: toaster.innerHTML = message;
    • Recommendation: Use React's JSX to dynamically insert content, which automatically escapes HTML.
      // Replace
      toaster.innerHTML = message;
      // With
      toaster.textContent = message;
  2. HIGH: Dangerous dynamic HTML insert detected. [CWE-79]

    • File: primal-web-app/src/pages/EditProfile.tsx
    • Line: 72
    • Code: banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
    • Recommendation: Use React's JSX to create the banner.
      // Replace
      banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
      // With
      const bannerElement = <div className={styles.bannerPlaceholder}></div>;
  3. HIGH: Dangerous dynamic HTML insert detected. [CWE-79]

    • File: primal-web-app/src/pages/Profile.tsx
    • Line: 144
    • Code: banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
    • Recommendation: Similar to the above, use React's JSX.
      // Replace
      banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
      // With
      const bannerElement = <div className={styles.bannerPlaceholder}></div>;
  4. MEDIUM: Manual HTML sanitization detected. [CWE-79]

    • File: primal-web-app/src/lib/notes.tsx
    • Line: 25
    • Code: return html.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
    • Recommendation: Use a well-tested library for HTML sanitization like DOMPurify.
      import DOMPurify from "dompurify";
      // Replace
      return html.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
      // With
      return DOMPurify.sanitize(html);

Conclusion

The identified vulnerabilities should be addressed immediately to prevent potential security incidents. Adopting best practices for HTML sanitization and secure coding can mitigate these risks. 🤙🏻
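Editor's note on finding 4, with an added example that is not part of the report above and not primal-web-app code. Two distinct operations are being conflated in that finding: escaping (turning a string into text that a browser will display literally) and sanitizing (keeping a string as markup but removing the dangerous parts). `DOMPurify.sanitize` does the latter, so swapping it in for the `replaceAll` line only makes sense if the value is meant to render as rich HTML; if it is meant to display as literal text, the right fix is a complete escaper. The `replaceAll('<')`/`replaceAll('>')` version is incomplete either way: it leaves `&`, `"` and `'` alone, so a value placed inside an attribute can close the attribute and add a new one without ever using an angle bracket. The block below reproduces the report's two-character escaper beside a complete one and checks both against a constructed attribute-context payload; it runs in Node without a DOM, and the `renderAltAttr` helper and the payload string are illustrative assumptions, not code from the project.

```javascript
// Added example (editor's own, not primal-web-app code). Shows why the
// two-character replace from src/lib/notes.tsx is not a complete HTML
// escape, and what a complete escaper for text context looks like.

// The approach from the report: only '<' and '>' are rewritten.
function partialEscape(html) {
  return html.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
}

// Complete escape for a string that will be placed into an HTML document
// as text (element body or quoted attribute value). All five characters
// that can change how the parser reads the surrounding markup are
// rewritten. '&' is included so that user text like "&amp;" round-trips
// instead of being decoded into "&" by the browser.
const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical template in the style of a profile banner or avatar tag:
// user-controlled text lands inside a double-quoted attribute.
function renderAltAttr(escaper, userText) {
  return `<img src="avatar.png" alt="${escaper(userText)}">`;
}

// Constructed attacker input. It contains no '<' or '>' at all, so the
// partial escaper passes it through unchanged; the '"' closes the alt
// attribute and the remainder becomes an onerror handler.
const ATTR_PAYLOAD = 'x" onerror="alert(document.domain)';

// True when the rendered tag ends up with a new attribute boundary
// (a literal '"' followed by " onerror=") that the payload introduced.
function attrContextEscapes(escaper) {
  return renderAltAttr(escaper, ATTR_PAYLOAD).includes('" onerror=');
}

// Stand-alone run: prints both renderings so the difference is visible.
console.log('partial :', renderAltAttr(partialEscape, ATTR_PAYLOAD));
console.log('complete:', renderAltAttr(escapeHtml, ATTR_PAYLOAD));
console.log('partial escaper lets the payload out of the attribute:',
  attrContextEscapes(partialEscape));
console.log('complete escaper lets the payload out of the attribute:',
  attrContextEscapes(escapeHtml));
```

Usage note: escaping and then assigning to `innerHTML` is equivalent to assigning the raw string to `textContent`, which is the simpler fix for cases like the Toaster message. Reserve `DOMPurify.sanitize` for values that genuinely need to render as HTML, and keep its output out of attribute and URL contexts, which a sanitizer does not protect on its own.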