search

geneontology / amigo

AmiGO is the public interface for the Gene Ontology.
http://amigo.geneontology.org
BSD 3-Clause "New" or "Revised" License
29 stars 17 forks source link

XSS vulnerability in visualize #653

Closed kltm closed 2 years ago

kltm commented 2 years ago

It is currently possible to inject disrupting code into visualize that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:

https://amigo-staging.geneontology.io/visualize?mode=client_amigoquas%22--%3E %3Csvg/onload=alert(document.domain)%3E%3C!--[2] https://amigo-staging.geneontology.io/visualize?mode=client_amigoquas%22--%3E %3Csvg/onload=alert(document.domain)%3E%3C!-- [https://amigo- staging.geneontology.io/visualize?mode=client_amigoquas%22--%3E%3Csvg/ onload=alert(document.domain)%3E%3C!--]

Noted on staging.

kltm commented 2 years ago

It appears to have been an error in error handling. Fix applied, tested against given URLs, and rolled out to endpoints.

kltm commented 2 years ago

No further report from LBL; closing for now.