kandanapp / kandan

Kandan is an Open Source Alternative to HipChat
GNU Affero General Public License v3.0

[Bug] This magic string makes Kandan stop working #341

Closed PythEch closed 10 years ago

PythEch commented 10 years ago

I was trying to exploit youtube embed coffeescript. Not too long ago I said to myself why not type the regex of it. :laughing:

I first thought my internet was cut off. Anyway, if someone writes this string to chat, Kandan stops working.

http(s)?.+www.youtube.com.+watch

Gruyere calls this a vulnerability, but it's more like a bug to me.

By the way, how to reset Kandan? I killed 3 servers of mine to check if that string was related to this...

EDIT: These are the errors that Firefox's giving:

SyntaxError: Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead faye.js:3
Error: http://lit-fortress-4042.herokuapp.com/remote/faye.js is being assigned a //# sourceMappingURL, but already has one
"Comm link is up!" application-548c9878b86940087cef8da7b8eb056f.js:29
TypeError: t.match(...) is null

Chrome:

Or better yet login to my server: http://lit-fortress-4042.herokuapp.com/

Here's a cleaner one if you get confused with whole mess of xss testings: http://kandan-demo2.herokuapp.com/

Further note, it seems like a javascript bug, because search still works: http://kandan-demo2.herokuapp.com/search?query=youtube.com


While I don't know the exact cause of this issue, I have some ideas.

I guess that string matches the regex but idRegex is null, hence JavaScript fails.

It seems like you need to use regex groups for this thing. Two separate regexes smell like bad code. Although I haven't programmed Rails I mean CoffeeScript before, there may be a good reasoning behind this, if so please enlighten me.
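To illustrate the failure mode described in this report, the following is an added example and not Kandan's own code: `youtubeRegex`, `idRegex` and the embed functions are hypothetical stand-ins for the two-regex YouTube embed logic, written so that the broad detector matches the magic string while the id extractor returns null, exactly the `t.match(...) is null` situation from the Firefox console. The hardened version uses one regex with a capture group and leaves the message alone when nothing matches.

```javascript
// Added example, not Kandan's code. The regexes are hypothetical stand-ins
// for the two-regex YouTube embed pattern the issue describes.

// Hypothetical broad detector: decides whether a message mentions a watch link.
const youtubeRegex = /http(s)?.+www\.youtube\.com.+watch/;
// Hypothetical id extractor: pulls the video id out of a v= parameter.
const idRegex = /[?&]v=([A-Za-z0-9_-]{11})/;

// Buggy embed, mirroring the report: the detector matches, but the extractor
// can return null, and indexing null with [1] throws a TypeError that takes
// the rest of the message rendering down with it.
function buggyEmbed(text) {
  if (youtubeRegex.test(text)) {
    const id = text.match(idRegex)[1]; // TypeError when match() is null
    return `<iframe src="https://www.youtube.com/embed/${id}"></iframe>`;
  }
  return text;
}

// Hardened embed: a single anchored regex whose capture group carries the id,
// so a successful match always yields an id, and a null match is handled.
const youtubeWatchRegex =
  /https?:\/\/(?:www\.)?youtube\.com\/watch\?(?:[^\s]*&)?v=([A-Za-z0-9_-]{11})/;

function safeEmbed(text) {
  const m = text.match(youtubeWatchRegex);
  if (!m) return text; // not a watch link: leave the message as plain text
  return `<iframe src="https://www.youtube.com/embed/${m[1]}"></iframe>`;
}

// Runs an embed function and reports a thrown error instead of propagating
// it, which is what a message renderer should do around untrusted input.
function renderOutcome(fn, text) {
  try {
    return { ok: true, html: fn(text) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed inputs: the literal regex text quoted in the report, and a
// normal-looking link with a made-up 11-character video id.
const MAGIC_STRING = 'http(s)?.+www.youtube.com.+watch';
const NORMAL_LINK = 'look at https://www.youtube.com/watch?v=abcDEF12345 please';

console.log(renderOutcome(buggyEmbed, MAGIC_STRING)); // { ok: false, error: 'TypeError' }
console.log(renderOutcome(safeEmbed, MAGIC_STRING));  // { ok: true, html: MAGIC_STRING }
console.log(safeEmbed(NORMAL_LINK));
```

The point of the hardened form is that the decision "is this a YouTube link" and the extraction "what is the id" come from the same match, so they cannot disagree; the null check is still kept because `match()` returning null is the normal non-link case, not an error.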

alexhulbert commented 10 years ago

@PythEch I was going to make a joke about there not being YouTube in Turkey, but I decided against it :P. Anyway, I'm always eager to do regex golfing, if you'd like.

alexhulbert commented 10 years ago

Awesome! I'll use those if I ever need my privacy invaded by someone other than the NSA ;)

scouttyg commented 10 years ago

I fixed this for youtube -- I've been meaning to push up my fix for youtube embeds (http embeds wouldn't work on https) so this kills two birds with one stone. The downside is there is probably similar Regex issues for some of the other embeds (Vimeo?), which may need to be tested.

PythEch commented 10 years ago

@scouttyg Technically it's not a downside :) Great commit! Last time I tried, Vimeo's regex was too broken to cause a real issue.

On a side note: It's possible to break image-embed if you pass two images at the same time. Something like this: http://static.azgor.com/wp-content/uploads/octobiwan.jpg http://static.azgor.com/wp-content/uploads/octobiwan.jpg

I didn't report it because it's just an aesthetic issue. Nevertheless it should be fixed.