keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Firefox+NoScript XSS sanitizing breaks Reddit proof #1289

Open smjones opened 9 years ago

smjones commented 9 years ago

Note: This is related to #1167

System
NoScript v2.6.9.9 active in Crunchbang's "Iceweasel" v24.8.1 (Firefox), Crunchbang 11 with not quite the latest updates at time of writing (uname -a: Linux abort 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux)

Description
Setting up a new Keybase profile & proofs. When I use the Keybase website to generate the CLI [bash + GPG + cURL] method, which I run/post, then click on the Keybase website's dialog to submit the Reddit proof using the "prefilled form," NoScript mangles the URL (see mangled post here)

Trawling through the errors in the NoScript console, NoScript's XSS function throws information-level messages that it is sanitizing a "JavaScript Injection" as follows:

[NoScript InjectionChecker] JavaScript Injection in ///r/KeybaseProofs/submit?selftext=true&title=My Keybase proof [reddit:smj_crash = keybase:smj] (d4dXy8HtNIWzxKjWySrGCldxHd2oADCmLvjS-x4BoGQ)&text=###+Keybase+proofI+hereby+claim:++*+I+am+[smj_crash](https://www.reddit.com/user/smj_crash)+on+reddit.++*+I+am+[smj](https://keybase.io/smj)+on+keybase.++*+I+have+a+public+key+whose+fingerprint+is+FA51+FAC2+CE00+F999+B3D4++CEB3+DD1D+3737+DD71+2857To+claim+this,+I+am+signing+this+object:++++{++++++++"body":+{++++++++++++"key":+{++++++++++++++++"fingerprint":+"fa51fac2ce00f999b3d4ceb3dd1d3737dd712857",++++++++++++++++"host":+"keybase.io",++++++++++++++++"key_id":+"dd1d3737dd712857",++++++++++++++++"kid":+"01012f9785a42a58408a930afd54250dd929f1fe19592d3a327629a020d6d9cc9aa20a",++++++++++++++++"uid":+"6f292b05175a9d15bcd3ac4868424000",++++++++++++++++"username":+"smj"++++++++++++},++++++++++++"revoke":+{++++++++++++++++"sig_ids":+[++++++++++++++++++++"5f2b9d2b471b9d1cd4c7559a4f3a27453792eea08003cbee84b71aeb1ec399160f"++++++++++++++++]++++++++++++},++++++++++++"service":+{++++++++++++++++"name":+"reddit",++++++++++++++++"username":+"smj_crash"++++++++++++},++++++++++++"type":+"web_service_binding",++++++++++++"version":+1++++++++},++++++++"ctime":+1419930556,++++++++"expire_in":+157680000,++++++++"prev":+"3b85a29ec5b896a1a943f4f64c5ee7b1213e181b3bea1b43be8556dfcd96bd49",++++++++"seqno":+7,++++++++"tag":+"signature"++++}with+the+PGP+key+referenced+above,+yielding+the+PGP+signature:++++-----BEGIN+PGP+MESSAGE-----++++Version:+GnuPG+v2.0.19+(GNU/Linux)++++=8QL0++++-----END+PGP+MESSAGE-----Finally,+I+am+proving+my+reddit+account+by+posting+it+in+[KeybaseProofs](https://www.reddit.com/r/KeybaseProofs).

[NoScript XSS] Sanitized suspicious request. Original URL [https://www.reddit.com/r/KeybaseProofs/submit?selftext=true&title=My%20Keybase%20proof%20%5Breddit%3Asmj_crash%20%3D%20keybase%3Asmj%5D%20(d4dXy8HtNIWzxKjWySrGCldxHd2oADCmLvjS-x4BoGQ)&text=%23%23%23+Keybase+proof%0A%0AI+hereby+claim%3A%0A%0A++*+I+am+%5Bsmj_crash%5D(https%3A%2F%2Fwww.reddit.com%2Fuser%2Fsmj_crash)+on+reddit.%0A++*+I+am+%5Bsmj%5D(https%3A%2F%2Fkeybase.io%2Fsmj)+on+keybase.%0A++*+I+have+a+public+key+whose+fingerprint+is+FA51+FAC2+CE00+F999+B3D4++CEB3+DD1D+3737+DD71+2857%0A%0ATo+claim+this%2C+I+am+signing+this+object%3A%0A%0A%0A++++%7B%0A++++++++%22body%22%3A+%7B%0A++++++++++++%22key%22%3A+%7B%0A++++++++++++++++%22fingerprint%22%3A+%22fa51fac2ce00f999b3d4ceb3dd1d3737dd712857%22%2C%0A++++++++++++++++%22host%22%3A+%22keybase.io%22%2C%0A++++++++++++++++%22key_id%22%3A+%22dd1d3737dd712857%22%2C%0A++++++++++++++++%22kid%22%3A+%2201012f9785a42a58408a930afd54250dd929f1fe19592d3a327629a020d6d9cc9aa20a%22%2C%0A++++++++++++++++%22uid%22%3A+%226f292b05175a9d15bcd3ac4868424000%22%2C%0A++++++++++++++++%22username%22%3A+%22smj%22%0A++++++++++++%7D%2C%0A++++++++++++%22revoke%22%3A+%7B%0A++++++++++++++++%22sig_ids%22%3A+%5B%0A++++++++++++++++++++%225f2b9d2b471b9d1cd4c7559a4f3a27453792eea08003cbee84b71aeb1ec399160f%22%0A++++++++++++++++%5D%0A++++++++++++%7D%2C%0A++++++++++++%22service%22%3A+%7B%0A++++++++++++++++%22name%22%3A+%22reddit%22%2C%0A++++++++++++++++%22username%22%3A+%22smj_crash%22%0A++++++++++++%7D%2C%0A++++++++++++%22type%22%3A+%22web_service_binding%22%2C%0A++++++++++++%22version%22%3A+1%0A++++++++%7D%2C%0A++++++++%22ctime%22%3A+1419930556%2C%0A++++++++%22expire_in%22%3A+157680000%2C%0A++++++++%22prev%22%3A+%223b85a29ec5b896a1a943f4f64c5ee7b1213e181b3bea1b43be8556dfcd96bd49%22%2C%0A++++++++%22seqno%22%3A+7%2C%0A++++++++%22tag%22%3A+%22signature%22%0A++++%7D%0A%0Awith+the+PGP+key+referenced+above%2C+yielding+the+PGP+signature%3A%0A%0A%0A++++-----BEGIN+PGP+MESSAGE-----%0A++++Version%3A+GnuPG+v2.0.19+
(GNU%2FLinux)%0A++++%0A++++owFtUm1QVFUYXkD8ykRmEtBhLS4xESHez717tkRoawxMLSIYIIRz7j13uXzsbruw%0A++++LK0EIoqkGDgROiA5BDWOhhHQxIcNkgwjohJE0GSlQSLDjDOIDDNU0FnGftWf8855%0A++++z%2FM87%2FO%2B56180kvj6bF897mq%2B0lN%2Bz2uTyNNfEPWqItCFrmAMrioLLwSFNVswjar%0A++++TTXnUgZKgQKjQImVME0rAADEybyEySkzMidyoiyLDKsXRCqcyrDY3Qwig6AdR6gW%0A++++kiOXNFUm2f%2FBZ6080AzNsAoQ9QLkWSjoeVoPAUdDRRZ4VqBlGbBAYRTMAAGwMgc5%0A++++VtSxANIsLetkIEkAQpaGRC5vRU6nsIBFtMCIAgQyIyCJcCRer9PzLE%2FTtBtoxzYz%0A++++zMEEbc%2FJpArDKRt2WLKwu3m7aiJ%2B7ZQhhRIUFgGZRbzIkMhIpG9READkFQ6yIi9w%0A++++ImAxhrSepjkJYaznkchAjBgscQAwOlqhUok2KeZQpRXxx0VtWJbV3P8YSZNs0J7h%0A++++tpNbYHXn8jFKe8xOQ6pZJv9CSA5ss6sWM2VgCFLKVd10hmcAmZkg6MIp7LSqNpym%0A++++uhGCqCPuaDqcspIWiSSHyJhZgCUB6UGcDjIQ8JzCKzpeEjAWEcMyHGb0DOIQhgzi%0A++++SdATVVmRZKBDMg8od0Pvmi2UQSQ%2BocltXTWZYW6eDVOF68s9A1dpPDw1q7093bul%0A++++Wb9u078L912qz5JhdVtWq22vh2vYP6x296PaWNM5n1fOZtcX5YPGkOv12sTiWcrQ%0A++++ZRyuehi0PBQ2Pdj6ec3WlpE%2BZ9n3Dx7GdvVULVSfT247CzLPGJsfRGrMg2%2Bv5SNO%0A++++tpszX2hvj6YGSo6p43GT9cEJ6cFHmi%2F%2FFTjUH1wa2T%2Fz%2BvSnjuKM2LijV6bCMk46%0A++++Y67i0Bd3BL7jWPgi7q2WyQ8PflLqLHTNDdWgpdG5Z6vnD%2Bclbpvp2fW3Zc2Jo2V7%0A++++7i%2B%2B8eqbTT%2Fc8dMuBs2G1r20cHNgId60qfrUouq99ZdLHXfSfwqY8Pn4g37pxra5%0A++++6iVTW93ImFfY1fAQ14GJmN8u3tI2dp244rNm88Uk6%2Fy5KDX50jr77eZD%2BwYCjVui%0A++++NnR6X2itA%2F7JNX3f1g54HCox1jYg3fQfU%2FPZoH9DUl5z0eWIUN%2B8zqejArbDjgtd%0A++++FZEox9TwTXdX6kZjf%2B8zp2%2FaJ4M2V3a3RfuVzg3tPTK8b%2FvyvYXsR4k5vyffOB0A%0A++++%2BlICE9ILXts5tr%2FQydyeaupIeDnHyHlpB76cD90dPXpqdmwuHfX0pjrArQncot21%0A++++OPPZyL2hZL%2FBA%2FFOV90q3x%2FXlh8O%2Bjqg5P3er%2FyLmsdjtjyhFRtLN4bwvuNjeAHE%0A++++XXuvonfHsTNhBzuO77zbabI%2BtexdVrmn%2B1ePlD9rq2u8y0sr2msNsT6FxYn5H53%2F%0A++++%2Bflrx0dS%2FwE%3D%0A++++%3D8QL0%0A++++-----END+PGP+MESSAGE-----%0A%0AFinally%2C+I+am+proving+my+reddit+account+by+posting+it+in+%5BKeybaseProofs%5D(https%3A%2F%2Fwww.reddit.com%2Fr%2FKeybaseProofs).%0A] requested from [https://keybase.io/smj]. 
Sanitized URL: [https://www.reddit.com/r/KeybaseProofs/submit?selftext=true&title=My%20Keybase%20proof%20%20reddit%3Asmj_crash%20%20%20keybase%3Asmj%20%20%20d4dXy8HtNIWzxKjWySrGCldxHd2oADCmLvjS-x4BoGQ%20&text=%23%23%23+Keybase+proof%20I+hereby+claim%3A%20+*+I+am+%20smj_crash%20%20https%3A//www.reddit.com/user/smj_crash%20+on+reddit.%20+*+I+am+%20smj%20%20https%3A//keybase.io/smj%20+on+keybase.%20+*+I+have+a+public+key+whose+fingerPRINT+is+FA51+FAC2+CE00+F999+B3D4+CEB3+DD1D+3737+DD71+2857%20To+claim+this%2C+I+am+signing+this+object%3A%20+%7B%20+%20body%20%3A+%7B%20+%20key%20%3A+%7B%20+%20fingerPRINT%20%3A+%20fa51fac2ce00f999b3d4ceb3dd1d3737dd712857%20%2C%20+%20host%20%3A+%20keybase.io%20%2C%20+%20key_id%20%3A+%20dd1d3737dd712857%20%2C%20+%20kid%20%3A+%2001012f9785a42a58408a930afd54250dd929f1fe19592d3a327629a020d6d9cc9aa20a%20%2C%20+%20uid%20%3A+%206f292b05175a9d15bcd3ac4868424000%20%2C%20+%20userNAME%20%3A+%20smj%20+%7D%2C%20+%20revoke%20%3A+%7B%20+%20sig_ids%20%3A+%20%20+%205f2b9d2b471b9d1cd4c7559a4f3a27453792eea08003cbee84b71aeb1ec399160f%20+%20%20+%7D%2C%20+%20service%20%3A+%7B%20+%20NAME%20%3A+%20reddit%20%2C%20+%20userNAME%20%3A+%20smj_crash%20+%7D%2C%20+%20type%20%3A+%20web_service_binding%20%2C%20+%20version%20%3A+1%20+%7D%2C%20+%20ctime%20%3A+1419930556%2C%20+%20expire_in%20%3A+157680000%2C%20+%20prev%20%3A+%203b85a29ec5b896a1a943f4f64c5ee7b1213e181b3bea1b43be8556dfcd96bd49%20%2C%20+%20seqno%20%3A+7%2C%20+%20tag%20%3A+%20signature%20+%7D%20with+the+PGP+key+referenced+above%2C+yielding+the+PGP+signature%3A%20+-BEGIN+PGP+MESSAGE-%20+Version%3A+GnuPG+v2.0.19+%20GNU/Linux%20%20+%20+owFtUm1QVFUYXkD8ykRmEtBhLS4xESHez717tkRoawxMLSIYIIRz7j13uXzsbruw%20+LK0EIoqkGDgROiA5BDWOhhHQxIcNkgwjohJE0GSlQSLDjDOIDDNU0FnGftWf8855%20+z/M87/O+56180kvj6bF897mq+0lN+z2uTyNNfEPWqItCFrmAMrioLLwSFNVswjar%20+TTXnUgZKgQKjQImVME0rAADEybyEySkzMidyoiyLDKsXRCqcyrDY3Qwig6AdR6gW%20+kiOXNFUm2f/BZ6080AzNsAoQ9QLkWSjoeVoPAUdDRRZ4VqBlGbBAYRTMAAGwMgc5%20+VtSxANIsLetkIEkAQpaGRC5vRU6nsIBFtMCIAgQyIyCJcCRe
r9PzLE/TtBtoxzYz%20+zMEEbc/JpArDKRt2WLKwu3m7aiJ+7ZQhhRIUFgGZRbzIkMhIpG9READkFQ6yIi9w%20+ImAxhrSepjkJYaznkchAjBgscQAwOlqhUok2KeZQpRXxx0VtWJbV3P8YSZNs0J7h%20+tpNbYHXn8jFKe8xOQ6pZJv9CSA5ss6sWM2VgCFLKVd10hmcAmZkg6MIp7LSqNpym%20+uhGCqCPuaDqcspIWiSSHyJhZgCUB6UGcDjIQ8JzCKzpeEjAWEcMyHGb0DOIQhgzi%20+SdATVVmRZKBDMg8od0Pvmi2UQSQ+ocltXTWZYW6eDVOF68s9A1dpPDw1q7093bul%20+Wb9u078L912qz5JhdVtWq22vh2vYP6x296PaWNM5n1fOZtcX5YPGkOv12sTiWcrQ%20+ZRyuehi0PBQ2Pdj6ec3WlpE+Z9n3Dx7GdvVULVSfT247CzLPGJsfRGrMg2+v5SNO%20+tpszX2hvj6YGSo6p43GT9cEJ6cFHmi//FTjUH1wa2T/z+vSnjuKM2LijV6bCMk46%20+Y67i0Bd3BL7jWPgi7q2WyQ8PflLqLHTNDdWgpdG5Z6vnD+clbpvp2fW3Zc2Jo2V7%20+7i+8eqbTT/c8dMuBs2G1r20cHNgId60qfrUouq99ZdLHXfSfwqY8Pn4g37pxra5%20+6iVTW93ImFfY1fAQ20GJmN8u3tI2dp244rNm88Uk6/y5KDX50jr77eZD+wYCjVui%20+NnR6X2itA/7JNX3f1g54HCox1jYg3fQfU/PZoH9DUl5z0eWIUN+8zqejArbDjgtd%20+FZEox9TwTXdX6kZjf+8zp2/aJ4M2V3a3RfuVzg3tPTK8b/vyvYXsR4k5vyffOB0A%20+lICE9ILXts5tr/QydyeaupIeDnHyHlpB76cD90dPXpqdmwuHfX0pjrArQncot21%20+OPPZyL2hZL/BA/FOV90q3x/Xlh8O+jqg5P3er/yLmsdjtjyhFRtLN4bwvuNjeAHE%20+XXuvonfHsTNhBzuO77zbabI+texdVrmn+1ePlD9rq2u8y0sr2msNsT6FxYn5H53/%20+flrx0dS/wE%20%20+%208QL0%20+-END+PGP+MESSAGE-%20Finally%2C+I+am+proving+my+reddit+account+by+posting+it+in+%20KeybaseProofs%20%20https%3A//www.reddit.com/r/KeybaseProofs%20.%20#49717420280165925411].

Workaround
If I bring up the NoScript Options dialog, select the Advanced tab, then the XSS sub-tab, all I need to do is de-select the option "Sanitize cross-site suspicious requests" and the pre-filled form will work properly. I re-enabled the feature after the proof was verified.

There may be a more focused method to just exempt scrubbing for a particular site with exception options within NoScript, rather than disabling/re-enabling the entire feature manually.
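Added example, not code from the issue, NoScript or Keybase: a small Python helper that takes the "Original URL" / "Sanitized URL" pair NoScript logs, decodes the query parameters and reports which characters the sanitizer dropped from each, plus a check that the proof's markdown links survived. The two URLs inside it are constructed, shortened stand-ins shaped like the pair in the report above (same `title` and `text` parameters, placeholder user names and signature id).

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample pair mirroring the shape of the logged URLs
# (real proof text is much longer; "user" and "sigid" are placeholders).
ORIGINAL = ("https://www.reddit.com/r/KeybaseProofs/submit?selftext=true"
            "&title=My%20Keybase%20proof%20%5Breddit%3Auser%20%3D%20keybase%3Auser%5D%20(sigid)"
            "&text=%23%23%23+Keybase+proof%0A%0A*+I+am+%5Buser%5D(https%3A%2F%2Fkeybase.io%2Fuser)")
SANITIZED = ("https://www.reddit.com/r/KeybaseProofs/submit?selftext=true"
             "&title=My%20Keybase%20proof%20%20reddit%3Auser%20%20%20keybase%3Auser%20%20%20sigid%20"
             "&text=%23%23%23+Keybase+proof%20*+I+am+%20user%20%20https%3A//keybase.io/user%20")


def query_params(url):
    """Decode the query string into {name: value}; parse_qs unescapes %XX and '+'."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def dropped_chars(original, sanitized):
    """Characters present in the original value but missing from the sanitized one."""
    return sorted(set(original) - set(sanitized))


def diff_params(original_url, sanitized_url):
    """Map each changed parameter name to the characters the sanitizer removed."""
    before, after = query_params(original_url), query_params(sanitized_url)
    report = {}
    for name, value in before.items():
        if value != after.get(name):
            report[name] = dropped_chars(value, after.get(name, ""))
    return report


def proof_markdown_intact(text):
    """Keybase's proof body relies on markdown links '[x](url)'; check they survived."""
    return "](" in text


if __name__ == "__main__":
    for name, chars in diff_params(ORIGINAL, SANITIZED).items():
        print(f"{name}: sanitizer dropped {chars!r}")
    print("proof links intact after sanitizing:",
          proof_markdown_intact(query_params(SANITIZED)["text"]))
```

Set difference only catches removed characters; on the report's real pair the case changes ("fingerprint" to "fingerPRINT", "name" to "NAME") would need a positional diff such as `difflib.ndiff` over the decoded values.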

portablejim commented 9 years ago

Thanks heaps.

I found I could do an "unsafe reload" and it would work correctly.