Closed Taiwar closed 1 month ago
As part of your university project did you discuss the principle of responsible disclosure? If you believe you have found a security matter, your first place to go should be the project's security policy to see how best to disclose it. Whilst this repo doesn't have an explicit security policy, the Node-RED project does: https://github.com/node-red/node-red?tab=security-ov-file#readme
By disclosing this issue on a public issue list, you have not given us any opportunity to fix the issue before it becomes public knowledge.
I apologize for the misstep and not looking far enough for a security policy or maintainer contact of this project. I falsely believed this was the only place for making the community aware of the issue.
Expected Behavior
Malicious users should not be able to embed scripts in node/flow/collection descriptions which execute when any user navigates to the node/flow/collection detail page.
Current Behavior
The `marked` library is used to render user-submitted markdown code on the node/flow/collection detail pages. Neither the user input nor the rendered HTML output are sanitized before being inserted into the respective templates. This allows malicious users to exploit markdown functionalities such as `<script>` tags to achieve XSS. Code references: `flow-library/routes/nodes.js:141`, `flow-library/routes/flows.js:189` and `flow-library/routes/collections.js:116`.
Additionally, no content security policy (CSP) headers are set by the server, allowing scripts from any sources (e.g. inline `<script>`) to be executed.
Possible Solution
As suggested by the `marked` README, the HTML output should be sanitized before displaying it. This can be achieved by using libraries such as `DOMPurify` and would not impact the functionality of the description field.
Another way of mitigating XSS would be to set CSP headers, restricting which scripts are allowed to be executed, for example by requiring a nonce property.
Context (Environment)
We found this vulnerability during a security evaluation of the Node-RED ecosystem as part of a university project. Amongst other security issues, we believe that this XSS vulnerability in combination with the minimal security Node-RED deployments have by default (no authentication required for the API, all origins allowed), can lead to malicious actors achieving remote code execution.