node-red / flow-library

Node-RED Flow Library
Apache License 2.0

XSS vulnerability in markdown descriptions #112

Closed Taiwar closed 1 month ago

Taiwar commented 1 month ago

Expected Behavior

Malicious users should not be able to embed scripts in node/flow/collection descriptions which execute when any user navigates to the node/flow/collection detail page.

Current Behavior

The marked library is used to render user-submitted markdown code on the node/flow/collection detail pages. Neither the user input nor the rendered HTML output is sanitized before being inserted into the respective templates. This allows malicious users to exploit markdown functionalities such as <script> tags to achieve XSS. Code references: flow-library/routes/nodes.js:141, flow-library/routes/flows.js:189 and flow-library/routes/collections.js:116.

Additionally, no content security policy (CSP) headers are set by the server, allowing scripts from any sources (e.g. inline <script>) to be executed.

Possible Solution

As suggested by the marked README, the HTML output should be sanitized before displaying it. This can be achieved by using libraries such as DOMPurify and would not impact the functionality of the description field.

Another way of mitigating XSS would be to set CSP headers, restricting which scripts are allowed to be executed for example by requiring a nonce property.

Context (Environment)

We found this vulnerability during a security evaluation of the Node-RED ecosystem as part of a university project. Amongst other security issues, we believe that this XSS vulnerability in combination with the minimal security Node-RED deployments have by default (no authentication required for the API, all origins allowed), can lead to malicious actors achieving remote code execution.

knolleary commented 1 month ago

As part of your university project did you discuss the principle of responsible disclosure? If you believe you have found a security matter, your first place to go should be the project's security policy to see how best to disclose it. Whilst this repo doesn't have an explicit security policy, the Node-RED project does: https://github.com/node-red/node-red?tab=security-ov-file#readme

By disclosing this issue on a public issue list, you have not given us any opportunity to fix the issue before it becomes public knowledge.

Taiwar commented 1 month ago

I apologize for the misstep and not looking far enough for a security policy or maintainer contact of this project. I falsely believed this was the only place for making the community aware of the issue.

knolleary commented 1 month ago

Fixed via https://github.com/node-red/flow-library/commit/e103f7091c8c87699761ab5b9802fd7afd68c46d