-
-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Placeholder #1940
Labels
Status: Triage
Needs to be verified, categorized, etc
Type: Bug / Error
Something isn't working or is incorrect
Comments
Af ic for this issue is released in version 8.9.2 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
Status: Triage
Needs to be verified, categorized, etc
Type: Bug / Error
Something isn't working or is incorrect
XSS vulnerability
Vulnerability description
In version 8.6.0, Mermaid added a support of directives to add more control over styles(themes) applied to the diagrams.
Syntax for declaring the directive is
%%{init: {<JSON_OBJECT>}}%%
Directives can be used to overwrite default theme properties like fontFamily or fontSize to the graph.
Behind the scenes, library takes JSON_OBJECT from directive and merges it with config object. Later that config is used to generate new CSS rules:
Problem is that there is no sanitization of user-supplied values, which are added to style tag via innerHTML method afterwards:
This leads to Cross-Site Scripting attack via following directive:
Steps to reproduce
Create mermaid diagram with following payload:
Or visit following PoC:
https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiJSV7aW5pdDogeyAnZm9udEZhbWlseSc6ICdcXFwiPjwvc3R5bGU-PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSk-J30gfSUlXG5zZXF1ZW5jZURpYWdyYW1cbkFsaWNlLT4-Qm9iOiBIaSBCb2JcbkJvYi0-PkFsaWNlOiBIaSBBbGljZSIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0In0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9
Prototype pollution vulnerability
Vulnerability description
In version 8.6.0, Mermaid added a support of directives to add more control over styles(themes) applied to the diagrams.
Syntax for declaring the directive is %%{init: {<JSON_OBJECT>}}%%
The issue is that directive JSON_OBJECT is lacking proper sanitization before merging with default config which means we can specify
__proto__
attribute to overwrite Object prototype.
For example, if we use following payload, it will add attribute
polluted
to every new object in the application:
This can break the app leading to client-side DOS or can be used to achieve XSS. In some rare cases it can even lead to Remote Code Execution.
Steps to reproduce
Open https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiJSV7aW5pdDogeyAnX19wcm90b19fJzogeydwb2xsdXRlZCc6ICdhc2RmJ319IH0lJVxuc2VxdWVuY2VEaWFncmFtXG5BbGljZS0-PkJvYjogSGkgQm9iXG5Cb2ItPj5BbGljZTogSGkgQWxpY2VcbiIsIm1lcm1haWQiOnt9LCJ1cGRhdGVFZGl0b3IiOmZhbHNlfQ
Then open developer console in the browser and create a new object:
You will see that newly created object already has
polluted
value.
Resources
You can learn more about this type of vulnerability here:
https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications
The text was updated successfully, but these errors were encountered: