github.com/webtorrent/webtorrent.git
author: Feross Aboukhadijeh <feross@feross.org> 2019-08-27 23:28:17 +0300
committer: Feross Aboukhadijeh <feross@feross.org> 2019-08-27 23:28:17 +0300
commit: 22546df6d9ba9ca4523142d98b5e70f6db213f3e
tree: f2488bd5d7880e6b4e0af4c7433755d1540bedc8 /package.json
parent: 885a20066363c88563aa02931c3c43da5c1a1868
Fix http server XSS

Low risk xss. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context.

The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain.

This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own):

1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)
2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.

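The two mitigations named in the commit message, sketched as an added example that is not code from this commit or from WebTorrent. The names `renderIndex`, `escapeHtml` and `CSP`, the policy string and the sample torrent object are assumptions made for illustration; `escapeHtml` is a local stand-in for an HTML-escaping library.

```javascript
// Added example (hypothetical names), not WebTorrent's implementation.

// Deny-all policy. default-src does not cover base-uri, form-action or
// frame-ancestors, so each of those is denied explicitly.
const CSP = [
  "default-src 'none'",
  "base-uri 'none'",
  "form-action 'none'",
  "frame-ancestors 'none'"
].join('; ')

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }

// Stand-in for an HTML-escaping library. Safe for element text and quoted
// attribute values; not sufficient for unquoted attributes or script bodies.
function escapeHtml (value) {
  return String(value).replace(/[&<>"']/g, ch => ENTITIES[ch])
}

// Build the index page for a torrent whose name and file paths are untrusted.
function renderIndex (torrent) {
  const items = torrent.files.map((file, i) => {
    // URL-encode the name as a path segment, then HTML-escape the whole
    // attribute value (encodeURIComponent leaves the single quote alone).
    const href = '/' + i + '/' + encodeURIComponent(file.name)
    return '<li><a href="' + escapeHtml(href) + '">' + escapeHtml(file.path) + '</a></li>'
  })
  const name = escapeHtml(torrent.name)
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP
    },
    body: '<!doctype html><title>' + name + '</title><h1>' + name + '</h1>' +
      '<ol>' + items.join('') + '</ol>'
  }
}

// Constructed sample metadata with markup in the name and in a file path.
const sample = {
  name: '<img src=x onerror=alert(1)>',
  files: [{ name: 'a"b.txt', path: 'dir/<script>x</script>.txt' }]
}
const page = renderIndex(sample)
console.log(page.headers['Content-Security-Policy'])
console.log(page.body)
```

Either layer alone neutralises the constructed sample: the escaped name renders as text, and the policy would refuse to run an inline handler even if a field were missed.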
Diffstat (limited to 'package.json')
-rw-r--r-- package.json 1
1 files changed, 1 insertions, 0 deletions
diff --git a/package.json b/package.json
index e409416..f9ba2d4 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
"create-torrent": "^4.0.0",
"debug": "^4.1.0",
"end-of-stream": "^1.1.0",
+ "escape-html": "^1.0.3",
"fs-chunk-store": "^2.0.0",
"http-node": "github:feross/http-node#cddd2872f0020ecf5016f326cf5e58c965eef52a",
"immediate-chunk-store": "^2.0.0",
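Review bot: the added `"escape-html": "^1.0.3"` line takes a caret range for a package the XSS fix now depends on, while the `http-node` entry two lines below is pinned to a commit hash. Consider pinning an exact version, or confirming that a committed lockfile fixes the resolved version, so a later 1.x release cannot change what gets escaped without review. Since the message lists name, path and file names as the escaped inputs, it would also help to record next to the call sites that this escaping is meant for HTML text and quoted attribute values, so any of those values placed in a URL gets URL-encoded first.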