@zenuml/core 2.0.28 → 2.0.29
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cy/xss.html +21 -0
- package/dist/style.css +1 -1
- package/dist/zenuml.esm.mjs +6 -6
- package/dist/zenuml.js +2 -2
- package/docs/xss.md +47 -0
- package/package.json +1 -1
package/docs/xss.md
ADDED
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
In this document we are disclosing a cross-site scripting vulnerability in the
|
|
2
|
+
[@zenuml/core](https://www.npmjs.com/package/@zenuml/core) package.
|
|
3
|
+
XSS is a type of security vulnerability that allows an attacker to inject
|
|
4
|
+
malicious code into a web page viewed by other users.
|
|
5
|
+
|
|
6
|
+
# How to reproduce
|
|
7
|
+
|
|
8
|
+
ZenUML generates sequence diagrams from text. If the text contains a
|
|
9
|
+
malicious script, it will be executed when the diagram is rendered.
|
|
10
|
+
|
|
11
|
+
The following content is known to pop an alert box:
|
|
12
|
+
|
|
13
|
+
```
|
|
14
|
+
"><img src=x onerror=alert(1)>ent #FFEBE6
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
# Known affected products
|
|
18
|
+
|
|
19
|
+
| Product | Severity | Comment |
|
|
20
|
+
|-------------------|----------|---------------------------------------------------------------------|
|
|
21
|
+
| Confluence plugin | P3 | Content must be create by registered users; scripts run in sandbox. |
|
|
22
|
+
| Web App | P3 | Only the current user can view content created by themselves. |
|
|
23
|
+
| Chrome Extension | P3 | Only the current user can view content created by themselves. |
|
|
24
|
+
| Desktop (Win/Mac) | P3 | Only the current user can view content created by themselves. |
|
|
25
|
+
| JetBrains plugin | P3 | Scripts run inside sandbox. |
|
|
26
|
+
|
|
27
|
+
# What is the cause of the vulnerability?
|
|
28
|
+
|
|
29
|
+
The cause of the XSS vulnerability in [library name] is due to a lack of proper input validation in the
|
|
30
|
+
WidthProviderFunc.ts file. Specifically, the vulnerability is located in the code that measures the width
|
|
31
|
+
of the message or participant element in the library. The issue is present in line 29 of the file, which
|
|
32
|
+
can be found at [this URL](https://github.com/ZenUml/core/blob/577f2a550a0b82a392215875298bc358a8feff0d/src/positioning/WidthProviderFunc.ts#L29).
|
|
33
|
+
In this line, the code uses unsanitized user input which is passed as an argument in the function, this
|
|
34
|
+
allows an attacker to inject malicious JavaScript code into the web page viewed by other users.
|
|
35
|
+
|
|
36
|
+
```
|
|
37
|
+
let hiddenDiv = document.querySelector('.textarea-hidden-div') as HTMLDivElement;
|
|
38
|
+
if (!hiddenDiv) {
|
|
39
|
+
const newDiv = document.createElement('div');
|
|
40
|
+
...
|
|
41
|
+
document.body.appendChild(newDiv);
|
|
42
|
+
hiddenDiv = newDiv;
|
|
43
|
+
}
|
|
44
|
+
hiddenDiv.innerHTML = text;
|
|
45
|
+
const scrollWidth = hiddenDiv.scrollWidth;
|
|
46
|
+
return scrollWidth;
|
|
47
|
+
```
|