GHSL-2023-026: Cross-site scripting (XSS) in Common Voice - CVE-2023-42808

Coordinated Disclosure Timeline

• 2023-02-09: Report sent to security@mozilla.org
• 2023-02-13: Report is acknowledged
• 2023-02-13: Mozilla security team suggests a fix
• 2023-02-13: Reporter agrees on the fix
• 2023-03-20: Security Lab asks for an update
• 2023-05-09: Security Lab asks for an update
• 2023-05-11: Deadline expires

Summary

Common Voice is vulnerable to Cross-Site Scripting (XSS).

Product

Common Voice

Tested Version

release-v1.88.2

Details

Issue: User-controlled data used in path expression in fetchLegalDocument (GHSL-2023-026)

Common Voice is vulnerable to reflected Cross-Site Scripting given that user-controlled data flows to a path expression (path of a network request).

// https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/server.ts#L214
private setupPrivacyAndTermsRoutes() {
    this.app.get(
      '/privacy/:locale.html',
      async ({ params: { locale } }, response) => {
        response.send(await fetchLegalDocument('privacy_notice', locale));
      }
    );

setupPrivacyAndTermsRoutes takes locale and passes it to fetchLegalDocument.

// https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/fetch-legal-document.ts#LL21-L62C2
export default async function fetchLegalDocument(
  name: string,
  locale: string
): Promise<string> {
  ...
  const legalLocale = localeMapping[locale] ?? locale;

  const [status, text] = await request({
    uri: `https://raw.githubusercontent.com/mozilla/legal-docs/master/${legalLocale}/common_voice_${name}.md`,
    resolveWithFullResponse: true,
  })
    .then((response: any) => [response.statusCode, response.body])
    .catch(response => [response.statusCode, null]);

  if (status >= 400 && status < 500) {
    ...
  } else if (status < 300) {
    textHTML = new commonmark.HtmlRenderer().render(
      new commonmark.Parser().parse(
        // There's a parseable datetime string in the legal documents, which we don't need to show
        (text as string).replace(/{:\sdatetime=".*" }/, '')
      )
    );
  }
  ...
  return textHTML;
}

fetchLegalDocument retrieves a file including the provided locale in the path, allowing an attacker to provide ../ to traverse into another repository like ../../../jorgectf-testing/poc/main/poc.html#.

Proof of Concept

curl '127.0.0.1:9000/privacy/..%2f..%2f..%2fjorgectf-testing%2fpoc%2fmain%2fpoc.html%23.html'

Impact

This issue may lead to reflected Cross-Site Scripting (XSS) in the context of Common Voice’s server origin.

Resources

• CodeQL for JavaScript - Uncontrolled data used in path expression
• OWASP - Cross Site Scripting (XSS)

CVE

• CVE-2023-42808

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-026 in any communication regarding this issue.