[lexical] Bug Fix: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

[lamcodeofpwnosec]

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

• https://scnps.co/papers/sp23_domclob.pdf
• https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup
We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

PoC

Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.

var s = document.createElement('script')
s.src = import.meta.url + 'extra.js'
document.head.append(s)

The output bundle.js is shown in the following code snippet.

'use strict';

var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);

Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
	getResolveUrl(
		`'${escapeId(relativePath)}', ${
			umd ? `typeof document === 'undefined' ? location.href : ` : ''
		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
	);

const getUrlFromDocument = (chunkId: string, umd = false) =>
	`${
		umd ? `typeof document === 'undefined' ? location.href : ` : ''
	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' &&${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
		chunkId
	)}', document.baseURI).href)`;

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of cjs, iife, or umd and use import.meta) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

CVE-2024-47068
CWE-79

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
lexical	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 23, 2024 8:47am
lexical-playground	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 23, 2024 8:47am

[github-actions]

size-limit report 📦

Path	Size
lexical - cjs	29.94 KB (0%)
lexical - esm	29.78 KB (0%)
@lexical/rich-text - cjs	38.6 KB (0%)
@lexical/rich-text - esm	31.64 KB (0%)
@lexical/plain-text - cjs	37.2 KB (0%)
@lexical/plain-text - esm	29 KB (0%)
@lexical/react - cjs	40.34 KB (0%)
@lexical/react - esm	33 KB (0%)

[potatowagon]

hi i see a couple of dependency updates in the test fixtures lexical-esm-astro-react package-lock.json.

could u help me understand which dependencies in particular introduced this vulnerability?

[etrepum]

I think it's just rollup, we are probably better off fixing this in package.json and it's not in an area that's deployed anywhere so probably not urgent

[lamcodeofpwnosec]

Hi @potatowagon

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

PoC
Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.

var s = document.createElement('script')
s.src = import.meta.url + 'extra.js'
document.head.append(s)

Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.

[potatowagon]

I think it's just rollup, we are probably better off fixing this in package.json and it's not in an area that's deployed anywhere so probably not urgent

got it about rollup. i did receive an alert about the same vulnerablity. have updated rollup here: #6764

im not too sure what this PR is doing, eg. why only target scripts/tests/integration/fixtures/lexical-esm-astro-react/package-lock.json, and why "node_modules/yjs" being deleted

[potatowagon]

ill close this PR first since rollup vulnerablity is addressed in another PR. if this PR has to be reopen, please add the steps done to generate the changes (eg. cmds ran)

[potatowagon]

the PR description is also a copy paste of the contents in

https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm?fbclid=IwZXh0bgNhZW0CMTEAAR3JcDL-xLDAA3vmk38x0rkpUSC0Lxv4VTFp57mm0CeSl-aD01HQaf_BWGs_aem_NiBB9VS_kGm-TPqleMHsUQ