console.log allows loading images via %c formatter, also bypasses page CSP
Categories
(DevTools :: Console, defect, P2)
Tracking
(firefox-esr102109+ verified, firefox108 wontfix, firefox109+ verified, firefox110+ verified)
People
(Reporter: dveditz, Assigned: nchevobbe)
References
Details
(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main109+][adv-esr102.7+])
Attachments
(2 files, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
|
313 bytes,
text/plain
|
Details |
Despite attempting to filter out loading URLs from the styles supported by the console.log() %c format directive, this is done by fragile regexp and can be bypassed.
Inspired by recently-unhidden https://bugs.chromium.org/p/chromium/issues/detail?id=1349493.
#1 loading a remote image
The second example in that chrome bug works in Firefox, for pretty much the same reasons: the regexp is trying to forbid bad stuff rather than saying "no url() at all unless it's a data: url" (support for data: was added in bug 1579663 by removing it from the list of bad schemes). Find a weakness in the regexp and you can get around it. You can copy the line below and run it in a devtool console
console.log("%cMozilla", "background:url(https\\0009://www.mozilla.org/favicon.ico); font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;")
#2 CSP bypass
If you make the console.log() call from the page content this also bypasses the page CSP. On the one hand the image isn't being incorporated into the page content, but on the other it could be used as a way to exfiltrate data. I assume we can't apply the page's CSP to the toolbox without breaking a bunch of things, so fixing this comes down to preventing console logging from loading external images at all.
The intended "data:" urls might also violate the CSP, but since there's no exfiltration avenue it seems fine to allow it.
#3 no restriction on other schemes
There is a forbidden list of schemes which means any new scheme we think up won't be on it. For example, Firefox supports moz-extension urls so you could use any web-accessible resource, if you can figure out the random UUID assigned to each extension at install time. Some extensions make this easy by injecting elements into web content where they can be detected.
Take the case of Firefox Relay, for example. If your victim has Relay installed and active you could go to a page with an email field (like any page on www.mozilla.org) and do something like:
let relayUrl = document.querySelector("#fx-relay-button")?.style["background-image"];
console.log("%cMozilla", `background:${relayUrl}; font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;`)
moz-extension:// itself isn't a problem (like data:, nothing is exfiltrated) but it shows the limitations of the regexp.
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 1•2 years ago
|
||
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
||
Comment 3•2 years ago
|
||
Comment on attachment 9306057 [details]
Bug 1800832 - [devtools] Fix require call in console stubs template. r=jdescottes
Revision D163489 was moved to bug 1803508. Setting attachment 9306057 [details] to obsolete.
|
|
Assignee | |
Comment 4•2 years ago
|
||
Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: quite easily I guess if people can make the link from this patch to using console API with custom styling
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all supported branches
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: quite unlikely
this is a very localized changed, covered by an automated test, on a small visual feature for console.log - Is Android affected?: No
|
||
Comment 5•2 years ago
|
||
Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.
Approved to land; and if we're landing the test with it, we should uplift it.
|
|
Assignee | |
Comment 6•2 years ago
|
||
Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.
Beta/Release Uplift Approval Request
- User impact if declined: devtools user would be vulnerable to security issue described in https://bugzilla.mozilla.org/show_bug.cgi?id=1800832#c0
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: 1. Open the console
- Evaluate
console.log("%cMozilla", "background:url(https\\0009://www.mozilla.org/favicon.ico); font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;")
-> the Mozilla icon shouldn't be displayed in the resulting message
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): devtools-only change covered by automated test.
- String changes made/needed:
- Is Android affected?: Yes
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 7•2 years ago
•
|
||
[devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.
https://hg.mozilla.org/integration/autoland/rev/6667c879aea4
https://hg.mozilla.org/mozilla-central/rev/6667c879aea4
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
I have managed to reproduce this issue using STR from comment 6, on an affected Nightly build (20221115214157), with macOS 11.
The issue is verified as fixed across platforms, Win 10 x64, macOS 11 and Ubuntu 18.04 x64 with latest Nightly 110.0a1.
|
|
||
Comment 9•2 years ago
|
||
Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.
Approved for 109.0b3 and 102.7esr.
|
|
||
Comment 10•2 years ago
|
||
| uplift | ||
|
|
||
Comment 11•2 years ago
|
||
This bug is also verified as fixed on latest Beta 109.0b3 and Esr 102.7, under Win 7 x64, macOS 11 and Ubuntu 18.04 x64.
|
||
Updated•2 years ago
|
|
|
||
Comment 12•2 years ago
|
||
|
||
Updated•2 years ago
|
|
Reporter | |
Updated•1 year ago
|
Description
•