Closed Bug 1838671 Opened 2 years ago Closed 2 years ago

decodeURI (in SourceTreeItem) throws on malformed URI, crashing the Debugger panel

Categories

(DevTools :: Debugger, defect, P2)

Firefox 114
defect

Tracking

(firefox-esr102 unaffected, firefox114 wontfix, firefox115 verified, firefox116 verified)

VERIFIED FIXED
116 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox114 --- wontfix
firefox115 --- verified
firefox116 --- verified

People

(Reporter: 711924474as, Assigned: nchevobbe)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Attached image POC.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0

Steps to reproduce:

Hello security team:
You have visited the following site "http://hiltonlocalbiz.com" to check the security.
I found this error "The debugger board has crashed."
When I tried to send the following payload:

| echo "||" sleep + 5 "+% 23% 27 + |" sleep + 5` || "sleep + 5" + %23% 5c%22 + | sleep + 5 "

http://hiltonlocalbiz.com/?query=|%20echo%20%22||%22%20sleep%20+%205%20%22+%%2023%%2027%20+%20|%22%20sleep%20+%205`%20||%20%22sleep%20+%205%22%20+%20%23%%205c%22%20+%20|%20sleep%20+%205%20%22

As shown in the picture

Actual results:

The debugger board has crashed

Expected results:

The problem only happened to me on this site.

Version: Firefox 116 → Firefox 114

Thanks for filing.
I can reproduce the issue.
I'm not sure this is a security bug though

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2

it's probably reproducible with any page with inline scripts + malformed search, e.g. http://hiltonlocalbiz.com/?% is enough to trigger the issue (decodeURI("(index)?%") does throw)

The callsite is here https://searchfox.org/mozilla-central/rev/986024d59bff59819a3ed2f7c1d0f5254cdc3f3d/devtools/client/debugger/src/components/PrimaryPanes/SourcesTreeItem.js#150

This was regressed by Bug 1824910 where we switched from unescape to decodeURI

(probably not a security bug as it only impacts DevTools debugger)
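As an added illustration of the failure mode described in the comment above (not Firefox's own code): a display label derived with `decodeURI` throws a `URIError` on a malformed percent-escape such as `(index)?%`, the legacy `unescape` path never did, and the try/catch form the landed fix uses degrades to the raw name instead of taking the panel down. The function names and the sample source names are constructed for this example.

```javascript
// Constructed example: how a source-tree label can crash on a malformed URI.

// Legacy behaviour (before Bug 1824910): unescape never throws, it just
// leaves unparseable escapes alone. Deprecated, but still in every engine.
function labelLegacy(name) {
  return unescape(name);
}

// Naive decodeURI version: throws a URIError on a malformed escape. In a
// render path that uncaught error is what crashed the Debugger panel.
function labelUnsafe(name) {
  return decodeURI(name);
}

// Hardened version, the shape of the landed fix: wrap decodeURI in try/catch
// and fall back to the raw (still percent-encoded) name, so a bad URL yields
// an ugly label rather than a crashed panel.
function labelSafe(name) {
  try {
    return decodeURI(name);
  } catch (e) {
    // Only URIError is expected here; anything else is a real bug, rethrow.
    if (!(e instanceof URIError)) throw e;
    return name;
  }
}

// Helper to show which inputs make decodeURI throw.
function throwsOnDecode(name) {
  try {
    decodeURI(name);
    return false;
  } catch (e) {
    return e instanceof URIError;
  }
}

// Constructed sample names, as the sources tree would see them.
const SAMPLES = [
  "(index)?%",          // from the bug: lone "%" at the end of the name
  "app.js?v=%E2%9C",    // truncated UTF-8 multibyte sequence
  "main.js?q=%ZZ",      // non-hex digits after "%"
  "lib/util%20v2.js",   // well formed: "%20" decodes to a space
];

for (const name of SAMPLES) {
  console.log(JSON.stringify(name), "throws:", throwsOnDecode(name),
              "legacy:", labelLegacy(name), "safe:", labelSafe(name));
}
```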

Status: NEW → UNCONFIRMED
Ever confirmed: false
Keywords: regression
Priority: P2 → --
Regressed by: 1824910
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2

Set release status flags based on info from the regressing bug 1824910

The name of the source tree we want to decode might be malformed,
which can make decodeURI throw.
A test case is added to ensure the issue is fixed.

Assignee: nobody → nchevobbe
Status: NEW → ASSIGNED
Group: firefox-core-security

This doesn't sound like a security issue, so I'm unhiding it. Something throwing an error and then it causing a crash doesn't sound like the sort of unsafe crash that could cause security problems.

Hello security team:
An attacker can enter operating system commands at the address "http://hiltonlocalbiz.com"
I noticed the following payload:
console.warn(";echo '<script>alert(1)</script>'")
The client or query string locates the value information that the client has discovered
To prove the concept further, we copy the following address:
http://hiltonlocalbiz.com/?nodomainuid=console.warn(%22;echo%20%27%3Cscript%3Ealert(1)%3C/script%3E%27%22)
Then go to Firefox
The reason is due to encryption problems

Hello team:
May I know the latest developments regarding this report.
And how can I help

I am able to reproduce this consistently for any site on fresh Firefox 114.0.1 on Windows 11 Pro 22H2 and macOS 14.

It pretty much blocks all Web Devs depending on debugger and there's no workaround so is there any reason this is still not critical?

(In reply to [:anutrix] from comment #8)

I am able to reproduce this consistently for any site on fresh Firefox 114.0.1 on Windows 11 Pro 22H2 and macOS 14.

It pretty much blocks all Web Devs depending on debugger and there's no workaround so is there any reason this is still not critical?

It's not security critical, but we (the devtools team) think it's critical to fix, which is why there's already a patch waiting for review before we can land it (and hopefully uplift it)

(In reply to ibrahim mohammed abdo mohammed ali from comment #6)

Hello security team:
An attacker can enter operating system commands at the address "http://hiltonlocalbiz.com"
I noticed the following payload:
console.warn(";echo '<script>alert(1)</script>'")
The client or query string locates the value information that the client has discovered
To prove the concept further, we copy the following address:
http://hiltonlocalbiz.com/?nodomainuid=console.warn(%22;echo%20%27%3Cscript%3Ealert(1)%3C/script%3E%27%22)
Then go to Firefox
The reason is due to encryption problems

please file another bug, it's not the same issue as the original one you reported

Summary: The Debugger panel has crashed. → decodeURI (in SourceTreeItem) throws on malformed URI, crashing the Debugger panel
Pushed by nchevobbe@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ef725e0a6e5d [devtools] Wrap decodeURI in try/catch block in SourcesTreeItem. r=bomsy,devtools-reviewers.

Hello, I hope you are well. May I know when is the date of receiving the reward?

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

The patch landed in nightly and beta is affected.
:nchevobbe, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(nchevobbe)

Comment on attachment 9339566 [details]
Bug 1838671 - [devtools] Wrap decodeURI in try/catch block in SourcesTreeItem. r=bomsy.

Beta/Release Uplift Approval Request

  • User impact if declined: DevTools debugger is unusable if a source URI is malformed
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See Comment 2
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small patch wrapping code in a try/catch block, DevTools only, has automated test
  • String changes made/needed:
  • Is Android affected?: No
Flags: needinfo?(nchevobbe)
Attachment #9339566 - Flags: approval-mozilla-beta?
Flags: qe-verify+

(In reply to ibrahim mohammed abdo mohammed ali from comment #12)

Hello, I hope you are well. May I know when is the date of receiving the reward?

Hello ibrahim mohammed abdo mohammed ali, this is not a security bug so it's not eligible for a bounty.
But this was extremely helpful for the DevTools team and we're grateful you reported this issue!

Comment on attachment 9339566 [details]
Bug 1838671 - [devtools] Wrap decodeURI in try/catch block in SourcesTreeItem. r=bomsy.

Approved for 115.0b8.

Attachment #9339566 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Reproduced the issue with Firefox 115.0b7 Windows 10 x64.
Verified as fixed in Firefox 115.0b8 and Nightly 116.0a1 Windows 10 x64, Ubuntu 18.4 and macOS 10.12.

Status: RESOLVED → VERIFIED
Flags: qe-verify+