Coordinated Disclosure Timeline
- 2023-02-09: Report sent to [email protected]
- 2023-02-13: Report is acknowledged
- 2023-02-13: Mozilla security team suggests a fix
- 2023-02-13: Reporter agrees on the fix
- 2023-03-20: Security Lab asks for an update
- 2023-05-09: Security Lab asks for an update
- 2023-05-11: Deadline expires
Summary
Common Voice is vulnerable to Cross-Site Scripting (XSS).
Product
Common Voice
Tested Version
Details
Issue: User-controlled data used in path expression in fetchLegalDocument
(GHSL-2023-026
)
Common Voice is vulnerable to reflected Cross-Site Scripting given that user-controlled data flows to a path expression (path of a network request).
// https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/server.ts#L214
private setupPrivacyAndTermsRoutes() {
this.app.get(
'/privacy/:locale.html',
async ({ params: { locale } }, response) => {
response.send(await fetchLegalDocument('privacy_notice', locale));
}
);
setupPrivacyAndTermsRoutes
takes locale
and passes it to fetchLegalDocument
.
// https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/fetch-legal-document.ts#LL21-L62C2
export default async function fetchLegalDocument(
name: string,
locale: string
): Promise<string> {
...
const legalLocale = localeMapping[locale] ?? locale;
const [status, text] = await request({
uri: `https://raw.githubusercontent.com/mozilla/legal-docs/master/${legalLocale}/common_voice_${name}.md`,
resolveWithFullResponse: true,
})
.then((response: any) => [response.statusCode, response.body])
.catch(response => [response.statusCode, null]);
if (status >= 400 && status < 500) {
...
} else if (status < 300) {
textHTML = new commonmark.HtmlRenderer().render(
new commonmark.Parser().parse(
// There's a parseable datetime string in the legal documents, which we don't need to show
(text as string).replace(/{:\sdatetime=".*" }/, '')
)
);
}
...
return textHTML;
}
fetchLegalDocument
retrieves a file including the provided locale
in the path, allowing an attacker to provide ../
to traverse into another repository like ../../../jorgectf-testing/poc/main/poc.html#
.
Proof of Concept
curl '127.0.0.1:9000/privacy/..%2f..%2f..%2fjorgectf-testing%2fpoc%2fmain%2fpoc.html%23.html'
Impact
This issue may lead to reflected Cross-Site Scripting (XSS) in the context of Common Voice’s server origin.
Resources
- CodeQL for JavaScript - Uncontrolled data used in path expression
- OWASP - Cross Site Scripting (XSS)
CVE
- CVE-2023-42808
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at [email protected]
, please include a reference to GHSL-2023-026
in any communication regarding this issue.