Summary
The CSP policy applied on the tips.hushline.app website and bundled by default in this repository is trivial to bypass.
Details
Whitelisting a source that serves user-uploaded packages is like having no policy at all.
script-src 'self' https://js.stripe.com https://unpkg.com;
In unpkg.com's own words:
unpkg is a fast, global content delivery network for everything on npm. Use it to quickly and easily load any file from any package using a URL like:
Chained with the persistent XSS reported alongside this issue, this gives an attacker with HTML injection capabilities full JavaScript execution.
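To make the point in Details concrete for reviewers of the policy, the following is an added example (not Hush Line's own code) that parses a Content-Security-Policy header the way a browser resolves it (script-src, falling back to default-src; first occurrence of a directive wins) and flags script sources that defeat the policy: public package CDNs such as unpkg.com, scheme-only or wildcard sources, and the unsafe keywords. The weak policy is the directive quoted above with an assumed default-src added for context; the hardened alternative and the CDN list are assumptions for illustration, not the project's actual configuration.

```python
"""Audit a CSP header for script sources that make it bypassable.

Added example for the advisory above; not code from the Hush Line repository.
"""
from __future__ import annotations

from urllib.parse import urlparse

# CDNs that serve whatever anyone publishes to a public package registry.
# Whitelisting one lets an attacker load a package of their choosing as script.
# Constructed list for this example; extend it for your own environment.
PUBLIC_PACKAGE_CDNS = frozenset({"unpkg.com", "cdn.jsdelivr.net", "cdnjs.cloudflare.com"})

# The script-src quoted in the advisory, with an assumed default-src for context.
WEAK_CSP = "default-src 'self'; script-src 'self' https://js.stripe.com https://unpkg.com;"

# One hardened alternative (assumption): drop the package CDN, keep only the
# pinned third-party host, and add the usual companion directives.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://js.stripe.com; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none';"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    As in browsers, the first occurrence of a directive wins; later repeats
    are ignored rather than merged.
    """
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_script_sources(directives: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; when absent, browsers fall back to default-src."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def audit_script_src(header: str) -> list[str]:
    """Return human-readable findings for script sources that undermine the policy."""
    findings: list[str] = []
    sources = effective_script_sources(parse_csp(header))
    if not sources:
        return ["no script-src or default-src: scripts may load from any origin"]
    for src in sources:
        low = src.lower()
        if low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"{src} permits inline or eval'd script")
        elif low in ("*", "http:", "https:", "data:", "blob:"):
            findings.append(f"{src} is a wildcard or scheme-only source")
        elif low.startswith("'"):
            continue  # 'self', 'none', nonce-/hash-sources, 'strict-dynamic'
        else:
            # Host-source: normalise to a hostname, tolerate a missing scheme
            # and a leading wildcard label such as *.unpkg.com.
            host = urlparse(src if "//" in src else "//" + src).hostname or low
            bare = host[2:] if host.startswith("*.") else host
            if bare in PUBLIC_PACKAGE_CDNS:
                findings.append(f"{src} serves user-published packages; it allows any script")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"[{label}] {policy}")
        for finding in audit_script_src(policy) or ["no findings"]:
            print("   -", finding)
```

Running the module prints one finding for the weak policy (the unpkg.com source) and none for the hardened one. The check deliberately looks at the resolved script policy rather than the raw header text, so a policy that omits script-src entirely and relies on a permissive default-src is reported the same way.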
PoC
To demonstrate, submit the following in the tip submission form:
"><script src="https://unpkg.com/[email protected]/dist/sval-classic.js"></script>
<br csp="alert(1)">
(As mentioned in the other issue, this is trivial to bypass even if encryption is on.)
Impact
The CSP is fully bypassed.
Note: I tried to report this as suggested in Security.md via the scidsg tipline. Received no reply in ~5 days. It is also quite unsettling that someone has specifically audited the CSP and stated "All versions of Hush Line also implemented a hardened Content Security Policy (CSP).".