Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cypress.env() fails to escape <script></script> tags in the cypress.json file #4952

Closed
MarkCarbonell98 opened this issue Aug 8, 2019 · 5 comments · Fixed by #5155
Closed

Cypress.env() fails to escape <script></script> tags in the cypress.json file #4952

MarkCarbonell98 opened this issue Aug 8, 2019 · 5 comments · Fixed by #5155
Assignees
@flotwig
Labels
type: bug

Comments

@MarkCarbonell98
Copy link

Current behavior:

Cypress executes <script></script> tags written on the cypress.json file

<script>alert('this should not have happened')</script> gets executed while running EVERY test where Cypress.env() is called. A part of the cypress.json is logged to the browser, and the script gets executed too.

Desired behavior:

I want to safely write <script></script> tags in cypress.json for JS injection testing

I want <script></script> tags to be executed as raw text, and ones too.

Steps to reproduce: (app code and test code)

1)Go to your cypress.json, and in you env object, paste this "<script>alert('this should not have happened')</script>"
2) Create a .spec.js file and write the context() function, in the scope of the function call Cypress.env()
3) To to the Cypress tests GUI and execute the test
4) You will see the console logged "this should not have happened" and the screen will be filled with json raw data.

Versions

Chrome
@MarkCarbonell98
Copy link
Author

tags too

CYPRESS VERSION ^3.4.1

@jennifer-shehane jennifer-shehane added the type: unexpected behavior User expected result, but got another label Sep 9, 2019
@flotwig flotwig added type: bug and removed type: unexpected behavior User expected result, but got another labels Sep 9, 2019
@flotwig
Copy link
Contributor

flotwig commented Sep 9, 2019
edited by kuceb
Loading

Hey @MarkCarbonell98, thanks for reporting this. It sounds like the option isn't being properly sanitized when Cypress starts, which is definitely a bug.

However, this doesn't seem like a security vulnerability because the Javascript is in control of the person who is running the tests in the first place, so there is no privilege escalation.

@flotwig flotwig changed the title Cypress.env() is vulnerable to JavaScript injection attacks when <script></script> tags are present in the cypress.json file Cypress.env() fails to escape <script></script> tags in the cypress.json file Sep 9, 2019
@flotwig flotwig mentioned this issue Sep 17, 2019
Merged
2 tasks
@flotwig
Copy link
Contributor

flotwig commented Sep 17, 2019
edited
Loading

When the Cypress runner is loaded, it embeds the config as embedded JSON, like this:

<script type="text/javascript">
Runner.start({ "env": { "foo": "<script>alert('this should not have happened')</script>" } })
</script>

Despite what the syntax highlighting on GitHub seems to show, the quoted </script> on line 2 in this actually breaks out of the <script> tag on line 1, which causes a SyntaxError that prevents tests from running.

The PR #5155 base64-encodes the config object before embedding it to prevent issues like this from occurring.

@cypress-bot cypress-bot bot added stage: needs review The PR code is done & tested, needs review and removed stage: work in progress labels Sep 17, 2019
@cypress-bot
Copy link
Contributor

cypress-bot bot commented Sep 17, 2019

The code for this is done in cypress-io/cypress#5155, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@cypress-bot cypress-bot bot removed the stage: needs review The PR code is done & tested, needs review label Sep 17, 2019
@cypress-bot
Copy link
Contributor

cypress-bot bot commented Oct 23, 2019

Released in 3.5.0.

@snyk-bot snyk-bot mentioned this issue Nov 1, 2019
Merged
@snyk-bot snyk-bot mentioned this issue Nov 9, 2019
Closed
@cypress-io cypress-io locked as resolved and limited conversation to collaborators Dec 24, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@flotwig flotwig

Labels
type: bug
Projects
None yet
Milestone
No milestone
3 participants
@flotwig @jennifer-shehane @MarkCarbonell98