Skip to content

Commit

Permalink
Rollup merge of #120250 - chadnorvell:rustdoc-xss, r=notriddle
Browse files Browse the repository at this point in the history 
rustdoc: Prevent JS injection from localStorage

It turns out that you can execute arbitrary JavaScript on the rustdocs settings page. Here's how:

1. Open `settings.html` on a rustdocs site.
2. Set "preferred light theme" to "dark" to initialize the corresponding localStorage value.
3. Plant a payload by executing this in your browser's dev console: ``Object.keys(localStorage).forEach(key=>localStorage.setItem(key,`javascript:alert()//*/javascript:javascript:"/*'/*\`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=alert()onload=alert()//><svg onload=alert()><svg onload=alert()>*/</style><script>alert()</script><style>`));``
4. Refresh the page -- you should see an alert.

This could be particularly dangerous if rustdocs are deployed on a domain hosting some other application. Malicious code could circumvent `same-origin` policies and do mischievous things with user data.

This change ensures that only defined themes can actually be selected (arbitrary strings from localStorage will not be written to the document), and for good measure sanitizes the theme name.
  • Loading branch information
@GuillaumeGomez
GuillaumeGomez authored Jan 30, 2024
2 parents d3d621b + 32a0afe commit b60707e
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion src/librustdoc/html/static/js/storage.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,14 @@ const getVar = (function getVar(name) {
});

function switchTheme(newThemeName, saveTheme) {
const themeNames = getVar("themes").split(",").filter(t => t);
themeNames.push(...builtinThemes);

// Ensure that the new theme name is among the defined themes
if (themeNames.indexOf(newThemeName) === -1) {
return;
}

// If this new value comes from a system setting or from the previously
// saved theme, no need to save it.
if (saveTheme) {
Expand All @@ -115,7 +123,7 @@ function switchTheme(newThemeName, saveTheme) {
window.currentTheme = null;
}
} else {
const newHref = getVar("root-path") + newThemeName +
const newHref = getVar("root-path") + encodeURIComponent(newThemeName) +
getVar("resource-suffix") + ".css";
if (!window.currentTheme) {
// If we're in the middle of loading, document.write blocks
Expand Down

0 comments on commit b60707e

Please sign in to comment.