Merge pull request #148 from szTheory/hotfix/fix-xss-and-remote-shell

Fix XSS and Electron remote shell vulnerabilities by sanitizing HTML output
szTheory · May 4, 2021 · c6a8627 · c6a8627
2 parents 18da3bd + 64753a7
commit c6a8627
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,23 @@
 # Changelog
 
+## 3.6.0 - 4 May 2021
+
+### Security
+
+- Fix for XSS and Electron reverse shell vulnerabilities by sanitizing `exiftool` HTML output in the UI. To take advantage of this, an attacker would have had to write image metadata containing malicious script code to a file that you then download and run through ExifCleaner. Proofs of concept:
+
+XSS:
+
+```bash
+exiftool -Comment='<img src=x onerror=alert("ok") /><b>OverJT</b>' -PixelUnits='meters' image.png
+```
+
+Electron reverse shell:
+
+```bash
+exiftool -Comment='<img src=x onerror=window.require("child_process").exec("/usr/bin/firefox") /><b>OverJT</b>' -PixelUnits='meters' image.png
+```
+
 ## 3.5.1 - 1 May 2021
 
 ## Infrastructure

diff --git a/README.md b/README.md
@@ -6,9 +6,9 @@
 
 ![ExifCleaner demo](https://user-images.githubusercontent.com/28652/71770980-f04e8b80-2f2b-11ea-90f1-4393ec57adc0.gif)
 
-## !!!!! NOTE - UPGRADE TO 3.5.0 OR GREATER ASAP !!!!!
+## !!!!! NOTE - UPGRADE TO 3.6.0+ ASAP !!!!!
 
-If you are running 3.4.0 or earlier of ExifCleaner, update immediately! A security vulnerability was found in exiftool, the command-line application that powers ExifCleaner under the hood, and this was updated in ExifCleaner 3.5.0.
+If you are running a version of ExifCleaner before 3.6.0, upgrade immediately! A security vulnerability was found in exiftool, the command-line application that powers ExifCleaner under the hood, and this was updated in ExifCleaner 3.5.0. There was also an XSS and Electron remote shell vulnerability due to unsanitized HTML output that was fixed in ExifCleaner 3.6.0.
 
 ## Benefits
 

diff --git a/src/renderer/sanitize.ts b/src/renderer/sanitize.ts
@@ -0,0 +1,7 @@
+// Sanitize HTMl to prevent XSS and Electron remote shell attacks
+export function sanitizeHTML(text: string): string {
+	const element = document.createElement("div");
+	element.innerText = text;
+
+	return element.innerHTML;
+}
diff --git a/src/renderer/table_update_row.ts b/src/renderer/table_update_row.ts
@@ -1,3 +1,5 @@
+import { sanitizeHTML } from "./sanitize";
+
 export function updateRowWithExif(
 	tdNode: HTMLTableDataCellElement,
 	exifData: any
@@ -34,9 +36,14 @@ export function updateRowWithExif(
 
 function buildExifString({ exifData }: { exifData: any }): string {
 	let str = "";
+
 	for (const [key, value] of Object.entries(exifData)) {
-		str += key + " " + "<strong>" + value + "</strong>" + "<br>";
+		if (typeof value !== "string") {
+			continue;
+		}
+		str += key + " " + "<strong>" + sanitizeHTML(value) + "</strong>" + "<br>";
 	}
+
 	return str;
 }