asf-tooling opened a new issue, #960:
URL: https://github.com/apache/tooling-trusted-releases/issues/960
**ASVS Level(s):** [L1, L2]
**Description:**
### Summary
The application converts markdown vulnerability descriptions from external
sources (OSV API, CycloneDX SBOM files) to HTML using
`cmarkgfm.github_flavored_markdown_to_html()`, then wraps the output in
`markupsafe.Markup()` so that htpy renders it without escaping. When cmark-gfm
renders with `CMARK_OPT_UNSAFE` (the default behaviour before cmark-gfm 0.29),
raw HTML in the input is passed through to the output verbatim, so the
`Markup()` wrapper turns attacker-controlled markup into stored XSS. An attacker
can upload a CycloneDX SBOM whose `vulnerability.detail` field contains embedded
HTML/JavaScript, which then executes in the victim's browser when the SBOM
report is viewed. This affects authenticated committer sessions.
### Details
**Affected Files and Lines:**
- `atr/get/sbom.py:290-310` - Markdown conversion without sanitization
- `atr/get/sbom.py:370` - Markup() wrapper bypassing escaping
Data flow: Attacker uploads malicious CycloneDX SBOM file → SBOM contains
crafted vulnerability.detail field with embedded HTML/JavaScript → cmarkgfm
preserves raw HTML tags → markupsafe.Markup() marks output as safe, bypassing
htpy escaping → htm.div[details] renders without escaping → JavaScript executes
in victim's browser.
### Recommended Remediation
**Option A (Recommended):** Render in cmark-gfm safe mode, which replaces raw
HTML with `<!-- raw HTML omitted -->` comments and drops unsafe link schemes
(`javascript:`, `vbscript:`, `file:`, most `data:`). Caveat: since cmark-gfm
0.29 safe mode is the default and `CMARK_OPT_SAFE` is retained only as a no-op;
raw HTML is emitted only when `CMARK_OPT_UNSAFE` is passed. So first confirm
which options and which cmarkgfm version `atr/get/sbom.py` uses: if the call
passes `CMARK_OPT_UNSAFE`, removing that flag closes the raw-HTML path, and the
sanitizer in Option B should still be applied as defence in depth.
**Option B (Most Robust):** Use dedicated HTML sanitizer (nh3>=0.2.14 or
bleach) with allowed tags whitelist:
```python
import cmarkgfm
import markupsafe
import nh3

# Allowlist of the tags and attributes a vulnerability description legitimately needs.
ALLOWED_TAGS = {'p', 'br', 'strong', 'em', 'code', 'pre', 'a', 'ul', 'ol', 'li',
                'h1', 'h2', 'h3', 'h4', 'blockquote'}
ALLOWED_ATTRIBUTES = {'a': {'href', 'title'}}


def render_markdown(markdown_text: str) -> markupsafe.Markup:
    # Safe mode (the cmark-gfm default) already drops raw HTML; nh3 is the backstop.
    rendered = cmarkgfm.github_flavored_markdown_to_html(markdown_text)
    # nh3 removes every tag and attribute outside the allowlist and strips href
    # values whose scheme is not in its default scheme list (javascript: and data:
    # are not), so an unsafe link is kept as text with its href removed.
    sanitized = nh3.clean(rendered, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
    return markupsafe.Markup(sanitized)
```
Additional recommendations:
1. Audit all `markupsafe.Markup()` calls and any other path that marks a
non-constant string as safe
2. Establish a code review rule requiring sanitization before `Markup()` is
applied to non-constant values
3. Add automated XSS testing for SBOM uploads, using a CycloneDX file whose
`vulnerability.detail` carries a raw HTML block, an event-handler attribute and
a `javascript:` link
4. Pin cmarkgfm to a version built on cmark-gfm 0.29 or later, where raw HTML
and unsafe link schemes are dropped unless `CMARK_OPT_UNSAFE` is passed
explicitly
### Acceptance Criteria
- [ ] HTML sanitization implemented
- [ ] Allowed tags whitelist configured
- [ ] Allowed attributes whitelist configured
- [ ] XSS testing added for SBOM uploads
- [ ] Code review guidelines updated
- [ ] Unit test verifying the fix
### References
- Source reports: L1:1.2.3.md, L2:1.3.10.md
- Related findings: FINDING-065, FINDING-209
- ASVS sections: 1.2.3, 1.3.10
### Priority
High
---
**Triage notes:** confirm this is in audit_guidance
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]