Merge pull request #148 from szTheory/hotfix/fix-xss-and-remote-shell

Fix XSS and Electron remote shell vulnerabilities by sanitizing HTML output

Author: szTheory

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 3.6.0 - 4 May 2021
+
+### Security
+
+- Fix for XSS and Electron reverse shell vulnerabilities by sanitizing `exiftool` HTML output in the UI. To take advantage of this, an attacker would have had to write image metadata containing malicious script code to a file that you then download and run through ExifCleaner. Proofs of concept:
+
+XSS:
+
+```bash
+exiftool -Comment='<img src=x onerror=alert("ok") /><b>OverJT</b>' -PixelUnits='meters' image.png
+```
+
+Electron reverse shell:
+
+```bash
+exiftool -Comment='<img src=x onerror=window.require("child_process").exec("/usr/bin/firefox") /><b>OverJT</b>' -PixelUnits='meters' image.png
+```
+
 ## 3.5.1 - 1 May 2021
 
 ## Infrastructure

README.md

@@ -6,9 +6,9 @@
 
 ![ExifCleaner demo](https://user-images.githubusercontent.com/28652/71770980-f04e8b80-2f2b-11ea-90f1-4393ec57adc0.gif)
 
-## !!!!! NOTE - UPGRADE TO 3.5.0 OR GREATER ASAP !!!!!
+## !!!!! NOTE - UPGRADE TO 3.6.0+ ASAP !!!!!
 
-If you are running 3.4.0 or earlier of ExifCleaner, update immediately! A security vulnerability was found in exiftool, the command-line application that powers ExifCleaner under the hood, and this was updated in ExifCleaner 3.5.0.
+If you are running a version of ExifCleaner before 3.6.0, upgrade immediately! A security vulnerability was found in exiftool, the command-line application that powers ExifCleaner under the hood, and this was updated in ExifCleaner 3.5.0. There was also an XSS and Electron remote shell vulnerability due to unsanitized HTML output that was fixed in ExifCleaner 3.6.0.
 
 ## Benefits
 

src/renderer/sanitize.ts

@@ -0,0 +1,7 @@
+// Sanitize HTMl to prevent XSS and Electron remote shell attacks
+export function sanitizeHTML(text: string): string {
+	const element = document.createElement("div");
+	element.innerText = text;
+
+	return element.innerHTML;
+}

src/renderer/table_update_row.ts

@@ -1,3 +1,5 @@
+import { sanitizeHTML } from "./sanitize";
+
 export function updateRowWithExif(
 	tdNode: HTMLTableDataCellElement,
 	exifData: any
@@ -34,9 +36,14 @@ export function updateRowWithExif(
 
 function buildExifString({ exifData }: { exifData: any }): string {
 	let str = "";
+
 	for (const [key, value] of Object.entries(exifData)) {
-		str += key + " " + "<strong>" + value + "</strong>" + "<br>";
+		if (typeof value !== "string") {
+			continue;
+		}
+		str += key + " " + "<strong>" + sanitizeHTML(value) + "</strong>" + "<br>";
 	}
+
 	return str;
 }