Agreed, I recommended filtering to only http(s) links in the github issue, I just made this x-post. I don't see a strong reason to let people link to weird things like `file:` and `data:`, or deeplink to installed apps on your computer/phone. Filtering the scheme to just http(s) is how Nutomic seems to have fixed it in the backend from what I can tell (I am not a rust dev).
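The scheme allowlist described in the comment above, written out as an added example (this is not Lemmy's code nor the backend fix the comment refers to). It assumes Node 18+ for the global WHATWG `URL` parser; the function name `sanitizeLinkHref`, the `base` default and the sample links are all constructed for illustration. It goes slightly beyond the comment by showing how the parser's own normalisation (whitespace stripping, tab/newline removal, scheme lowercasing) makes a protocol check robust against obfuscated schemes, and by resolving relative links against the site's origin so they survive the filter.

```javascript
// Added example (not Lemmy's code): allowlist outbound link schemes to http(s).
// Assumes Node 18+ (global WHATWG URL). Function and option names are hypothetical.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalised absolute URL when the link is http(s), otherwise null.
// Relative references are resolved against `base` (the site's own origin),
// so "/c/foo" stays usable while "javascript:", "data:", "file:" and
// app deep links such as "myapp://" are rejected.
function sanitizeLinkHref(raw, base = "https://forum.example/") {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces,
    // removes embedded tabs and newlines, and lowercases the scheme, so
    // obfuscations like "  JavaScript:" or "java\tscript:" still parse to
    // protocol "javascript:" and fall through to the allowlist check.
    url = new URL(raw, base);
  } catch {
    return null; // unparsable input: drop the link rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed sample links (not taken from the thread) covering the edge cases above.
const SAMPLE_LINKS = [
  "https://lemmy.example/post/1",
  "/c/security",
  "HTTPS://Lemmy.Example/x",
  "  JavaScript:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hello",
  "file:///etc/hostname",
  "myapp://open?id=1",
  "mailto:user@example",
];

// Returns [input, sanitized-or-null] pairs; useful for a unit test or a quick review.
function classifyLinks(links = SAMPLE_LINKS) {
  return links.map((href) => [href, sanitizeLinkHref(href)]);
}

for (const [input, out] of classifyLinks()) {
  console.log(`${JSON.stringify(input)} -> ${out === null ? "DROPPED" : out}`);
}
```

The check is deliberately done on the parsed `protocol` rather than with a string prefix test: a prefix test on the raw input misses the whitespace and case variants the parser quietly normalises, and it is the parsed form that the browser will act on when the link is clicked.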
Yeah, it can certainly help in some cases, defense in depth and all that. If the CSP were 'self' (allowing any JS hosted on your domain) this would probably be DoA. Sadly, until the frontend stops using `<script>` to set things on `window` to hydrate state from SSR to client-side they won't be able to change it without breaking things.
May the Lord have mercy on us all.
I believe if `unsafe-inline` were removed from `script-src` then the CSP would block this.
If the frontend depends on inline script tags then this likely can't be changed super easily... The fact that `unsafe-eval` is in `script-src` is kinda worrying as well. Ideally you would lock the CSP down a lot more than they have.
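The two CSP comments above (the one about the inline hydration `<script>` and the one about `unsafe-inline` / `unsafe-eval` in `script-src`) are illustrated by this added example, which is not Lemmy's code and does not reproduce Lemmy's actual header. It assumes Node 18+; `parseCsp`, `auditScriptSrc` and the two sample policies are constructed for illustration. The audit shows why the weak shape is a problem and shows the usual way to keep a server-rendered inline script while dropping `'unsafe-inline'`: a per-response nonce, which conforming browsers treat as superseding `'unsafe-inline'` in the same directive.

```javascript
// Added example (not Lemmy's code): parse a Content-Security-Policy header and
// audit the directive that governs script execution. Assumes Node 18+.
// The sample policies below are constructed for illustration, not copied from
// any real deployment.

// Parses "dir1 src src; dir2 src" into a Map of directive name -> source list.
// Per the CSP spec the first occurrence of a directive wins; repeats are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// script-src falls back to default-src when absent; null means no restriction at all.
function effectiveScriptSrc(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Returns { sources, findings }: findings is a list of plain-language weaknesses.
function auditScriptSrc(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  const findings = [];
  if (sources === null) {
    findings.push("no script-src or default-src: script execution is unrestricted");
    return { sources, findings };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // Browsers that support nonces/hashes ignore 'unsafe-inline' when one is present,
  // so it only weakens the policy when neither is listed.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' lets injected inline scripts and javascript: URLs execute");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' lets eval()/new Function() run attacker-controlled strings");
  }
  if (lower.includes("*") || lower.includes("https:") || lower.includes("http:")) {
    findings.push("scheme or wildcard source allows scripts from any origin");
  }
  return { sources, findings };
}

// Constructed policies: the weak shape discussed in the thread, and one way to keep
// an inline hydration <script> while dropping 'unsafe-inline' (a per-response nonce
// that the server also places on the <script nonce="..."> tag it emits).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const NONCE_POLICY = "default-src 'self'; script-src 'self' 'nonce-PER_RESPONSE_RANDOM'";

console.log(auditScriptSrc(WEAK_POLICY));
console.log(auditScriptSrc(NONCE_POLICY));
```

The nonce value must be freshly generated for every response and unguessable; reusing a fixed string defeats the purpose. Note also that a nonce covers the server's own inline `<script>` tags but gives nothing to `javascript:` links, which is the desired outcome here: with `'unsafe-inline'` gone they are simply blocked.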
I mean, a dialogue over months, maybe. Over a week of hearing nothing even saying they got your email and are looking into it is pretty bad on the part of the lemmy devs IMO. The "responsibility" part of responsible disclosure goes both ways. Also, this is incredibly low effort to find. This isn't even XSS really, it's just a complete lack of link filtering.
OP is just quoting me there I think. If they aren't quoting me then they did try to contact the developer...
Yeah, I found something that was "holy shit this is bad if someone finds a way to do X" and tried to report that but didn't dig any deeper. This is X.
I tried to email that previously with a different issue and got no response. I was planning to post publicly (on github) about a different issue on Friday, but that other issue is now way too severe to do that given how this can be leveraged to exploit what I found.
Yeah, I just wrote this up as a bug on github and added in that I tried to email them and to please get in contact about the other thing. Hopefully they see it. I can understand checking that email being overlooked considering how busy they likely are given the sudden influx and scaling issues.
Holy shit holy shit holy shit. Serious vulnerability confirmed. Combined with the issue(s) I have tried to report this is insane. I just tested this (and purged it so as not to publicly disclose just yet). This is really bad.
Damn... seems like there should be filtering to only allow `http:` and `https:` URIs...
Did you try the security email on github? I sent a vulnerability (that actually is way fucking worse than I thought given this issue) over a week ago and have heard nothing, so will be posting publicly soon.
If you find a decent alternative let me know. I have been looking for a while and not found anything that supports the full feature set I want (including Twilio).