Impact
Code that uses KaTeX's trust
option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript:
links in the output, even if the trust
function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'
.
Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
- Allow-list instead of block protocols in your
trust
function.
- Manually lowercase
context.protocol
via context.protocol.toLowerCase()
before attempting to check for certain protocols.
- Avoid use of or turn off the
trust
option.
Details
KaTeX did not normalize the protocol
entry of the context
object provided to a user-specified trust
-function, so it could be a mix of lowercase and/or uppercase letters.
It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Allow all commands but forbid specific protocol: trust: (context) => context.protocol !== 'file'
Currently KaTeX internally sees file:
and File:
URLs as different protocols, so context.protocol
can be file
or File
, so the above check does not suffice. A simple workaround would be:
trust: (context) => context.protocol.toLowerCase() !== 'file'
Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.
References
Impact
Code that uses KaTeX's
trust
option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generatejavascript:
links in the output, even if thetrust
function tries to forbid this protocol viatrust: (context) => context.protocol !== 'javascript'
.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trust
function.context.protocol
viacontext.protocol.toLowerCase()
before attempting to check for certain protocols.trust
option.Details
KaTeX did not normalize the
protocol
entry of thecontext
object provided to a user-specifiedtrust
-function, so it could be a mix of lowercase and/or uppercase letters.It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Currently KaTeX internally sees
file:
andFile:
URLs as different protocols, socontext.protocol
can befile
orFile
, so the above check does not suffice. A simple workaround would be:Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
References