CVE-2022-1575 Stored XSS attack in versions < 18.0.0

[davidjgraph]

v5 - 2022-06-10 02:39 UTC

Summary

Versions of the draw.io editor prior to 18.0.0 are vulnerable to a stored XSS attack, CVE-2022-1575, when served without a CSP that prevents unsafe-inline script. See https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127/

Timeline

03.05.2022

• Received email to address specified in security.md file linking to private report at https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127/
• Assigned to tester who confirmed desktop app was vulnerable.
• Security team met, assigned responsiblity and started researching issue.

04.05.2022

• Found well maintained replacement for Caja HTML sanitizer and replaced code (DOMPurify).
• Tested and released fix to Github.
• app.diagrams.net was updated, but is not vulnerable as the CSP blocks such script from executing.
• Users deploying project without such a CSP directly using this project or the docker project are likely vulnerable and should update as soon as possible.

05.05.2022

• Released desktop app with fix.
• Posted issues to well known downstream projects to suggest they review for vulnerability and update as necessary.
• Security team checked fixes and had incident retrospective to indentify process weaknesses needing addressing.

Underlying cause

The Google Caja project has an HTML sanitizer that we used in draw.io to strip possible attacks that can be inserted in HTML output. The project is deprecated and an attack, https://twitter.com/terjanq/status/1359232986382798851, went unfixed.

What went wrong and how will we strengthen the process

• We used a deprecated dependency. - Our security process did not contain an annual review of the maintenance state of dependencies used. FIXED - added to annual review process
• Our automated scanning tools, synk and github, could not detect our use of this dependency due to the way we integrated the caja code. FIXED - Add all dependencies and versions to dummy package.json file to trigger scans from both tools.
• The desktop tool CSP did not block such attacks. We do use a CSP in the desktop tool, but it is not as strict as app.diagrams.net in order to allow for the use of user plugins. FIXED - Dynamically change the CSP to restrict unsafe-inline script prior to any diagram being loaded.

What went well

• The CSP at app.diagrams.net, our reference implementation of draw.io worked, as intended.
• The CSP in the desktop tool does block third-party domain XHR calls.
• Our incident response worked smoothly from our defined plan. Everyone knew their roles and what each step of the response would be. A fix was available on all platforms within 48 hours.
• huntr.dev exists as a platform to address such issues. This is not of our doing, but still a positive.
• The issue was likely only found because the source code was public, we are assuming it was scanned for a pattern.

Downstream Projects

CVE-2022-1575 FAQ for draw.io for Confluence and Jira

We welcome any feedback or questions regarding this issue. We will update this post frequently and edit the version and timestamp at the start of the post after each edit.