Bug 989170 (CVE-2016-1000013) - VUL-0: CVE-2016-1000013: nodejs: Sanitization bypass using HTML Entities
Summary: VUL-0: CVE-2016-1000013: nodejs: Sanitization bypass using HTML Entities
Status: RESOLVED INVALID
Alias: CVE-2016-1000013
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170965/
Whiteboard: CVSSv2:NVD:CVE-2016-1000:10.0:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-15 13:25 UTC by Andreas Stieger
Modified: 2019-05-01 17:19 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Description Andreas Stieger 2016-07-15 13:25:34 UTC
https://nodesecurity.io/advisories/101

Overview: marked is an application that is meant to parse and compile markdown.

Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL.

This flaw exists because &#xNNanything; gets parsed as far as it can be and the rest is left behind, resulting in just anything; being left.

For example:

If a malicious user could provide the input javascript&#x58document;alert(1) to the application, it would result in a valid link that, when a user clicked it, would execute alert(1).
Remediation

To mitigate the flaw you have a couple of options. There's a pull request open that fixes this issue. Another option would be to switch to another markdown library such as remarkable.
References

    https://github.com/chjj/marked/pull/592
    https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523


--------

Does not affect SLE.

In openSUSE:Factory/nodejs:

./node-v6.3.0/tools/doc/node_modules/marked
./node-v6.3.0/tools/doc/node_modules/marked/bin/marked
./node-v6.3.0/tools/doc/node_modules/marked/lib/marked.js
./node-v6.3.0/tools/doc/node_modules/marked/man/marked.1
./node-v6.3.0/tools/doc/node_modules/marked/marked.min.js

openSUSE 13.2:

./node-v4.4.5/tools/doc/node_modules/marked
./node-v4.4.5/tools/doc/node_modules/marked/bin/marked
./node-v4.4.5/tools/doc/node_modules/marked/lib/marked.js
./node-v4.4.5/tools/doc/node_modules/marked/man/marked.1

openSUSE Leap 42.1:

./node-v4.4.5/tools/doc/node_modules/marked
./node-v4.4.5/tools/doc/node_modules/marked/bin/marked
./node-v4.4.5/tools/doc/node_modules/marked/lib/marked.js
./node-v4.4.5/tools/doc/node_modules/marked/man/marked.1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000013
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1000013.html
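The decoder mismatch the advisory describes, as an added example that is not part of this bug report and is not code from marked. It places a lenient entity decoder (any run of word characters between "&" and ";" treated as one entity, reconstructed here to match the advisory's description) next to a strict one (only a well-formed decimal, hex or named reference is consumed, trailing ";" optional, the shape of the fix in PR 592 as understood here), runs the same sanitize-style protocol check through both, and compares the verdict with what a browser makes of the numeric references in the same href. The sample hrefs are constructed; the first uses the decimal reference &#58 (":") rather than the hex &#x58 ("X") printed in the advisory, which is assumed here to be what the advisory intended.

```javascript
// Added example, not marked's source. Lenient vs. strict entity decoding in
// front of a javascript:-URL check, plus a browser-side reference decoder.

// Lenient decoder: treats any run of [#\w] between "&" and ";" as one entity.
// Reconstructed to mirror the behaviour the advisory describes.
function unescapeLenient(html) {
  return html.replace(/&([#\w]+);/g, (_, n) => {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n[0] === '#') {
      return n[1] === 'x'
        ? String.fromCharCode(parseInt(n.slice(2), 16))
        // Number("58document") is NaN, so a malformed decimal reference
        // becomes "\u0000" here instead of ":"
        : String.fromCharCode(+n.slice(1));
    }
    return '';
  });
}

// Strict decoder: only a well-formed decimal, hex or named reference is
// consumed, and the trailing ";" is optional, which is how browsers treat
// numeric references. Assumed to match the approach of the PR 592 fix.
function unescapeStrict(html) {
  return html.replace(/&(#\d+|#x[0-9a-f]+|\w+);?/gi, (_, n) => {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n[0] === '#') {
      return n[1] === 'x'
        ? String.fromCharCode(parseInt(n.slice(2), 16))
        : String.fromCharCode(parseInt(n.slice(1), 10));
    }
    return ''; // unknown named entity: drop it (conservative for a scheme check)
  });
}

// Scheme check of the kind a sanitize:true mode performs on a link target:
// decode, strip everything but word characters and ":", then test the scheme.
function isBlockedHref(href, unescapeFn) {
  let prot;
  try {
    prot = decodeURIComponent(unescapeFn(href)).replace(/[^\w:]/g, '').toLowerCase();
  } catch (e) {
    return true; // malformed percent-encoding: refuse rather than guess
  }
  return prot.startsWith('javascript:') || prot.startsWith('vbscript:');
}

// What a browser makes of numeric character references in an attribute value
// (greedy digits, ";" optional). Simplified: named references are not handled.
function browserDecodeNumeric(attr) {
  return attr.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, n) =>
    String.fromCharCode(n[0].toLowerCase() === 'x' ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// Compare both sanitizer verdicts with the browser's view of the same href.
function evaluateHref(href) {
  return {
    lenientBlocks: isBlockedHref(href, unescapeLenient),
    strictBlocks: isBlockedHref(href, unescapeStrict),
    browserSees: browserDecodeNumeric(href),
  };
}

// Constructed inputs (decimal 58 is ":").
const SAMPLES = [
  'javascript&#58document;alert(1)',   // malformed reference: lenient decoder misses it
  'javascript&#58;alert(1)',           // well-formed reference: both decoders catch it
  'https://example.com/?a=1&amp;b=2',  // benign: neither should block
];

for (const href of SAMPLES) {
  console.log(JSON.stringify(href), evaluateHref(href));
}
```

The first sample is the whole point: the lenient decoder turns "&#58document;" into a NUL byte, the stripped-down scheme string becomes "javascriptalert1" and the check passes, while the browser stops reading digits at "d", decodes ":" and follows javascript:document;alert(1). The strict decoder stops at the same place the browser does, so sanitizer and browser agree and the link is rejected.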
Comment 1 Swamp Workflow Management 2016-07-15 22:00:50 UTC
bugbot adjusting priority
Comment 2 Adam Majer 2016-08-10 12:10:33 UTC
I don't think this really affects any NodeJS versions. While all of them use (vulnerable) marked.js to generate documentation, this is only used internally during build and not distributed.

We are not distributing `marked` node module, as far as I can see.
Comment 3 Marguerite Su 2017-02-21 12:31:58 UTC
Reassigned to Adam since he's the first maintainer who replied.

My opinion is the same as Adam's: we didn't distribute the marked module at all.

Feel free to mark resolved Adam.

Marguerite
Comment 4 Karl Cheng 2017-10-08 09:08:51 UTC
Marking as resolved as per comment 2.