CVE-2022-29172: Merge pull request from GHSA-7ww6-75fj-jcj7 · auth0/lock@79ae557
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the "additional signup fields" feature is configured, a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service user_metadata payload (using the name property). Verification emails, when applicable, are generated using this metadata. It is therefore possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using auth0-lock version 11.32.2 or lower and are using the "additional signup fields" feature in your application. Upgrade to version 11.33.0.
@@ -137,4 +137,75 @@ describe('database/actions.js’, () => {
expect(signUpMock.calls.length).toBe(1);
expect(signUpMock.calls[0][0]).toBe(id);
});
it('sanitizes additionalSignUp fields using dompurify’, () => {
const id = 1;
const hookRunner = jest.fn((str, m, context, fn) => fn());
require(‘connection/database/index’).databaseConnectionName = () => 'test-connection’;
require(‘connection/database/index’).shouldAutoLogin = () => true;
// Test different fields using some examples from DOMPurify
// https://github.com/cure53/DOMPurify#some-purification-samples-please
const m = Immutable.fromJS({
field: {
email: {
value: ‘[email protected]’
},
password: {
value: ‘testpass’
},
family_name: {
value: ‘Test <a href="https://www.google.co.uk">Fake link</a>’ // HTML but not malicious
},
given_name: {
value: ‘<img src=x onerror=alert(1)//>’
},
name: {
value: ‘<p>abc<iframe//src=jAva script:alert(3)>def</p>’
},
other_name: {
value:
‘<div onclick=alert(0)><form onsubmit=alert(1)><input onfocus=alert(2) name=parentNode>123</form></div>’
}
},
database: {
additionalSignUpFields: [
{ name: 'family_name’, storage: ‘root’ },
{ name: 'given_name’, storage: ‘root’ },
{ name: 'name’, storage: ‘root’ },
{ name: ‘other_name’ }
]
},
core: {
hookRunner
}
});
swap(setEntity, 'lock’, id, m);
signUp(id);
const {
validateAndSubmit: { mock: validateAndSubmitMock }
} = coreActionsMock();
validateAndSubmitMock.calls[0][2](m);
const {
signUp: { mock: signUpMock }
} = webApiMock();
expect(signUpMock.calls[0][1]).toMatchObject({
connection: 'test-connection’,
email: '[email protected]’,
password: 'testpass’,
autoLogin: true,
family_name: 'Test Fake link’,
given_name: '’,
name: 'abc’,
user_metadata: {
other_name: ‘123’
}
});
});
});
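Review bot: the overrides `require('connection/database/index').databaseConnectionName = () => 'test-connection'` and `.shouldAutoLogin = () => true` mutate the shared module exports and are never restored, so they leak into every later test in this file; prefer `jest.spyOn(databaseModule, 'databaseConnectionName').mockReturnValue('test-connection')` with `mockRestore()` in an `afterEach`. The `toMatchObject` block also gives `email` and `password` plain values only, so it does not pin down that fields outside `additionalSignUpFields` are passed through untouched; a password containing `<` or `&` must reach the API byte-for-byte, and one such case in the fixture would catch the sanitizer being applied too broadly.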
Related news
### Overview

In versions before and including `11.32.2`, when the "additional signup fields" feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service `user_metadata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefore possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.

### Am I affected?

You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the "additional signup fields" feature in your application.

### How to fix that?

Upgrade to version `11.33.0`.

### Will this update impact my users?

Additional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version `11....