XSS filter problem with Github

yes_noscript

XSS filter problem with Github

Post by yes_noscript »

Now with the latest NoScript dev version (5.0.6rc4) I get an XSS message on https://github.com/JustOff/pale-moon-lo ... n/releases and even if I allow it, I can't install the language file.
If I disable the XSS filter or add that URL to the XSS whitelist, it works.

Never saw that in older NoScript versions.

Log:
[NoScript HTTPS] Secure cookie set by github.com: user_session=LuUGasZWnbN8uX8xUK8_fv2SEEZiwLeDBdMTp0b-CexVLpTA; domain=github.com; path=/; HttpOnly; Secure
[NoScript HTTPS] Secure cookie set by github.com: __Host-user_session_same_site=LuUGasZWnbN8uX8xUK8_fv2SEEZiwLeDBdMTp0b-CexVLpTA; domain=github.com; path=/; HttpOnly; Secure
[NoScript HTTPS] Secure cookie set by github.com: _gh_sess=eyJzZXNzaW9uX2lkIjoiZWY5ZjljYmU3MTk3NzlmMjVkNDdiZmFkZmI5Yzc5MzYiLCJzcHlfcmVwbyI6Ikp1c3RPZmYvcGFsZS1tb29uLWxvY2FsaXphdGlvbiIsInNweV9yZXBvX2F0IjoxNDk2MzQ4NzU5fQ%3D%3D--b818993aef782cf9cd34f84d8b6407b60a902c3f; domain=github.com; path=/; HttpOnly; Secure
Content Security Policy: Unbekannte Direktive 'block-all-mixed-content' kann nicht verarbeitet werden <unbekannt>
Content Security Policy: Unbekannte Direktive 'child-src' kann nicht verarbeitet werden <unbekannt>
Content Security Policy: Die Seiteneinstellung blockte das Laden einer Quelle bei: about:blank ("base-uri https://github.com"). <unbekannt>
mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create frameworks-611e7266c1a789a57e7c94581a4d1c142acf2a3c8894bfec8e0ef7a0f7727887.js:1:29972
Leerer String an getElementById() übergeben. github-48522d22246ed7a304c3601f2385ec9054631f3f26ed5aff6dca97cb192ef0bf.js:17:0
Leerer String an getElementById() übergeben. github-48522d22246ed7a304c3601f2385ec9054631f3f26ed5aff6dca97cb192ef0bf.js:6:0
Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Herkunft-Richtlinie (SOP) verbietet das Lesen der externen Ressource auf https://www.google-analytics.com/collect. (Grund: CORS-Anfrage fehlgeschlagen). <unbekannt>
Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Herkunft-Richtlinie (SOP) verbietet das Lesen der externen Ressource auf https://api.github.com/_private/browser/stats. (Grund: CORS-Anfrage fehlgeschlagen). <unbekannt>
[NoScript HTTPS] Secure cookie set by github.com: user_session=LuUGasZWnbN8uX8xUK8_fv2SEEZiwLeDBdMTp0b-CexVLpTA; domain=github.com; path=/; HttpOnly; Secure
[NoScript HTTPS] Secure cookie set by github.com: __Host-user_session_same_site=LuUGasZWnbN8uX8xUK8_fv2SEEZiwLeDBdMTp0b-CexVLpTA; domain=github.com; path=/; HttpOnly; Secure
[NoScript HTTPS] Secure cookie set by github.com: _gh_sess=eyJzZXNzaW9uX2lkIjoiZWY5ZjljYmU3MTk3NzlmMjVkNDdiZmFkZmI5Yzc5MzYiLCJzcHlfcmVwbyI6Ikp1c3RPZmYvcGFsZS1tb29uLWxvY2FsaXphdGlvbiIsInNweV9yZXBvX2F0IjoxNDk2MzQ4NzYyfQ%3D%3D--0fe57a9afef305e8fe4939b39e361e4b9af4ffd5; domain=github.com; path=/; HttpOnly; Secure
[NoScript InjectionChecker] JavaScript Injection in inline; filename=de.xpi&response-content-type=application/x-xpinstall
(function anonymous() {
inline; filename==de.xpi&response-content-type==application
})
[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [https://github-production-release-asset ... -xpinstall] angefordert von [https://github.com/JustOff/pale-moon-lo ... n/releases]. Bereinigte URL: [https://github-production-release-asset ... 9653664388].
TypeError: Network request failed frameworks-611e7266c1a789a57e7c94581a4d1c142acf2a3c8894bfec8e0ef7a0f7727887.js:1:18366
Die Webkonsolen-Logging-API (console.log, console.info, console.warn, console.error) wurde von einem Skript auf dieser Seite deaktiviert
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.9) Gecko/20100101 Goanna/3.2 Firefox/45.9 PaleMoon/27.3.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS filter problem with Github

Post by barbaz »

Confirmed in NoScript 5.0.6rc4, SeaMonkey '2.49.1pre' (based on Firefox 52 ESR).

My console messages look a bit different than yours -

[NoScript InjectionChecker] JavaScript Injection in inline; filename=de.xpi&response-content-type=application/x-xpinstall
(function anonymous() {
inline; filename==de.xpi&response-content-type==application
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://github-production-release-asset-2e65be.s3.amazonaws.com/73383804/5cd5f674-4647-11e7-84bc-65bf37459c44?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20170601%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170601T204630Z&X-Amz-Expires=300&X-Amz-Signature=2866e46b7d6d8b7e411cd37557dd05eba97f1b36ddf476376f43f20690d61790&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=inline%3B%20filename%3Dde.xpi&response-content-type=application%2Fx-xpinstall] requested from [https://github.com/JustOff/pale-moon-localization/releases/download/27.4.0_RC4/de.xpi]. Sanitized URL: [https://github-production-release-asset-2e65be.s3.amazonaws.com/73383804/5cd5f674-4647-11e7-84bc-65bf37459c44?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20170601%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170601T204630Z&X-Amz-Expires=300&X-Amz-Signature=2866e46b7d6d8b7e411cd37557dd05eba97f1b36ddf476376f43f20690d61790&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=inline%3B%20filename%20de.xpi&response-content-type=application%2Fx-xpinstall#7761861113232865446].
[NoScript InjectionChecker] JavaScript Injection in inline; filename=de.xpi&response-content-type=application/x-xpinstall
(function anonymous() {
inline; filename==de.xpi&response-content-type==application
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://github-production-release-asset-2e65be.s3.amazonaws.com/73383804/5cd5f674-4647-11e7-84bc-65bf37459c44?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20170601%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170601T204630Z&X-Amz-Expires=300&X-Amz-Signature=2866e46b7d6d8b7e411cd37557dd05eba97f1b36ddf476376f43f20690d61790&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=inline%3B%20filename%3Dde.xpi&response-content-type=application%2Fx-xpinstall] requested from [https://github.com/JustOff/pale-moon-localization/releases/download/27.4.0_RC4/de.xpi]. Sanitized URL: [https://github-production-release-asset-2e65be.s3.amazonaws.com/73383804/5cd5f674-4647-11e7-84bc-65bf37459c44?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20170601%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170601T204630Z&X-Amz-Expires=300&X-Amz-Signature=2866e46b7d6d8b7e411cd37557dd05eba97f1b36ddf476376f43f20690d61790&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=inline%3B%20filename%20de.xpi&response-content-type=application%2Fx-xpinstall#6871332225555615236].
The supposed JavaScript injection in the original URL is not what NoScript reports. It actually decodes to this -

inline; filename=de.xpi&response-content-type=application
I think this is a false positive. Moving to NoScript Development as a bug report.
*Always* check the changelogs BEFORE updating that important software!
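To see why the decoded fragment satisfies a pure syntax check, here is an added example in JavaScript (not NoScript's code and not from either poster). It reproduces the single-to-double `=` rewrite visible in the logged function body and uses `new Function()`, whose string form is the `function anonymous() {...}` wrapper the log shows, to test whether the fragment parses; ENCODED_FRAGMENT is copied from the logged original URL, and the filename with a space is a constructed counterexample.

```javascript
// Added example, not NoScript's code: shows why the decoded
// Content-Disposition fragment passes a JavaScript syntax check.

// Copied from the "Original URL" in the log above: the value of
// response-content-disposition plus the start of the next parameter.
const ENCODED_FRAGMENT =
  "inline%3B%20filename%3Dde.xpi&response-content-type=application";

// One level of percent-decoding, which is what the fragment
// "actually decodes to" in barbaz's post.
function decodeFragment(fragment) {
  return decodeURIComponent(fragment);
}

// Rewrite every single '=' as '==' (as seen in the logged function body),
// so "a=b" is tested as a comparison rather than as an assignment whose
// left-hand side might be rejected for an unrelated reason.
function doubleEquals(src) {
  return src.replace(/(^|[^=!<>])=(?!=)/g, "$1==");
}

// Syntax check only: new Function() parses its body and throws SyntaxError
// for invalid JavaScript. The function is never called, so nothing runs.
function parsesAsJavaScript(candidate) {
  try {
    new Function(doubleEquals(candidate));
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Walk the steps for one fragment and return each intermediate result.
function explainFlag(encoded) {
  const decoded = decodeFragment(encoded);
  const tested = doubleEquals(decoded);
  return { decoded, tested, parses: parsesAsJavaScript(decoded) };
}

// "inline; filename==de.xpi&response-content-type==application" parses as
// (filename == de.xpi) & (response - content - type == application):
// identifiers, '.', '&', '-' and '==' are all legal, so the check fires.
console.log(explainFlag(ENCODED_FRAGMENT));

// Constructed counterexample: a space in the filename leaves "report 2017"
// as two adjacent tokens with no operator, which is a SyntaxError.
console.log(parsesAsJavaScript("inline; filename=report 2017.pdf"));
```

The same shape of value, a bare `Content-Disposition` header reflected into a query string, is exactly what signed S3 download links carry, which is why a syntax-only heuristic can misfire on them.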