CVE-2024-29376
Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
Description
### Impact There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius. ### Patches The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.16, 1.13.1 and above. ### Workarounds 1. Create new file `assets/shop/sylius-province-field.js`: ```js // assets/shop/sylius-province-field.js function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts } const getProvinceInputValue = function getProvinceInputValue(valueSelector) { return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`; }; $.fn.extend({ provinceField() { const countrySelect = $('select[name$="[countryCode]"]'); countrySelect.on('change', (event) => { const select = $(event.currentTarget); const provinceContainer = select.parents('.field').next('div.province-container'); const provinceSelectFieldName = select.attr('name').replace('country', 'province'); const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName'); const provinceSelectFieldId = select.attr('id').replace('country', 'province'); const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName'); const form = select.parents('form'); if (select.val() === '' || select.val() == undefined) { provinceContainer.fadeOut('slow', () => { provinceContainer.html(''); }); return; } provinceContainer.attr('data-loading', true); form.addClass('loading'); $.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => { if (!response.content) { provinceContainer.fadeOut('slow', () => { provinceContainer.html(''); provinceContainer.removeAttr('data-loading'); form.removeClass('loading'); }); } else if (response.content.indexOf('select') !== -1) { provinceContainer.fadeOut('slow', () => { const provinceSelectValue = getProvinceInputValue(( $(provinceContainer).find('select > option[selected$="selected"]').val() )); provinceContainer.html(( response.content .replace('name="sylius_address_province"', `name="${provinceSelectFieldName}"${provinceSelectValue}`) .replace('id="sylius_address_province"', `id="${provinceSelectFieldId}"`) .replace('option value="" selected="selected"', 'option value=""') .replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}" selected="selected"`) )); provinceContainer.addClass('required'); provinceContainer.removeAttr('data-loading'); provinceContainer.fadeIn('fast', () => { form.removeClass('loading'); }); }); } else { provinceContainer.fadeOut('slow', () => { const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val()); provinceContainer.html(( response.content .replace('name="sylius_address_province"', `name="${provinceInputFieldName}"${provinceInputValue}`) .replace('id="sylius_address_province"', `id="${provinceInputFieldId}"`) )); provinceContainer.removeAttr('data-loading'); provinceContainer.fadeIn('fast', () => { form.removeClass('loading'); }); }); } }); }); if (countrySelect.val() !== '') { countrySelect.trigger('change'); } if ($.trim($('div.province-container').text()) === '') { $('select.country-select').trigger('change'); } const shippingAddressCheckbox = $('input[type="checkbox"][name$="[differentShippingAddress]"]'); const shippingAddressContainer = $('#sylius-shipping-address-container'); const toggleShippingAddress = function toggleShippingAddress() { shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked')); }; toggleShippingAddress(); shippingAddressCheckbox.on('change', toggleShippingAddress); }, }); ``` 2. Add new import in `assets/shop/entry.js`: ```js // assets/shop/entry.js // ... import './sylius-province-field'; ``` 3. If you're using Gulp, update your `gulpfile.babel.js`: ```diff import chug from 'gulp-chug'; + import concat from 'gulp-concat'; import gulp from 'gulp'; import yargs from 'yargs'; const { argv } = ... + const rootPath = argv.rootPath || 'public/assets'; + const config = [...]; '--rootPath', argv.rootPath || '../../../../../../../public/assets', '--nodeModulesPath', argv.nodeModulesPath || '../../../../../../../node_modules', ]; ... export const buildShop = ... + export const patchShopJs = function patchShopJs() { + return gulp.src([ + `${rootPath}/shop/js/app.js`, + 'assets/shop/sylius-province-field.js', + ]) + .pipe(concat('app.js')) + .pipe(gulp.dest(`${rootPath}/shop/js`)); + }; + patchShopJs.description = 'Append shop security patches to built app.js.'; ... - export const build = gulp.parallel(buildAdmin, buildShop); + export const build = gulp.series( + gulp.parallel(buildAdmin, buildShop), + patchShopJs, + ); ... - gulp.task('shop', buildShop); + gulp.task('shop', gulp.series(buildShop, patchShopJs)); ... ``` 4. Rebuild your assets: ```bash yarn build ``` ### Acknowledgements This security issue has been reported by @r2tunes, thank you! ### References - The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c ### For more information If you have any questions or comments about this advisory: * Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues) * Email us at security@sylius.com