lud

lud

Oaskit 0.14.1 - security release

Hello everyone,

This is a security update for Oaskit. Version 0.14.1 is now on Hex and fixes a reflected cross-site scripting (XSS) vulnerability in the default error handler.

If you are using Oaskit you should upgrade now.

Following the recent effort of scanning libraries with Claude Code and Fable I found a vulnerability in one of my libraries. I will do the same for JSV later.

What was affected

Oaskit’s default error handler (Oaskit.ErrorHandler.Default) can render validation errors as an HTML page when a request’s Accept header contains html. This is enabled by default (html_errors: true) and is genuinely handy in development for reading errors straight from the browser.

The problem: request-controlled values (such as object keys from a request body or query parameter, or a malformed Content-Type) were written into that HTML page without escaping. A crafted link to a validating endpoint could execute JavaScript in the application’s origin, a plain GET navigation is enough, no form or special headers required. Dumb me yeah.

Severity is Medium (CVSS 6.1). The full write-up is in the advisory:

:right_arrow: GHSA-h7xw-x8wr-xpcc

The HTML error page stays on by default, because it’s useful in dev and all interpolated values are now HTML-escaped.

Who should upgrade

All versions before 0.14.1 are affected. If you use Oaskit, please bump:

{:oaskit, "~> 0.14.1"}

Workaround (if you can’t upgrade right away)

Disable HTML error rendering so only JSON errors are returned:

plug Oaskit.Plugs.ValidateRequest, html_errors: false

Apologies for the churn this upgrade causes, and for shipping the issue in the first place.

Thank you for using Oaskit! If you find anything suspicious, please report privately via the repository’s Security tab.

(@AstonJ does that still merge into the main library thread?)

First Post!

AstonJ

AstonJ

Now that any library/project can get one of our new forums we no longer need to merge the threads :icon_biggrin: however if you’d like a reference to updates like this in the main thread then simply link to the main thread like you have - it will then show in the footer of the post:

Btw if you want an easier way to set up one of our new forums (for Oaskit or any other library) you can just give provide the data as Rails create block, we can add it to our seed file and then set you up with the admin thread. Just PM me if you want to do it that way :023:

Where Next?

Popular in News & Updates Top

hugobarauna
This post announces the Livebook desktop app, a way to install Livebook on your machine without the requirement to have Elixir installed ...
New
fhunleth
We’ve released new versions of all of the officially maintained Nerves Systems. The official systems, nerves_system_rpi0, nerves_system_b...
New
mobileoverlord
New versions of the Kiosk systems are out. These systems update official Nerves systems with a local web browser for rendering user inter...
New
bartblast
I’m excited to announce Hologram v0.5.0, a major evolution of the full-stack Elixir web framework! This release brings massive performanc...
New
hugobarauna
Hugging Face is a platform for building, sharing, and collaborating on machine learning applications. This blog post explains how to run...
New
polvalente
Nx, EXLA and Torchx 0.12 have just been published! This update set comes with the new Nx.block abstraction and the EXLA.CustomCall proto...
New
bartblast
Hologram’s journey just took a significant leap forward: Curiosum is coming on board as the Main Sponsor, and I’m joining their team to w...
New
bartblast
Hey Elixir community! :waving_hand: First, I owe you all an apology. There’s a running joke among my friends that Hologram is like nucle...
New
jjcarstens
The Raspberry Pi is a very popular hardware platform for Nerves users and the official systems are getting an upgrade! :tada: :beers: Wh...
New
bartblast
Hey there! :slight_smile: We need help completing Elixir’s browser runtime by porting some Erlang functions to JavaScript. Hologram aut...
New

Other popular topics Top

Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
marick
I had some trouble figuring out how to make many-to-many associations work. Once I got it working, I wrote a blog post. Because I’m a nov...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

We're in Beta

About us Mission Statement