[BUG] Stored XSS Vulnerability in the Dialog Configuration

[geckosecurity]

Version: 0.17.2

Description

A stored cross-site scripting (XSS) vulnerability exists in the dialog configuration functionality. The application fails to properly sanitize user input in the prompt_config fields, particularly in the "Opening greeting" section under "Assistant Setting". When this unsanitized content is later rendered using a markdown component with the rehype-raw plugin, malicious HTML and JavaScript can execute in victims' browsers.

Source - Sink Analysis

The vulnerability exists in the following function call chain:

1. Source: set_dialog() in /api/apps/dialog_app.py

• Accepts user-provided prompt_config parameter without sanitization:

  prompt_config = req.get("prompt_config", default_prompt)

2. Intermediate: DialogService.save() in /api/db/services/common_service.py

• Stores unsanitized user input directly in the database:

  sample_obj = cls.model(**kwargs).save(force_insert=True)

3. Intermediate: get_json_result() in /api/utils/api_utils.py

• Returns unsanitized data in JSON response:

  response = {"code": code, "message": message, "data": data}

4. Sink: HightLightMarkdown component in /web/src/components/highlight-markdown/index.tsx

• Renders unsanitized content with rehype-raw plugin, allowing JavaScript execution:

  rehypePlugins={[rehypeRaw, rehypeKatex]}

Proof of Concept

1. Log into RAGFlow application
2. Navigate to Chat section and click "Create an Assistant" button
3. Locate the "Opening greeting" field (prompt_config.prologue) and enter the following payload:

<iframe srcdoc="<script>alert('XSS Vulnerability in RAGFlow')</script>"></iframe>

4. Start a new conversation and observe that a JavaScript alert popup appears with the text "XSS Vulnerability in RAGFlow"

Impact

This stored XSS vulnerability allows attackers to:

• Execute arbitrary JavaScript in the context of other users' browsers.
• Steal authentication tokens, session cookies, and other sensitive information.
• Perform unauthorized actions on behalf of the victim.
• Access sensitive data potentially including knowledge base content.

[geckosecurity]

Hi @cike8899, are there any updates on the review of the vulnerability?

[asiroliu]

@KevinHuSh @cike8899
LGTM

@geckosecurity
Thank you for your submission.

• set Opening greeting

• I reproduced the issue using the nightly build:

• Testing with your latest code:

[cike8899]

Because I need to render legal HTML, I use DOMPurify to filter the output string. Thank you for your contribution. Fix: Use DOMPurify to filter out dangerous HTML #7668 @geckosecurity

[KevinHuSh]

Appreciations!