  1. XWiki Platform
  2. XWIKI-24228

Wiki macro restricted flag bypass, script macros execute in restricted context


Details

    • Bug
    • Resolution: Invalid
    • Critical

    Description

      Requirements

      • A wiki macro authored by a user with script or programming right that contains script macros (e.g., velocity, groovy)
      • A guest or standard user who can post comments (or any content rendered in restricted mode)

      Explanation
      DefaultWikiMacroRenderer.java line 875 creates a new TransformationContext without propagating the parent restricted flag:

      TransformationContext transformationContext = new TransformationContext(xdom, this.wikimacro.getSourceSyntax());
      

      The restricted parameter defaults to false. When a wiki macro is called from restricted content (comments, annotations), the macro code executes unrestricted!

      The same bug exists in DefaultWikiComponentMethodExecutor.java line 180.

      For comparison, DefaultMacroContentParser.java lines 175-176 and AbstractExecutedContentMacro.java lines 147-150 correctly propagate the restricted flag.

      POC
      1. As admin, create page Macros.RestrictedBypassTest with:

      • A XWiki.WikiMacroClass object: id=restrictedBypassTest, content availability=No content, supports inline=Yes, visibility=Global, content type=Wiki
      • Macro code:
        {{velocity}}BYPASS-CONFIRMED{{/velocity}}

      2. As guest or standard user, post a comment on any page:

      {{restrictedBypassTest/}}

      3. View the page comments

      Expected (to my understanding): the velocity inside the wiki macro is blocked (restricted mode)
      Actual: BYPASS-CONFIRMED renders in the comment and the velocity executed

      Verified live on XWiki 18.2.1

      Impact
      Comments and annotations are rendered in restricted mode specifically to prevent script execution. This bypass breaks that security boundary. On wikis with admin-authored wiki macros containing script code (common in practice, I believe), any user who can post comments can invoke them from restricted context.

      Fix
      Propagate the restricted flag from the parent context:

      // DefaultWikiMacroRenderer.java line 875 BEFORE:
      TransformationContext transformationContext = new TransformationContext(xdom, this.wikimacro.getSourceSyntax());
      
      // AFTER:
      TransformationContext transformationContext = new TransformationContext(xdom, this.wikimacro.getSourceSyntax(), this.syncContext.getTransformationContext().isRestricted());
      

      Same fix needed in DefaultWikiComponentMethodExecutor.java line 180.
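
Added example (not part of the report and not XWiki code): a small Python audit helper that lists `new TransformationContext(...)` call sites built without an explicit restricted argument, the pattern the report points at. The Java sample is constructed from the two lines quoted above, the function names are hypothetical, and hits are only candidates for manual review.

```python
import re

CTOR = re.compile(r"new\s+TransformationContext\s*\(")

# Constructed sample, built from the BEFORE/AFTER lines quoted in the report.
SAMPLE = """\
// constructed sample
class Sample {
    void before() {
        TransformationContext c = new TransformationContext(xdom, this.wikimacro.getSourceSyntax());
    }
    void after() {
        TransformationContext c = new TransformationContext(xdom, this.wikimacro.getSourceSyntax(),
            this.syncContext.getTransformationContext().isRestricted());
    }
}
"""

def split_args(src, start):
    """Split the top-level arguments of a call; start is the index after '('.
    Nested brackets and quoted strings are tracked, generic '<...>' is not."""
    args, cur, depth, quote, i = [], [], 1, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":                      # keep escaped char, skip it
                cur.append(src[i:i + 2]); i += 2; continue
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:                      # closing paren of the call
                break
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch)
        i += 1
    last = "".join(cur).strip()
    return args + [last] if last else args

def find_default_restricted(src, filename="<input>"):
    """Return (file, line, args) for constructor calls with fewer than three
    arguments, i.e. no restricted flag passed at construction time."""
    hits = []
    for m in CTOR.finditer(src):
        args = split_args(src, m.end())
        if len(args) < 3:
            hits.append((filename, src.count("\n", 0, m.start()) + 1, args))
    return hits
```

A hit does not prove a problem by itself, since the flag may be set on the context after construction or the call may never be reachable from restricted content.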

          People

            MichaelHamann Michael Hamann
            ciaens Clément Christiaens