Headline
GHSA-7899-w6c4-vqc4: @misskey-dev/summaly Redirect Filter Bypass
Summary
A logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn’t enforced.
Details
In the main summaly function, a new scrapingOptions object is created and passed to either the matched plugin, if any, or the default summarize function. The issue here is that the new scrapingOptions object is not provided the allowRedirects property of opts.
PoC
- Publish a post containing a link to any URL that redirects on Misskey.
- A preview will be generated for the target of the redirect, despite Misskey passing
allowRedirects: false.
Impact
Misskey will follow redirects, despite explicitly requesting not to.
Summary
A logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn’t enforced.
Details
In the main summaly function, a new scrapingOptions object is created and passed to either the matched plugin, if any, or the default summarize function. The issue here is that the new scrapingOptions object is not provided the allowRedirects property of opts.
PoC
- Publish a post containing a link to any URL that redirects on Misskey.
- A preview will be generated for the target of the redirect, despite Misskey passing allowRedirects: false.
Impact
Misskey will follow redirects, despite explicitly requesting not to.
References
- GHSA-7899-w6c4-vqc4
- misskey-dev/summaly@45153b4