Mitra doesn't save files with a .js extension to the media directory, so it shouldn't be vulnerable to the same XSS attack as Pleroma. Neither does it store .html and .svg files (which can also execute scripts in the same origin). There's a list of supported media types, and if the media type is not whitelisted, the file is saved without an extension.
Conversation
silverpill (silverpill@mitra.social)'s status on Friday, 26-May-2023 21:50:59 JST
silverpill (silverpill@mitra.social)'s status on Friday, 26-May-2023 22:30:12 JST
@DarkMahesvara Without an extension, the script won't be executed in the browser, where it can steal your cookies or auth tokens.
Browsers will download the file instead of executing it (at least modern ones).
DarkMahesvara (darkmahesvara@varishangout.net)'s status on Friday, 26-May-2023 22:30:13 JST
@silverpill What exactly do you mean by "saved without extension"? AFAIK removing the extension does not prevent a file from being executed (at least on Unix). Or do you mean revoking execute permission, like with chmod? And even that would not prevent the file from being somehow processed by Pleroma in a vulnerable way (I could be totally wrong, though).
silverpill (silverpill@mitra.social)'s status on Friday, 26-May-2023 22:51:06 JST
@DarkMahesvara This article demonstrates an XSS attack with an SVG file: https://rietta.com/blog/svg-xss-injection-attacks/. If a user opens an attached SVG file with a malicious script, the script gets executed and it will have access to local storage under the same domain.
That being said, I don't know how one can perform this attack with a plain JS file. Probably there was some additional step.
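The upload-handling rule silverpill describes (a whitelist of media types, extensionless storage for anything else, and the browser downloading such a file instead of rendering it), as an added Python illustration that is not Mitra's or Pleroma's code. The whitelist contents and the response headers that make a browser download rather than render an extensionless file are this example's own assumptions.

```python
import hashlib

# Media types the server is willing to serve inline, mapped to the extension
# the stored file gets. Constructed list for this example, not Mitra's own.
ALLOWED_MEDIA_TYPES = {
    "image/png": "png",
    "image/jpeg": "jpg",
    "image/gif": "gif",
    "image/webp": "webp",
    "audio/mpeg": "mp3",
    "video/mp4": "mp4",
}


def stored_filename(data: bytes, declared_type: str) -> str:
    """Name under which an upload is written to the media directory.

    The name is a hash of the content, so the client's original filename
    (and any .js/.html/.svg extension it carried) is never reused. The
    extension comes only from the whitelist; a non-whitelisted media type
    such as text/html, image/svg+xml or application/javascript yields a
    name with no extension at all.
    """
    digest = hashlib.sha256(data).hexdigest()
    media_type = declared_type.split(";")[0].strip().lower()  # drop parameters
    ext = ALLOWED_MEDIA_TYPES.get(media_type)
    return f"{digest}.{ext}" if ext else digest


def serving_headers(stored_name: str) -> dict:
    """HTTP headers for serving a file from the media directory (assumed policy).

    A whitelisted extension is served with its real Content-Type. Anything
    else, including an extensionless file, is served as an opaque download:
    nosniff stops the browser from guessing a type from the bytes, and the
    attachment disposition makes it save the file instead of rendering it,
    so an HTML or SVG body never becomes a document in the media origin.
    """
    _, dot, ext = stored_name.rpartition(".")
    type_by_ext = {v: k for k, v in ALLOWED_MEDIA_TYPES.items()}
    if dot and ext in type_by_ext:
        return {"Content-Type": type_by_ext[ext], "X-Content-Type-Options": "nosniff"}
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Note that an unexpected .html or .svg file placed in the directory by other means is also served as a download, since only whitelisted extensions are mapped back to an inline Content-Type.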