Awesome: several XSS vulnerabilities #227

@delatrie

Description

Describe the bug
Unsanitized input is assigned to innerHTML in the following contexts:

  1. When a trace is rendered in a test's or step's error in Awesome (this happens when a user expands the message):
    <pre dangerouslySetInnerHTML={{ __html: ansiTrace }}>{ansiTrace}</pre>
  2. When an HTML attachment (content type text/html) is opened for preview. This is relevant both for Awesome:
    return <div className={styles["html-attachment-preview"]} dangerouslySetInnerHTML={{ __html: attachment?.text }} />;

    ... and for Classic:
    return <div className={styles["html-attachment-preview"]} dangerouslySetInnerHTML={{ __html: attachment?.text }} />;
  3. When a code attachment with ANSI codes is expanded in Awesome (both in the inline view and in the modal window):
    dangerouslySetInnerHTML={{ __html: ansiTrace(rawText) }}

    It's possible this behavior will be extended to Classic.
    The following attachment types are affected:
    json: AttachmentCode,
    code: AttachmentCode,
    uri: AttachmentCode,
    css: AttachmentCode,
    table: AttachmentCode,
    html: AttachmentCode,
    text: AttachmentCode,

    The full list of content types corresponding to the above types can be found here:
    switch (fileType.type) {

While innerHTML doesn't run the code in a <script> tag, there are plenty of other ways to execute JS code. An example would be putting the code in onerror of an image with src set to a non-existing location:

<img src="-" onerror="alert('This input is not sanitized well enough :(')">

To Reproduce
Steps to reproduce the behavior:

  1. Download and extract the directory with test result files:
    allure-results.zip
  2. Generate the Allure Awesome report from the extracted directory.
  3. Navigate to the test details page.
  4. Expand the test message. Alert 1 will be shown.
  5. Expand the Foo step and click on the message. Alert 2 will be shown.
  6. Expand the index.html attachment. Alert 3 will be shown. The same alert is shown when the attachment preview is opened in the modal window.
  7. Expand the text attachment. Alert 4 will be shown. Unlike with the previous attachment, no alert is shown this time when the preview is opened in the modal window.

Expected behavior
No JavaScript is executed. In the context of the above example, that means no alerts should be shown.

Recording

Screen.Recording.2025-06-24.at.21.12.05.mov
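As an added example (not code from the Allure project or from the reporter), the following shows the defensive pattern for contexts 1 and 3 above: HTML-escape the untrusted trace text first, and only then translate ANSI SGR sequences into markup, so the only tags in the output are the ones the converter itself emits. The function name ansiToSafeHtml, the CSS class names, and the sample trace containing the onerror payload from this issue are assumptions constructed for this example.

```javascript
// Added example, not Allure's ansiTrace implementation.
// Strategy: escape the raw text before any ANSI-to-HTML conversion, so untrusted
// input can never contribute a tag or an attribute to the resulting markup.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Hypothetical class names for a handful of SGR parameters.
// Anything not in this allow-list is ignored, never echoed into the markup.
const SGR_CLASSES = {
  1: "ansi-bold",
  31: "ansi-red",
  32: "ansi-green",
  33: "ansi-yellow",
  34: "ansi-blue",
  36: "ansi-cyan",
};

// Convert a string containing ANSI SGR escapes (ESC [ ... m) into HTML.
// Text segments are escaped; SGR parameters only ever select a class from
// the allow-list above, so the output contains no attacker-controlled markup.
function ansiToSafeHtml(raw) {
  const out = [];
  const re = /\x1b\[([0-9;]*)m/g; // only SGR sequences are interpreted
  let open = 0; // number of <span> elements currently open
  let last = 0;
  let m;
  while ((m = re.exec(raw)) !== null) {
    out.push(escapeHtml(raw.slice(last, m.index)));
    last = re.lastIndex;
    const params = m[1] === "" ? [0] : m[1].split(";").map(Number);
    for (const p of params) {
      if (p === 0) {
        // SGR 0 resets all attributes: close every open span
        while (open > 0) { out.push("</span>"); open--; }
      } else if (Object.prototype.hasOwnProperty.call(SGR_CLASSES, p)) {
        out.push(`<span class="${SGR_CLASSES[p]}">`);
        open++;
      }
    }
  }
  out.push(escapeHtml(raw.slice(last)));
  while (open > 0) { out.push("</span>"); open--; } // never leave spans unbalanced
  return out.join("");
}

// Constructed sample trace: a coloured assertion message that embeds the
// payload quoted in this issue. Rendering the escaped result via innerHTML
// shows the text of the payload instead of creating an <img> element.
const SAMPLE_TRACE =
  "\x1b[1m\x1b[31mAssertionError\x1b[0m: <img src=\"-\" onerror=\"alert('This input is not sanitized well enough :(')\">";

function renderSampleTrace() {
  return ansiToSafeHtml(SAMPLE_TRACE);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSampleTrace());
}
```

Escaping is not the right tool for context 2, where an HTML attachment is supposed to be rendered as HTML. For that case the usual defensive route is isolation rather than innerHTML in the report's own origin, for example an iframe whose sandbox attribute does not include allow-scripts, so the attachment's own markup is displayed but cannot run script against the report.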
