[SECURITY]: Cross-site Scripting (Snyk False Positives) #7866
**What happened?**

My team is using https://snyk.io/ to scan the source code in the LibreChat repo and we got the report below.

Issue: Cross-site Scripting (XSS)

With the experience on the "Path Traversal" that was perfectly handled, I attached the screenshots of all the issues belonging to this "XSS" group/category. I hope they all share the same response/solution. If there are any exceptions, I'd appreciate your help in drafting specific responses for those cases.

**Version**

v0.7.8

**Screenshots**

(nine screenshots were attached to the original post; the images are not reproduced here)
Replies: 2 comments 2 replies
Database controller methods returning structured query results are not XSS concerns when sent as JSON responses, as they have clearly defined data structures and are not rendered as HTML.

For the case of the `index.html` file, this is a false positive because the user input (language code) is properly sanitized on line 129 by converting single quotes to HTML entities, and the injection occurs only within an HTML attribute context where the sanitization is sufficient to prevent XSS exploitation.

I would also like to add that I cannot provide detailed analysis for every automated scanner report, for which we also run independently at our own discretion. My response effort will match the effort invested in the security report itself. Screenshots of static analysis findings without proof-of-concept exploits or actual vulnerability reproduction constitute low-effort reports.

LibreChat has undergone multiple professional security audits and penetration testing. For legitimate security vulnerabilities with reproduction steps, I recommend reports made to huntr.com: https://huntr.com/repos/danny-avila/librechat

In general, automated scanner outputs require human verification and context analysis before being considered actionable security issues.
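As an added example (not LibreChat's own code; the markup, escapers and sample inputs below are constructed assumptions standing in for the real `index.html` line 129), this models the reasoning in the reply above: escaping the quote character that delimits the attribute is what stops a language code from closing it, and it also shows the caveat that escaping only single quotes would not be enough if the attribute were double-quoted, plus why a JSON body of structured data is not an HTML rendering context.

```javascript
// Added example, not LibreChat's own code. The markup and escapers are
// constructed assumptions standing in for the index.html logic discussed above.

// Escaper matching the reply's description: single quotes become entities.
function escapeSingleQuotes(value) {
  return String(value).replace(/'/g, "&#39;");
}

// Fuller attribute escaper: covers both quote styles plus & < >.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Render a lang attribute with the chosen quote style (constructed markup).
function renderLangTag(lang, quote, escaper) {
  return `<html lang=${quote}${escaper(lang)}${quote}>`;
}

// True when the rendered tag still carries exactly one quoted attribute, i.e.
// the value could not terminate the attribute and introduce another one.
function attributeStaysClosed(tag) {
  const attrs = tag.match(/\s[a-zA-Z-]+=(?:'[^']*'|"[^"]*")/g) || [];
  return attrs.length === 1;
}

// JSON responses: structured data is serialised, not rendered. The string
// survives the round trip unchanged and the content type tells the client to
// treat it as data; nosniff stops browsers from second-guessing that type.
function jsonResponse(record) {
  return {
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
    body: JSON.stringify(record),
  };
}

// Constructed sample inputs: a language code carrying a stray quote.
const SINGLE_QUOTED_INPUT = "fr' data-x='y";
const DOUBLE_QUOTED_INPUT = 'fr" data-x="y';

console.log(renderLangTag(SINGLE_QUOTED_INPUT, "'", escapeSingleQuotes));
console.log(renderLangTag(DOUBLE_QUOTED_INPUT, '"', escapeSingleQuotes));
```

The second printed tag is the case the single-quote-only escaper does not cover: with a double-quoted attribute the value would need `&quot;` escaping instead, which is why the verdict in the reply depends on the attribute's actual quoting.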
I have "ignored" (in Snyk) all the issues in this category. I put the reason with the URL of this discussion.