React v16.4.2: Server-side vulnerability fix

August 01, 2018 by Dan Abramov

We discovered a minor vulnerability that might affect some apps using ReactDOMServer. We are releasing a patch version for every affected React minor release so that you can upgrade with no friction. Read on for more details.

概述

Today, we are releasing a fix for a vulnerability we discovered in the react-dom/server implementation. It was introduced with the version 16.0.0 and has existed in all subsequent releases until today.

This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected. Additionally, we expect that most server-rendered apps don’t contain the vulnerable pattern described below. Nevertheless, we recommend to follow the mitigation instructions at the earliest opportunity.

While we were investigating this vulnerability, we found similar vulnerabilities in a few other popular front-end libraries. We have coordinated this release together with Vue and Preact releases fixing the same issue. The tracking number for this vulnerability is CVE-2018-6341.

Mitigation

We have prepared a patch release with a fix for every affected minor version.

16.0.x

如果你在这个版本中使用 react-dom/server

  • react-dom@16.0.0

升级到下面的版本来替换之前的版本。

  • react-dom@16.0.1 (contains the mitigation)

16.1.x

如果你在下面的任何一个版本中使用 react-dom/server

  • react-dom@16.1.0
  • react-dom@16.1.1

升级到下面的版本来替换之前的版本。

  • react-dom@16.1.2 (contains the mitigation)

16.2.x

如果你在下面的版本中使用 react-dom/server

  • react-dom@16.2.0

升级到下面的版本来替换之前的版本。

  • react-dom@16.2.1 (contains the mitigation)

16.3.x

如果你在下面的任何一个版本中使用 react-dom/server

  • react-dom@16.3.0
  • react-dom@16.3.1
  • react-dom@16.3.2

升级到下面的版本来替换之前的版本。

  • react-dom@16.3.3 (contains the mitigation)

16.4.x

如果你在下面的任何一个版本中使用 react-dom/server

  • react-dom@16.4.0
  • react-dom@16.4.1

升级到下面的版本来替换之前的版本。

  • react-dom@16.4.2 (contains the mitigation)

If you’re using a newer version of react-dom, no action is required.

Note that only the react-dom package needs to be updated.

细节描述

只有当这两个条件都为真时,您的应用程序才会受到这个漏洞的影响:

  • 您的应用程序正在使用HTML呈现 ReactDOMServer API, 并且
  • 您的应用程序在HTML标记中包含用户提供的属性名

具体说,脆弱模式就像下面的代码:

let props = {};
props[userProvidedData] = "hello";
let element = <div {...props} />;
let html = ReactDOMServer.renderToString(element);

为了利用这个脆弱模式,攻击者需要创建一个触发 XSS 漏洞的特殊属性名。例如:

let userProvidedData = '></div><script>alert("hi")</script>';

In the vulnerable versions of react-dom/server, the output would let the attacker inject arbitrary markup:

<div ></div><script>alert("hi")</script>

In the versions after the vulnerability was fixed (and before it was introduced), attributes with invalid names are skipped:

<div></div>

You would also see a warning about an invalid attribute name.

Note that we expect attribute names based on user input to be very rare in practice. It doesn’t serve any common practical use case, and has other potential security implications that React can’t guard against.

安装

React 16.4.2 版本可以在 npm 上获取。

使用 Yarn 安装 React 16 版本,运行下面的命令:

yarn add react@^16.4.2 react-dom@^16.4.2

使用 npm 安装 React 16 版本,运行下面的命令:

npm install --save react@^16.4.2 react-dom@^16.4.2

我们也提供了通过 CDN 的方式 UMD 建立React的方法:

<script crossorigin src="https://unpkg.com/react@16/umd/react.production.min.js"></script>
<script crossorigin src="https://unpkg.com/react-dom@16/umd/react-dom.production.min.js"></script>

点击链接获取 更详细的安装教程.

更新日志

React DOM 服务器

  • Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)

  • Fix a crash in the server renderer when an attribute is called hasOwnProperty. This fix is only available in react-dom@16.4.2. (@gaearon in #13303)