yolapi metadata.py render_description cross site scripting
Description
Cross-site scripting (XSS) vulnerability in yolapi's render_description function allows remote attackers to inject arbitrary HTML/JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The flaw is in the render_description function in yolapi/pypi/metadata.py. The function renders user-supplied text as HTML without sanitizing it, so any markup passed in the text argument reaches the browser unchanged and arbitrary HTML and JavaScript can be injected. All versions prior to commit a0fe129055a99f429133a5c40cb13b44611ff796 are affected [1].
Exploitation
An attacker exploits the flaw remotely by supplying a crafted text value that reaches render_description. Per the cited description, no authentication or special privileges are required and the attack is carried out over the network: the attacker submits HTML or JavaScript as the text value, and it is rendered unsanitized to anyone who views the description [1].
Impact
Successful exploitation runs attacker-controlled JavaScript in the browser of a user who views the rendered description, within the application's origin. This enables session hijacking, defacement, and theft of sensitive information. The impact is confined to the client side, but the attacker can perform actions on behalf of the victim within the application [1].
Mitigation
The fix is commit a0fe129055a99f429133a5c40cb13b44611ff796, which sanitizes the description with the bleach library: allowed HTML tags are restricted to a safe subset (e.g., a, cite, pre) and attributes and styles are filtered before rendering. Users should deploy a build that includes this commit and verify that the running version contains it. No workaround is given in the available references [1].
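The pattern behind both the flaw and the fix, as an added example that is not code from yolapi or from the commit above: the vulnerable shape passes the text through untouched, while the hardened shape keeps only an allowlist of tags and attributes and rejects unsafe link schemes. The project's patch uses bleach; this example implements the same allowlist idea with only the standard library so it runs offline. Function names, the attribute allowlist, and the URL-scheme list are assumptions, and the tag allowlist is limited to the three tags the page names as examples (the full list in the commit is not reproduced here).

```python
"""Added example (not yolapi code): unsanitized rendering beside an
allowlist sanitizer built on html.parser, standing in for bleach.clean."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist. The page names a, cite and pre as examples of permitted tags;
# the attribute and scheme lists below are this example's assumptions.
ALLOWED_TAGS = {"a", "cite", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_description_unsafe(text):
    """Vulnerable shape (hypothetical name): markup goes to the page as-is,
    so <script> or an onerror= handler in `text` executes in viewers' browsers."""
    return text


class _AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes and escapes all text.
    Disallowed tags are dropped but their text content is kept, and
    unclosed allowed tags are closed so the output stays well-formed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack of allowed tags currently open

    @staticmethod
    def _safe_href(value):
        # Reject javascript:, data:, vbscript: etc.; relative URLs are fine.
        scheme = urlparse(value).scheme.lower()
        return scheme == "" or scheme in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # e.g. <script>, <img>, <iframe> are dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on* handlers, style=, and anything unknown
            if name == "href" and not self._safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed close tag: ignore
        # Close anything opened after `tag` first, then `tag` itself.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        # Text is always escaped; this is what the vulnerable version skips.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()  # flush parser buffers
        while self.open_tags:  # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def render_description_safe(text):
    """Hardened shape (hypothetical name): allowlist-sanitize before rendering."""
    sanitizer = _AllowlistSanitizer()
    sanitizer.feed(text)
    return sanitizer.result()


if __name__ == "__main__":
    # Constructed payloads of the kind an attacker would submit as `text`.
    for payload in (
        '<img src=x onerror="alert(1)">Useful package',
        '<a href="javascript:alert(1)" onclick="steal()">docs</a>',
        '<pre>pip install example</pre><cite>unclosed',
    ):
        print("unsafe:", render_description_unsafe(payload))
        print("safe:  ", render_description_safe(payload))
```

Usage note: the unsafe function returns the payload verbatim, which is the behaviour the advisory describes; the safe function strips the img tag and its handler, drops the javascript: href and onclick, and closes the dangling cite. Tag filtering alone is not enough: without the scheme check on href, a `javascript:` link would survive an allowlist that permits `<a>`.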
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- yolapi/yolapi (description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/yola/yolapi/commit/a0fe129055a99f429133a5c40cb13b44611ff796 (mitre: patch)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
News mentions
No linked articles in our index yet.