Type
security
Severity
high
Area
nmapui/handlers/settings.py — google_drive_callback_route
Description
The Google Drive OAuth callback route reflects user-controllable values directly into HTML responses without escaping, creating reflected XSS vulnerabilities in two places:
- The error query parameter from the OAuth redirect is injected unescaped:
error = request.args.get("error", "")
if error:
return f"<html><body><h3>Google Drive connection failed</h3><p>{error}</p></body></html>", 400
- The exception message in the catch-all handler:
except Exception as exc:
return f"<html><body>...<p>Unexpected callback error: {exc}</p></body></html>", 500
An attacker could craft a callback URL with ?error=<script>alert(document.cookie)</script> which would execute in the user's browser session.
Proposed Fix
HTML-escape all reflected values:
from html import escape
error = escape(request.args.get("error", ""))
# ...
return f"...<p>Unexpected callback error: {escape(str(exc))}</p>..."
Or better, return JSON responses and handle display in the frontend.
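The two fixes side by side, as an added example that is not code from the nmapui project: the callback's two response builders with every reflected value passed through html.escape, and the JSON alternative. The helper names (failed_html, unexpected_error_html, failed_json) are assumptions; no Flask import is needed, so it runs stand-alone.

```python
# Added example, not the project's own code. The response bodies mirror the
# two f-strings quoted in the report, with escaping applied; helper names are
# hypothetical.
import json
from html import escape


def failed_html(error: str) -> tuple[str, int]:
    """Escaped form of the 'connection failed' response (error comes from ?error=)."""
    body = (
        "<html><body><h3>Google Drive connection failed</h3>"
        f"<p>{escape(error)}</p></body></html>"
    )
    return body, 400


def unexpected_error_html(exc: BaseException) -> tuple[str, int]:
    """Escaped form of the catch-all response; str(exc) may echo attacker input too."""
    body = (
        "<html><body><h3>Google Drive connection failed</h3>"
        f"<p>Unexpected callback error: {escape(str(exc))}</p></body></html>"
    )
    return body, 500


def failed_json(error: str) -> tuple[str, int, dict]:
    """Alternative from the proposed fix: JSON body, rendering left to the frontend.

    json.dumps escapes quotes and backslashes, and the application/json
    Content-Type stops the browser treating the body as a document.
    """
    body = json.dumps({"ok": False, "error": error})
    return body, 400, {"Content-Type": "application/json"}


def contains_active_markup(body: str) -> bool:
    """Check used below: does a raw <script tag survive in the response body?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    # Constructed sample input: the payload quoted in the report.
    sample = "<script>alert(document.cookie)</script>"
    print(failed_html(sample)[0])
    print(unexpected_error_html(RuntimeError(sample))[0])
    print(failed_json(sample)[0])
```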
Related Issues
#164 (Security hardening initiative)