JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
📋 Description
A malicious PyPI package can place a javascript: URL in its [project.urls] metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origin.
Details
One of the PyPI package's URL (jupyterlab/extensions/pypi.py) is copied straight into the homepage_url rendered by the frontend in packages/extensionmanager/src/widget.tsx#L77-L88.
best_guess_home_url = (
homepage_url # home_page / [project.urls] Homepage
or data.get("project_url")
or data.get("package_url")
or documentation_url # docs_url / [project.urls] Documentation
or source_url # [project.urls] Source Code
or bug_tracker_url # bugtrack_url / [project.urls] Bug Tracker
)
# homepage_url=best_guess_home_url
{entry.homepage_url ? (
<a href={entry.homepage_url} target="_blank" rel="noopener noreferrer" ...>
{entry.name}
</a>
) : ( <div>{entry.name}</div> )}
Impact
An attacker needs to publish a package to PyPI (no access to the target). When the package appears in a victim's extension manager list and the victim clicks the extension name, the payload runs in the JupyterLab origin.
Preconditions: Extension Manager enabled with the default PyPI source, the malicious package appears in the victim's list/search results.
Patches
🎯 Affected products1
- pip/jupyterlab:<= 4.5.8
🔗 References (5)
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vmhf-c436-hxj4
- https://github.com/jupyterlab/jupyterlab/commit/4e61e07d0a91145b53fbf96ac74b0387f6bc51f6
- https://github.com/jupyterlab/jupyterlab/commit/d5d961f6e10a6442dddbf94d9a976b3897055a12
- https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.9
- https://github.com/advisories/GHSA-vmhf-c436-hxj4