XSS Vulnerable - create archive of locally available CSS themes. #85
Description
As you willingly inject a remote script into your slack app, you are vulnerable to XSS.
const cssPath = 'https://cdn.rawgit.com/widget-/slack-black-theme/master/custom.css';
let cssPromise = fetch(cssPath).then(response => response.text());
Realistically, I have no idea what is in that CSS file when my slack app starts. Since it loads every time I open slack (usually daily) if someone were to update that css file to something malicious, all of us would be screwed and theoretically they could be reading all of our messages that are sent.
Additionally, as slack versions change and CSS needs to update per version, it would be helpful to have an archive of readily available themes for that version of slack rather than hunt through the issues for people who have fixed it, but have no where to add their contributions within the repo.
Solutions:
-
Tear down the CSS locally and do a good ole fashioned hardcoded
const css = '<css string>';. -
Clone the archive directly in the
resources\app.asar.unpacked\src\staticdirectory and do something to the extent of:const css = require('./themes/my-theme.css');
-
IMO this would be the correct solution (if possible) and adds on from step 2. Create an npm package that you can add to the main
package.jsonof slack and by adding as single function call (ex:addTheme('my-theme.css', cssOverwrites);) with a function that will take two parameters: one to declare the css theme you want to use, and and the second to declare any:root {}overwrites you want to prepend.
- This would resolve the XSS vulnerability of having no control of what is fetched in the remote script every time you log into your slack app.
- It would allow for multiple people to create their own themes for slack.
- And this also would be a seamless way to incorporate this for slack if they ever decide to provide the public with a dark theme. (It's been 4 years, pigs might fly before they give us what we want).