XSS vulnerability
Tell us about your environment: Any web browser
- Browser and Browser Version: Any
- After Effects Version: Any
What did you do? Please explain the steps you took before you encountered the problem. I created a lottie file with an expression inside of it. I edited the expression to contain the following code, to expose an XSS vulnerability within lottie-web:
}]; alert("Arbitrary evil XSS code.");[function _expression_function(){
Here’s a proof of concept (warning this contains an XSS attack, but the attack only displays an alert): https://codesandbox.io/s/empty-snowflake-lq6yhq?file=/src/evil-animation.json:1694-1767
What did you expect to happen? I hope that arbitrary code execution would not be possible.
What actually happened? Please include as much relevant detail as possible. This shows an alert when the animation is played. In a more malicious situation an attacker could:
- create a malicious lottie file
- send that lottie file to others
- when the others play the lottie file, lottie-web executes code that could do anything, like sending private information (authentication cookies, etc) to the attacker - and thus, the attacker gains access to other people’s private information!
Please provide a download link to the After Effects file that demonstrates the problem. Any file
Created a year ago; 9 comments (2 by maintainers)
Hi, lottie uses eval for expressions, and it attempts to prevent the most obvious exploit cases. There’s a lottie light version that doesn’t use expressions that is usually suggested if the files that are being loaded are not safe. There is also a lottie worker version that should execute on its own js instance that should prevent these types of scenarios as well. Unfortunately, in order to support expressions, eval needs to be used, so there is not a workaround besides the ones previously mentioned. At this point, I don’t think trying to continue patching the lottie-web context makes sense since it will never be completely safe. But any suggestions are welcome.
Recently this PR was merged, which adds an option to disable expressions (keeping them enabled by default): https://github.com/airbnb/lottie-web/pull/2833
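The maintainer's point is that expression text is spliced into JavaScript source and passed to eval, so an untrusted file should never reach the player with expressions intact. The following is an added example (not lottie-web's own code) of a pre-load pass that strips expressions from untrusted Lottie JSON and records what it removed; it assumes, as lottie-web's expression code does, that an expression is stored as a string under the "x" key of an animatable property (a non-string "x", such as split-position data, is left alone).

```javascript
// Added example, not lottie-web's own code: strip expressions from an
// untrusted Lottie JSON document before handing it to the player.
// Assumption: an expression is a string stored under the "x" key of an
// animatable property; an "x" that is not a string is ordinary data.

// Recursively walk an animation object, delete string-valued "x" keys and
// record their JSON paths so the caller can log what was removed.
function stripExpressions(node, path = '$', removed = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => stripExpressions(child, `${path}[${i}]`, removed));
  } else if (node && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      if (key === 'x' && typeof node[key] === 'string') {
        removed.push(`${path}.x`);
        delete node[key];
      } else {
        stripExpressions(node[key], `${path}.${key}`, removed);
      }
    }
  }
  return removed;
}

// Deep-copies the input so the untrusted object is never mutated in place,
// then returns the cleaned animation together with the audit trail.
function sanitizeLottie(animation) {
  const copy = JSON.parse(JSON.stringify(animation));
  const removed = stripExpressions(copy);
  return { animation: copy, removed };
}

// Constructed sample: one layer whose opacity carries the break-out string
// from the report, plus a split position whose "x" is ordinary keyframe data.
const SAMPLE = {
  v: '5.7.4', fr: 30, ip: 0, op: 60, w: 100, h: 100,
  layers: [{
    ty: 4, nm: 'shape', ks: {
      o: { a: 0, k: 100, x: '}]; alert("Arbitrary evil XSS code.");[function _expression_function(){' },
      p: { s: true, x: { a: 0, k: 0 }, y: { a: 0, k: 0 } },
    },
  }],
};

const result = sanitizeLottie(SAMPLE);
console.log(result.removed);                                   // → ['$.layers[0].ks.o.x']
console.log(JSON.stringify(result.animation.layers[0].ks.o)); // → {"a":0,"k":100}
```

Run this on every file from an untrusted source before `loadAnimation`, and treat a non-empty `removed` list as a signal worth logging, since a legitimate export for an expression-free pipeline should not contain any.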