Crash when selecting file

Open SamuelAlev opened this issue 2 years ago • 2 comments

Describe the bug

Crashes when selecting a file with the name Don't copy"><script>console.log('test');).png. It might be something bigger like XSS.

Reproduction

  1. Click file with name Don't copy"><script>console.log('test');).png

Expected behavior

No response

Platform and versions

pnpm: 8.9.0
cargo: not installed
rustc: not installed

Stack trace

APP CRASHED
We're past the event horizon…
SyntaxError: '[data-selectable-id="/Users/samuel.alev/Documents/Don't copy"><script>console.loq('test');).png"]' is not a valid selector.

Additional context

No response

SamuelAlev avatar Oct 13 '23 18:10 SamuelAlev

Can reproduce on ephemeral locations by:

  1. selecting the problematic file
  2. clicking on another file

Then this error is thrown: SyntaxError: The string did not match the expected pattern. — GridList.tsx:60

When attempting to navigate to the file using arrow keys, the file does not select at all (like select a file to the right of it, then press left arrow). Instead the above error is thrown.

Can't reproduce on an indexed location.

PineappleRind avatar Oct 13 '23 21:10 PineappleRind

I don't think this is an XSS vulnerability as we don't use dangerouslySetInnerHtml anywhere, it's just because using that raw string as a query selector isn't valid. We should be escaping it like React does automatically.

Brendonovich avatar Oct 14 '23 06:10 Brendonovich
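
The failure discussed in this thread, as an added example that is not part of the issue or of Spacedrive's code: a path interpolated into a [data-selectable-id="..."] selector ends the quoted string at its first double quote, and serializing the value as a CSS string first keeps the selector valid. The function names and the small well-formedness check are hypothetical; in a browser, CSS.escape() on the value does the escaping.

```javascript
// Added example. The attribute name and path come from the stack trace in
// the issue; every function name below is hypothetical.
const ATTR = "data-selectable-id";
const ISSUE_PATH =
  `/Users/samuel.alev/Documents/Don't copy"><script>console.log('test');).png`;

// CSSOM "serialize a string": wrap in double quotes and escape the
// characters that would otherwise end or corrupt the CSS string token.
function cssString(value) {
  let out = '"';
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (cp === 0) out += "\uFFFD";
    else if (cp <= 0x1f || cp === 0x7f) out += "\\" + cp.toString(16) + " ";
    else if (ch === '"' || ch === "\\") out += "\\" + ch;
    else out += ch;
  }
  return out + '"';
}

// What the crashing code path effectively built: raw interpolation.
function unsafeSelector(id) {
  return `[${ATTR}="${id}"]`;
}

// Same selector with the value serialized as a CSS string first.
function safeSelector(id) {
  return `[${ATTR}=${cssString(id)}]`;
}

// Minimal stand-in for the selector parser, so the difference is visible
// without a DOM: the quoted value must close exactly at the final `"]`.
function isWellFormed(selector) {
  const prefix = `[${ATTR}="`;
  if (!selector.startsWith(prefix)) return false;
  let i = prefix.length;
  while (i < selector.length) {
    const ch = selector[i];
    if (ch === "\\") { i += 2; continue; }   // escaped character, skip it
    if (ch === "\n") return false;           // raw newline ends a CSS string
    if (ch === '"') return selector.slice(i + 1) === "]";
    i += 1;
  }
  return false;                              // string never closed
}

console.log(isWellFormed(unsafeSelector(ISSUE_PATH)), unsafeSelector(ISSUE_PATH));
console.log(isWellFormed(safeSelector(ISSUE_PATH)), safeSelector(ISSUE_PATH));
```

The escaped selector still matches the element whose attribute holds the original, unescaped path, because the escapes are resolved when the selector is parsed.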