XSS via event filter

[kprevas]

Bug Description

The filter property of a select parameter exposes the browser's Window object via event.view, allowing arbitrary code to be executed via scale(event.view.setTimeout, '[code payload here]').

This is related to vega/vega#3027. It is distinct from GHSA-4vq7-882g-wcg4 and is not fixed by vega/vega@ab371a0 as scale$2 only checks if a scale is registered when the scale is specified as a string; if a function is passed to scale() then it is invoked unconditionally.

The following example reproduces the issue:

https://vega.github.io/editor/#/url/vega-lite/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykBaADZ04JAKyUAVhDYA7EABoQAEzjQATjRyZ289AEEABBBoIcguIaZJ1h2DcyGA7nRiHETOMtXLDypJhUiioBKKigxEiCDGpoANqgYSD6wUxoAEwAHAC+ColoIABCqWhiYrn56ADCJagALADMFSBJACK1AJwAjM1JAKK1mT15LQUAYrViTSNJAOK1XR29BQASgwDsy+gAkpPp2QC6uSA4NkgIEPGgsudwBdqXShBwFlCYaKCYAJ44d+g4bBosneSjkHxA31+BQQbAYz2UbCc8iUyHUAGtIX8QKYkGQ7koAGY0QSYODqeIgaBROAACjgpGBlGINDgTkoz0wABVTHBYZgFAByanqTA0gA6LQsIolAEoBTKQEdsocUTY0QVrOSlHBZFA2MogWRwQAPcFEl7KAooJSYgqyNgIIFRYJIY00S7hECCJCeQT6WRkCxoAAMyqUXzNLMElvQaRtPyxAEcGEhgXQAjRSCBldkgA

Checklist

• I checked for duplicate issues.

[domoritz]

Thanks for the report. All XSS issues are probably Vega only. Can you create a repro there?

[kprevas]

Sorry, I'm not sure I understand your request. Are you asking if I'm able to repro this with a Vega config?

[domoritz]

Vega-Lite compiles to Vega and Vega is the only library needed at runtime after the Vega spec has been compiled. I am saying that this is probably an issue with Vega, no Vega-Lite. I am asking whether you can reproduce it there. I'm fairly certain it's a Vega bug, not Vega-Lite.

[kprevas]

Thank you. Filed vega/vega#3984