Details
-
Type:
Bug
-
Status:
Open
-
Priority:
Critical
-
Resolution: Unresolved
-
Affects Version/s: 0.9.16, 10.12.0
-
Fix Version/s: None
-
Component/s: WebUI
-
Labels: None
Description
Today I happened to use the webui and noticed that some of the syntax highlighting didn't quite look right, and it was pretty trivial to turn into an XSS vulnerability. It's not really much of a vulnerability in the on-premise solution given there are no ACLs there, but on platform it's possible for a malicious user to upload a cookbook and get someone with higher privileges to view it and Do Nasty Things.
It looks like the syntax highlighter (CodeRay) is trying to be smart about file formats; the problem is probably in a third-party dependency rather than Chef itself. I wasn't able to exploit a foo.html.erb template, but I didn't spend more than ~10 mins trying. There are probably issues in other content types, as well.
templates/default/foo.conf.erb:
</pre><script>alert("Oops");</script>
I'm not sure I agree this is a platform-specific bug. I haven't taken the time to reproduce this with the open-source chef-server-webui, but my impression is that it's just as vulnerable. A cursory inspection of the code shows that Application#show_plain_file makes no attempt to HTML escape, nor does app/views/cookbooks/show.html.haml, since it doesn't look like HAML is configured to do HTML escaping.
The exploitation cases on the open-source edition are less interesting; there are no ACLs, so it's not possible to do an escalation of privilege, and you need API credentials to upload a malicious cookbook to begin with. Effectively you're XSS attacking yourself. Still, it's a legitimate XSS vulnerability, and the fix belongs in the open-source version too.
Original source: http://help.opscode.com/discussions/questions/319-xss-vulnerability-in-chef-webui (private bug)
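To make the escaping point concrete, here is an added Ruby example (not code from the Chef webui) that models the unescaped rendering the comment above describes next to the hardened form, and runs the ticket's own sample payload through both. The helper names are hypothetical; the escape helper is ERB::Util.html_escape from the standard library.

```ruby
require "erb"

# The sample payload quoted in this ticket (copied here as test input).
PAYLOAD = %q{</pre><script>alert("Oops");</script>}

# Hypothetical model of the vulnerable path: the file body is interpolated
# into the <pre> wrapper verbatim, so a closing </pre> inside the content
# terminates the element early and the following <script> becomes live markup.
def show_plain_file_unescaped(content)
  "<pre>#{content}</pre>"
end

# Hardened form: escape before interpolating. ERB::Util.html_escape turns
# < > & " ' into entities, so the browser renders the payload as text.
# (For the HAML template the equivalent fix is HAML's :escape_html option,
# e.g. `Haml::Template.options[:escape_html] = true` in a Rails initializer;
# not exercised here because it needs the haml gem.)
def show_plain_file_escaped(content)
  "<pre>#{ERB::Util.html_escape(content)}</pre>"
end

# Crude detector for the regression test: does anything other than the one
# expected <pre> wrapper look like an HTML tag in the rendered output?
def injects_markup?(html)
  inner = html.delete_prefix("<pre>").delete_suffix("</pre>")
  inner.match?(%r{</?[a-z]}i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{show_plain_file_unescaped(PAYLOAD)}"
  puts "escaped:   #{show_plain_file_escaped(PAYLOAD)}"
  puts "unescaped injects markup? #{injects_markup?(show_plain_file_unescaped(PAYLOAD))}"
  puts "escaped injects markup?   #{injects_markup?(show_plain_file_escaped(PAYLOAD))}"
end
```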
Reproduced on Chef 10.12.0 by putting above sample code in files/default/foo.conf, uploading to the server, and viewing the cookbook in the web browser.