Security, CSP, and Stimulus

I am interested in Stimulus, but the documentation doesn’t seem to say anything about security. In particular, is stimulus compatible with a CSP setting that disables all embedded JavaScript? Can I be confident that in case my cross site scripting countermeasures fail, there is no way for an attacker to run arbitrary JavaScript? If an attacker manages to insert code into the HTML, how can I ensure that what they can do is limited if I use Stimulus? Will stimulus only call classes marked as controllers? Does it eval anything in the HTML? I wouldn’t be surprised if there is a very good story about this, but I simply don’t see any documentation about it. So this may be just a request to document this. Or maybe there is more to it. The lack of any information about security and stimulus is a big deal to me.

Thanks!

1 Like

Can I be confident that in case my cross site scripting countermeasures fail, there is no way for an attacker to run arbitrary JavaScript?

The short answer is that while there is no way for an attacker to run arbitrary JavaScript using Stimulus, if an attacker can insert or modify DOM elements on your page, they can use the data-action attribute to register an action that invokes an arbitrary method on one of your controllers in response to an event.

If an attacker manages to insert code into the HTML, how can I ensure that what they can do is limited if I use Stimulus?

Ensure that none of the methods on any of your controllers perform sensitive operations without appropriate safeguards.

Will stimulus only call classes marked as controllers?

Yes. All controller classes must be registered with corresponding identifiers in your Stimulus Application.

Does it eval anything in the HTML?

No. There is no use of eval in Stimulus. The action system does use dynamic dispatch to invoke controller methods, but that’s simply a property lookup on the controller instance. See the EventListener class for details.

I wouldn’t be surprised if there is a very good story about this, but I simply don’t see any documentation about it. So this may be just a request to document this. Or maybe there is more to it. The lack of any information about security and stimulus is a big deal to me.

I agree it’d be nice to have this spelled out in the documentation. Is that something you’d like to work on?

I agree it’d be nice to have this spelled out in the documentation. Is that something you’d like to work on?

Well, I’m not looking for work, but I’d be happy to create a pull request summarizing this email.

— David A. Wheeler

Okay, I’ve created a pull request. Hope it’s useful!

— David A. Wheeler

Wow—above and beyond. Lovely work. Thank you, @david-a-wheeler!

For people like me finding this via Google.

A pull request was made to update SECURITY.md on the main Stimulus Repo but this is not linked to the docs (at time of writing).

See stimulus/SECURITY.md at main · hotwired/stimulus · GitHub

Also