OpenCode Cross-Site Scripting Vulnerability Leading to Local Command Execution
Vulnerability
A cross-site scripting vulnerability has been identified in OpenCode, an open-source AI coding agent, in versions prior to 1.1.10. The issue arises because the markdown renderer for large language model (LLM) responses can inject arbitrary HTML into the DOM. The web interface neither sanitizes that HTML properly with DOMPurify nor sets a Content Security Policy (CSP) that would block JavaScript execution through HTML injection. As a result, manipulating the LLM response in a chat session leads to JavaScript execution on the 'http://localhost:4096' origin. Exploitation of this vulnerability can lead to unauthorized execution of commands on the local system via the OpenCode API's '/pty/' endpoints, which are accessible after the JavaScript injection.
Impact
Successful exploitation allows for cross-site scripting on the localhost web UI, which can be leveraged to execute arbitrary commands on the local machine through the OpenCode API.
Reproduction
To reproduce this vulnerability, first run an OpenCode instance in a Docker container, exposing port 4096. Then, create a 'plugin.py' file with a script that injects a malicious chat session into the OpenCode web UI. This script should encode a command execution payload in base64 and insert it into the DOM as an image error handler. After loading this malicious session through the web interface, the injected JavaScript will execute the command on the local system.
Remediation
Users are advised to upgrade to OpenCode version 1.1.10 or later, which addresses the vulnerability by disabling the web UI/OpenCode API interaction that allows for such exploits.
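As an added example (not OpenCode's code and not part of the original advisory), the following heuristic audit flags chat messages containing raw HTML that would become active if a markdown renderer inserted it into the DOM unsanitized, such as the image error handler described under Reproduction. The `{role, text}` message shape, the rule names and the sample session are constructed assumptions; it is a triage aid for stored or shared sessions, not a replacement for sanitizing at render time.

```javascript
// Added example, not OpenCode code. Heuristic audit of chat messages for raw
// HTML that turns active when rendered markdown reaches the DOM unsanitized.
const RULES = [
  { id: "event-handler-attr", re: /<[a-z][^>]*\son[a-z]+\s*=/i },
  { id: "script-element", re: /<\s*script\b/i },
  { id: "script-url", re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { id: "embedding-element", re: /<\s*(?:iframe|object|embed)\b/i },
];

const FENCE = "`".repeat(3); // markdown code fence delimiter
const FENCED_BLOCK = new RegExp(FENCE + "[\\s\\S]*?" + FENCE, "g");
const INLINE_CODE = /`[^`\n]*`/g;

// Closed code fences and code spans render as text, so they are excluded to
// avoid flagging an agent's ordinary HTML code samples. Unclosed fences stay in.
function stripCode(markdown) {
  return markdown.replace(FENCED_BLOCK, "").replace(INLINE_CODE, "");
}

// Returns the ids of every rule that matches outside code.
function auditMessage(text) {
  const body = stripCode(text);
  return RULES.filter((rule) => rule.re.test(body)).map((rule) => rule.id);
}

// Returns one record per message that has at least one finding.
function auditSession(messages) {
  return messages
    .map((m, index) => ({ index, role: m.role, findings: auditMessage(m.text) }))
    .filter((record) => record.findings.length > 0);
}

// Constructed sample session; the {role, text} shape is an assumption.
const SAMPLE_SESSION = [
  { role: "user", text: "How do I show an image in HTML?" },
  { role: "assistant", text: "Use an `<img>` tag with a fallback:\n" + FENCE +
      "html\n<img src=\"a.png\" onerror=\"fallback()\">\n" + FENCE },
  { role: "assistant", text: "Done. <img src=x onerror=\"/* constructed placeholder */\">" },
  { role: "assistant", text: "See <a href=\"javascript:void(0)\">docs</a>" },
];

console.log(JSON.stringify(auditSession(SAMPLE_SESSION), null, 2));
```

Messages 2 and 3 of the sample are flagged, while the HTML inside the fenced code sample in message 1 is not.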
