Bug #17641

closed

Markdown descriptions in directives and groups are evaluated, resulting in Javascript execution

Added by Nicolas CHARLES almost 4 years ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Priority:
0
Name check:
To do
Fix check:
To do

Description

Markdown can be used in Directive and Group descriptions to make them more readable.
However, it is possible to put a script in this markdown, and that script gets executed when the group or directive details are displayed (and also in the change request list).

This ticket fixes the issue by running the showdown XSS filter over the rendered markdown so that JavaScript is not evaluated.


Subtasks 1 (0 open, 1 closed)

Bug #17698: Tooltips in interface tree evaluate scripts (Released, François ARMAND)

#1

Updated by Nicolas CHARLES almost 4 years ago

  • Description updated (diff)
#2

Updated by Nicolas CHARLES almost 4 years ago

  • Subject changed from description in directives are evaluated, and we can inject whatever we want to description in directives and groups are evaluated, and we can inject whatever we want
#3

Updated by Nicolas CHARLES almost 4 years ago

https://github.com/showdownjs/showdown/issues/454

filtering has to be done server side

#4

Updated by Nicolas CHARLES almost 4 years ago

  • Status changed from New to In progress
  • Assignee set to Nicolas CHARLES
#5

Updated by Nicolas CHARLES almost 4 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/3060
#6

Updated by Nicolas CHARLES almost 4 years ago

  • Status changed from Pending technical review to Pending release
#7

Updated by Nicolas CHARLES almost 4 years ago

  • Subject changed from description in directives and groups are evaluated, and we can inject whatever we want to Markdown descriptions in directives and groups are evaluated, resulting in Javascript execution
  • Description updated (diff)
#8

Updated by Vincent MEMBRÉ almost 4 years ago

This bug has been fixed in Rudder 6.0.7 and 6.1.1 which were released today.

#9

Updated by Vincent MEMBRÉ almost 4 years ago

  • Status changed from Pending release to Released
  • Private changed from Yes to No