Project

General

Profile

Actions
Copy link

Bug #19456

closed

Lack of HTML escaping in nodes list

Added by Alexis Mousset almost 3 years ago. Updated 9 months ago.

Status:
Released
Priority:
N/A
Assignee:
Nicolas CHARLES
Category:
Security
Target version:
6.1.14
Pull Request:
https://github.com/Normation/rudder/p...
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

it is possible run JS from nodes list fields (for example nodes hostname)

Subtasks 4 (0 open4 closed)

Bug #19505: In branch 6.2, values in configurable columns must also escape JSReleasedNicolas CHARLESActions
Bug #19506: Escape HTML in expected value in testRejectedFrançois ARMANDActions
Bug #19518: Property with inherited values display is broken on page reload on node listReleasedVincent MEMBRÉActions
Bug #19513: Hostname is not escaped in page details title and in inherited propertiesReleasedNicolas CHARLESActions

Related issues 6 (0 open6 closed)

Related to Rudder - Bug #19457: Enforce stricter restriction on authorized node id and hostnameReleasedVincent MEMBRÉActions
Related to Rudder - Bug #19458: Validate the hostname fieldRejectedActions
Related to Rudder - Bug #19514: JS in a node name is evaluated in the rule changesReleasedActions
Related to Rudder - Bug #19488: Sanitize JS content in inventory & node propertiesRejectedVincent MEMBRÉActions
Related to Rudder - Bug #19085: Inherited node properties are displayed with escapeReleasedVincent MEMBRÉActions
Related to Rudder - Bug #21442: Various XSS vulnerabilities in the interfaceResolvedFrançois ARMANDActions
Actions
Copy link
 #1

Updated by Nicolas CHARLES almost 3 years ago

  • Target version changed from 6.2.8 to 6.1.14

exists also in 6.1

Actions
Copy link
 #2

Updated by Nicolas CHARLES almost 3 years ago

and it does break the node details

Actions
Copy link
 #3

Updated by François ARMAND almost 3 years ago

I will keep that ticket for the general case, and in the meantime add a special check for uuid (#19457) and hostname (#19458).

Actions
Copy link
 #4

Updated by François ARMAND almost 3 years ago

  • Related to Bug #19457: Enforce stricter restriction on authorized node id and hostname added
Actions
Copy link
 #5

Updated by François ARMAND almost 3 years ago

  • Related to Bug #19458: Validate the hostname field added
Actions
Copy link
 #6

Updated by François ARMAND almost 3 years ago

Hostname and uuid are sanitize on inventory reception.
Need to see other fields.

Actions
Copy link
 #7

Updated by François ARMAND almost 3 years ago

Strategy:
- we sanitize all inventory fields appart inventory properties when parsing inventories,
- inventory properties: we need to check what to do here. Perhaps it's ok to sanize user values too.

Actions
Copy link
 #8

Updated by François ARMAND almost 3 years ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions
Copy link
 #9

Updated by François ARMAND almost 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/3704
Actions
Copy link
 #10

Updated by François ARMAND almost 3 years ago

  • Status changed from Pending technical review to Pending release
Actions
Copy link
 #11

Updated by Nicolas CHARLES almost 3 years ago

hostname is not correctly escaped
using 

<script>alert("bob");</script>
as a hostname causes JS error on the node details 
Uncaught SyntaxError: missing ) after argument listb56ca15c-643f-4f55-8ca8-37ed2bce44ae:2055:73

Actions
Copy link
 #12

Updated by Nicolas CHARLES almost 3 years ago

  • Fix check changed from To do to Error - Blocking

and JS is executed in the rule page

Actions
Copy link
 #13

Updated by François ARMAND almost 3 years ago

  • Fix check changed from Error - Blocking to Checked
Actions
Copy link
 #14

Updated by Vincent MEMBRÉ almost 3 years ago

This bug has been fixed in Rudder 6.1.14 and 6.2.8 which were released today.

Actions
Copy link
 #15

Updated by Vincent MEMBRÉ almost 3 years ago

  • Related to Bug #19514: JS in a node name is evaluated in the rule changes added
Actions
Copy link
 #16

Updated by Vincent MEMBRÉ almost 3 years ago

  • Related to Bug #19488: Sanitize JS content in inventory & node properties added
Actions
Copy link
 #17

Updated by Vincent MEMBRÉ almost 3 years ago

  • Status changed from Pending release to Released
Actions
Copy link
 #18

Updated by François ARMAND over 2 years ago

  • Related to Bug #19085: Inherited node properties are displayed with escape added
Actions
Copy link
 #19

Updated by François ARMAND almost 2 years ago

  • Related to Bug #21442: Various XSS vulnerabilities in the interface added
Actions
Copy link
 #20

Updated by Alexis Mousset 9 months ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF