Bug #19456
closed
Lack of HTML escaping in nodes list
Priority: 0
Name check: To do
Fix check: Checked
Description
It is possible to run JS from nodes list fields (for example the node's hostname).
Updated by Nicolas CHARLES over 3 years ago
- Target version changed from 6.2.8 to 6.1.14
exists also in 6.1
Updated by François ARMAND over 3 years ago
- Related to Bug #19457: Enforce stricter restriction on authorized node id and hostname added
Updated by François ARMAND over 3 years ago
- Related to Bug #19458: Validate the hostname field added
Updated by François ARMAND over 3 years ago
Hostname and uuid are sanitized on inventory reception.
Need to see other fields.
Updated by François ARMAND over 3 years ago
Strategy:
- we sanitize all inventory fields apart from inventory properties when parsing inventories,
- inventory properties: we need to check what to do here. Perhaps it's ok to sanitize user values too.
Updated by François ARMAND over 3 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND over 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/3704
Updated by François ARMAND over 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|03f2225d31e374066df17005559575cc3e03814a.
Updated by Nicolas CHARLES over 3 years ago
hostname is not correctly escaped
using <script>alert("bob");</script> as a hostname causes JS error on the node details
Uncaught SyntaxError: missing ) after argument list b56ca15c-643f-4f55-8ca8-37ed2bce44ae:2055:73
Updated by Nicolas CHARLES over 3 years ago
- Fix check changed from To do to Error - Blocking
and JS is executed in the rule page
Updated by François ARMAND over 3 years ago
- Fix check changed from Error - Blocking to Checked
Updated by Vincent MEMBRÉ over 3 years ago
This bug has been fixed in Rudder 6.1.14 and 6.2.8 which were released today.
Updated by Vincent MEMBRÉ over 3 years ago
- Related to Bug #19514: JS in a node name is evaluated in the rule changes added
Updated by Vincent MEMBRÉ over 3 years ago
- Related to Bug #19488: Sanitize JS content in inventory & node properties added
Updated by Vincent MEMBRÉ over 3 years ago
- Status changed from Pending release to Released
Updated by François ARMAND over 3 years ago
- Related to Bug #19085: Inherited node properties are displayed with escape added
Updated by François ARMAND over 2 years ago
- Related to Bug #21442: Various XSS vulnerabilities in the interface added
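
Added example, not part of the ticket and not Rudder's code: the hostname from the report above rendered for two output contexts, an HTML table cell and a string inside inline JavaScript, to show why HTML escaping alone leaves the second case open. It assumes the reported SyntaxError came from the hostname being concatenated into a JS call; `showNode` and all other function names are hypothetical.

```javascript
// Added example: context-aware output encoding for an untrusted hostname.
// All function names here (including showNode) are hypothetical, not Rudder's API.

// Hostname taken from the report above.
const hostname = '<script>alert("bob");</script>';

// HTML text/attribute context: neutralise markup metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> context: emit a JS string literal, then hide characters
// that could close the script element or act as line terminators.
function toInlineJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Table cell in the nodes list.
function renderCell(name) {
  return '<td>' + escapeHtml(name) + '</td>';
}

// Unsafe: raw concatenation; the quotes inside the value end the string early.
function renderInlineCallUnsafe(name) {
  return 'showNode("' + name + '")';
}

// Safe: the value is emitted as an encoded string literal.
function renderInlineCall(name) {
  return 'showNode(' + toInlineJsString(name) + ')';
}

// True when the generated statement parses as JavaScript (it is never executed).
function parses(code) {
  try { new Function(code); return true; } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

console.log(renderCell(hostname));
console.log(parses(renderInlineCallUnsafe(hostname)), parses(renderInlineCall(hostname)));
```
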