Bug #19456

closed

Lack of HTML escaping in nodes list

Added by Alexis Mousset over 3 years ago. Updated over 1 year ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression:

Description

It is possible to run JS from nodes list fields (for example, the node's hostname).


Subtasks 4 (0 open, 4 closed)

Bug #19505: In branch 6.2, values in configurable columns must also escape JS (Released, Nicolas CHARLES)
Bug #19506: Escape HTML in expected value in test (Rejected, François ARMAND)
Bug #19518: Property with inherited values display is broken on page reload on node list (Released, Vincent MEMBRÉ)
Bug #19513: Hostname is not escaped in page details title and in inherited properties (Released, Nicolas CHARLES)

Related issues 6 (0 open, 6 closed)

Related to Rudder - Bug #19457: Enforce stricter restriction on authorized node id and hostname (Released, Vincent MEMBRÉ)
Related to Rudder - Bug #19458: Validate the hostname field (Rejected)
Related to Rudder - Bug #19514: JS in a node name is evaluated in the rule changes (Released)
Related to Rudder - Bug #19488: Sanitize JS content in inventory & node properties (Rejected, Vincent MEMBRÉ)
Related to Rudder - Bug #19085: Inherited node properties are displayed with escape (Released, Vincent MEMBRÉ)
Related to Rudder - Bug #21442: Various XSS vulnerabilities in the interface (Resolved, François ARMAND)

Actions #1

Updated by Nicolas CHARLES over 3 years ago

  • Target version changed from 6.2.8 to 6.1.14

exists also in 6.1

Actions #2

Updated by Nicolas CHARLES over 3 years ago

and it does break the node details

Actions #3

Updated by François ARMAND over 3 years ago

I will keep that ticket for the general case, and in the meantime add a special check for uuid (#19457) and hostname (#19458).

Actions #4

Updated by François ARMAND over 3 years ago

  • Related to Bug #19457: Enforce stricter restriction on authorized node id and hostname added
Actions #5

Updated by François ARMAND over 3 years ago

  • Related to Bug #19458: Validate the hostname field added
Actions #6

Updated by François ARMAND over 3 years ago

Hostname and uuid are sanitized on inventory reception.
Need to see other fields.

Actions #7

Updated by François ARMAND over 3 years ago

Strategy:
- we sanitize all inventory fields apart from inventory properties when parsing inventories,
- inventory properties: we need to check what to do here. Perhaps it's ok to sanitize user values too.

Actions #8

Updated by François ARMAND over 3 years ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #9

Updated by François ARMAND over 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/3704
Actions #10

Updated by François ARMAND over 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #11

Updated by Nicolas CHARLES over 3 years ago

hostname is not correctly escaped
using

<script>alert("bob");</script>
as a hostname causes JS error on the node details
Uncaught SyntaxError: missing ) after argument list b56ca15c-643f-4f55-8ca8-37ed2bce44ae:2055:73
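
The symptom in the comment above (a hostname that is both markup and a script-breaking string) is a per-context escaping problem: HTML encoding covers a table cell, but a value placed inside generated JavaScript needs its own encoding. The following is an added example, not part of the ticket and not Rudder code; `showNode`, `escapeHtml`, `toJsLiteral` and the `cell*`/`call*` builders are hypothetical names, and placing the hostname inside an inline script call is an assumption made to reproduce the same class of error.

```javascript
// Constructed sample input: the hostname quoted in the comment above.
const hostname = '<script>alert("bob");</script>';

// HTML text or attribute context: encode the markup-significant characters.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> context: build a JS string literal, then \u-escape the
// characters that could close the script element or terminate the line.
function toJsLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Hypothetical page fragments (showNode is an assumed client-side function).
const cellUnsafe = (host) => `<td>${host}</td>`;
const cellSafe = (host) => `<td>${escapeHtml(host)}</td>`;
const callUnsafe = (host) => `showNode("${host}")`;
const callSafe = (host) => `showNode(${toJsLiteral(host)})`;

// Parse a generated script body without running it.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    return false;
  }
}

console.log(cellUnsafe(hostname)); // markup reaches the page unchanged
console.log(cellSafe(hostname));   // shown as inert text
console.log(parses(callUnsafe(hostname)), parses(callSafe(hostname)));
```

HTML-escaping alone would not make `callUnsafe` correct, since the browser decodes entities in attribute values before the script runs; each output context needs its own encoder.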

Actions #12

Updated by Nicolas CHARLES over 3 years ago

  • Fix check changed from To do to Error - Blocking

and JS is executed in the rule page

Actions #13

Updated by François ARMAND over 3 years ago

  • Fix check changed from Error - Blocking to Checked
Actions #14

Updated by Vincent MEMBRÉ over 3 years ago

This bug has been fixed in Rudder 6.1.14 and 6.2.8 which were released today.

Actions #15

Updated by Vincent MEMBRÉ over 3 years ago

  • Related to Bug #19514: JS in a node name is evaluated in the rule changes added
Actions #16

Updated by Vincent MEMBRÉ over 3 years ago

  • Related to Bug #19488: Sanitize JS content in inventory & node properties added
Actions #17

Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Pending release to Released
Actions #18

Updated by François ARMAND over 3 years ago

  • Related to Bug #19085: Inherited node properties are displayed with escape added
Actions #19

Updated by François ARMAND over 2 years ago

  • Related to Bug #21442: Various XSS vulnerabilities in the interface added
Actions #20

Updated by Alexis Mousset over 1 year ago

  • Private changed from Yes to No