
Add validation to search facets to improve UX and eliminate XSS vulnerability #1271

Merged: 3 commits merged into release-1-12 from xss_fix, Jul 25, 2016

Conversation


@teosibileau teosibileau commented Jul 25, 2016

Issue #CIVIC-3513

  • Sets facets to be rewritable via hook_facet_items_alter in order to run filter_xss on them
  • Validates the content type parameter from the value provided in the url: `search/type/<content_type>`
  • Validates term ids from the value provided in the url for search/<taxonomy_field>/<format>-<tid> when taxonomy_field is either:
    • field_tags
    • field_topics
    • field_resources%253Afield_format
  • Validates authors
  • Validates licenses

Acceptance Criteria

  • search/type/notvalid should return a 404 for everything but valid content types
  • search/field_tags/notvalid should return a 404 for everything but valid term values for tags
  • search/field_topic/notvalid should return a 404 for everything but valid term values for topics
  • search/field_resources%253Afield_format/notvalid should return a 404 for everything but valid term values for formats
  • If one of multiple occurrences of a facet based on taxonomies is not valid, it should return a 404
  • search/field_license/notvalid should return a 404 for everything but valid license occurrences
  • any invalid combo of the above options should return a 404

+ Adds hook_facet_items_alter implementation to run filter_xss on every facet
+ Adds hook_menu_alter implementation to run validations for $items['search']
+ Validates all occurrences for facets based on taxonomies.
+ Validates field_license occurrences in the url
+ Validates author occurrences in the url
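The two hooks the description outlines, written out as an added Drupal 7 example (this is not code from the DKAN project or from this PR). Assumptions are marked in comments: the module name `facetguard` is hypothetical; `hook_facet_items_alter` is assumed to receive the facet items by reference with each item's display text under a `label` key; the facet keys are the ones named on this page after Drupal's own URL decoding; `field_license` is assumed to be a list field. The author facet is left out because its facet key is not given on the page.

```php
<?php
// Added example (hypothetical module "facetguard"); not DKAN code.
// Sanitises facet labels and returns 404 for search paths with invalid facet values.

/**
 * Implements hook_facet_items_alter().
 *
 * Assumption: items arrive by reference and carry their display text in
 * 'label'. filter_xss() strips tags and dangerous attributes so a crafted URL
 * segment that ends up in a facet renders as plain text.
 */
function facetguard_facet_items_alter(array &$items) {
  foreach ($items as &$item) {
    if (isset($item['label'])) {
      $item['label'] = filter_xss($item['label']);
    }
  }
}

/**
 * Implements hook_menu_alter().
 *
 * Wraps the existing 'search' page callback so the path is validated first.
 * The original callback and its arguments travel inside 'page arguments'.
 * (Integer placeholders nested inside the original arguments are not
 * substituted by the menu system; the search page is assumed not to rely on them.)
 */
function facetguard_menu_alter(&$items) {
  if (empty($items['search']['page callback'])) {
    return;
  }
  $original_callback = $items['search']['page callback'];
  $original_args = isset($items['search']['page arguments']) ? $items['search']['page arguments'] : array();
  $items['search']['page callback'] = 'facetguard_search_page';
  $items['search']['page arguments'] = array($original_callback, $original_args);
}

/**
 * Page callback: validate the facet segments, then defer to the original.
 * Returning MENU_NOT_FOUND makes Drupal deliver its standard 404 page.
 */
function facetguard_search_page($original_callback, array $original_args) {
  if (!facetguard_search_segments_valid(array_slice(arg(), 1))) {
    return MENU_NOT_FOUND;
  }
  return call_user_func_array($original_callback, $original_args);
}

/**
 * Reads the path after "search" as facet/value pairs. Every occurrence of a
 * validated facet must pass, so one bad value anywhere yields a 404.
 */
function facetguard_search_segments_valid(array $segments) {
  // Keys as seen after Drupal's URL decoding; the page's encoded
  // 'field_resources%253Afield_format' becomes the third key below.
  $validators = array(
    'type' => 'facetguard_valid_content_type',
    'field_tags' => 'facetguard_valid_term',
    'field_topic' => 'facetguard_valid_term',
    'field_resources:field_format' => 'facetguard_valid_term',
    'field_license' => 'facetguard_valid_list_value',
  );
  for ($i = 0; $i < count($segments); $i += 2) {
    $facet = rawurldecode($segments[$i]);
    if (!isset($validators[$facet])) {
      continue; // Not one of the validated facets; left to the search page.
    }
    $value = isset($segments[$i + 1]) ? $segments[$i + 1] : NULL;
    if ($value === NULL || !call_user_func($validators[$facet], $value, $facet)) {
      return FALSE;
    }
  }
  return TRUE;
}

// 'type' values must be machine names of existing content types.
function facetguard_valid_content_type($value) {
  return array_key_exists($value, node_type_get_types());
}

/**
 * Value shape '<format>-<tid>' as described in the PR: the numeric suffix must
 * be an existing term in a vocabulary the facet's field references.
 */
function facetguard_valid_term($value, $facet) {
  if (!preg_match('/^(?:.*-)?(\d+)$/', $value, $m)) {
    return FALSE;
  }
  $term = taxonomy_term_load((int) $m[1]);
  // Assumption: the last ':'-separated segment of the facet key is the field name.
  $field = field_info_field(substr(strrchr(':' . $facet, ':'), 1));
  if (!$term || !$field || $field['type'] !== 'taxonomy_term_reference') {
    return FALSE;
  }
  foreach ($field['settings']['allowed_values'] as $setting) {
    if ($setting['vocabulary'] === $term->vocabulary_machine_name) {
      return TRUE;
    }
  }
  return FALSE;
}

// For list fields (field_license assumed to be one): value must be a configured key.
function facetguard_valid_list_value($value, $facet) {
  $field = field_info_field($facet);
  if (!$field || !function_exists('list_allowed_values')) {
    return FALSE;
  }
  return array_key_exists($value, list_allowed_values($field));
}
```

Validation happens before the search view runs, so an invalid segment never reaches the query or the facet renderer; the `filter_xss()` pass in the alter hook is the second layer for anything that does get rendered.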

acouch commented Jul 25, 2016

This looks great. I was not able to inject text into the facets.

Should we add a test to verify that a 404 is produced?

```gherkin
When I visit "/search/type/notvalid"
Then I should see "Page not found"
And I should not see "Content Types"
```

@topicus topicus merged commit 9bf3422 into release-1-12 Jul 25, 2016
@ghost ghost deleted the xss_fix branch July 25, 2016 21:08
@dafeder dafeder changed the title Xss fix Add validation to search facets to improve UX and eliminate XSS vulnerability Jul 26, 2016
@dkinzer dkinzer added the devops label Aug 3, 2016