
fix: XSS vulnerability fix: add an XSS escaping middleware to the SaaS layer #844

Closed

Conversation

neronkl (Contributor) commented Dec 14, 2022

No description provided.

@neronkl neronkl closed this Dec 14, 2022
@neronkl neronkl reopened this Dec 14, 2022
@Canway-shiisa Canway-shiisa requested a review from wklken December 14, 2022 07:08
self.__escape_param_list = []
super(CheckXssMiddleware, self).__init__(*args, **kwargs)

def process_view(self, request, view, args, kwargs):
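Review bot: `self.__escape_param_list` uses a double-underscore prefix, which Python name-mangles to `_CheckXssMiddleware__escape_param_list`, so subclasses and settings-driven configuration cannot reach it cleanly; a single underscore (`self._escape_param_list`) is the conventional choice here and makes the escape list easy to extend per deployment.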
Collaborator review comment:

# support per-view exemption
if getattr(view, 'escape_exempt', False):
    return None

# if method not match, return
if request.method not in ["....]
    return

# check if is json
is_json = False
try:
    json.loads(....)
    is_json = True
except:
    is_json = False

if not is_json:
    return

try:
    ......
except Exception:
    logger.exception() # do not use log.error


def _transfer(self, _get_value):
if isinstance(_get_value, list):
return [escape_name(_value) for _value in _get_value if isinstance(_value, str)]
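Review bot: the list branch of `_transfer`, `[escape_name(_value) for _value in _get_value if isinstance(_value, str)]`, silently drops every non-string element, so `["a", 1, "b"]` is stored as `["a", "b"]` and the saved data no longer matches what the client sent. Keep non-strings and escape only the strings, e.g. `return [escape_name(v) if isinstance(v, str) else v for v in _get_value]`, and recurse into nested lists and dicts instead of skipping them.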
Collaborator review comment:

So anything that is not a string is simply discarded? ["a", 1, "b"]

an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""

Collaborator review comment:

In principle, do not process at the input side; process at the output side.

input_str = input_str.replace(">", "")
input_str = input_str.replace('"', "")
input_str = input_str.replace("'", "")
return input_str
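Review bot: the chained `replace` calls delete `>`, `"` and `'` from `input_str` rather than escaping them, which corrupts legitimate values (a display name such as `O'Brien` is stored as `OBrien`) and cannot be undone later, while a stripped string is still not safe in every rendering context. Escaping at render time (template autoescaping, or `html.escape(value, quote=True)` where HTML is produced) keeps the stored data intact and is a behaviour a unit test can actually pin down.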
Collaborator review comment:

There is no way to prove this middleware is correct, because there are no unit tests, and even if there were, they could not cover every input scenario.

Collaborator review comment:

Although everything is JSON right now, there is no guarantee that other submission formats will not appear in the future; this implementation is too bespoke.

@wklken wklken closed this Dec 15, 2022
wklken (Collaborator) commented Dec 15, 2022

The middleware cannot be proven correct and cannot cover every scenario; the risk of introducing it is too high.
This kind of input-side handling is also not recommended at present.

Handling for #796:

  1. In the frontend's create-user / update-user slz, handle display_name separately (only this field needs handling; the other fields are left alone)
  2. At the same time, push the permission center frontend to handle the popup XSS
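The trade-off the reviewers describe, input-side stripping versus output-side escaping, as an added example that is not code from this PR or its repository: `strip_input` mimics the PR's character-deleting `escape_name` (the visible lines remove `>`, `"` and `'`; removing `<` as well is an assumption), `transfer` keeps non-string list items instead of dropping them, and `escape_output` shows the recommended render-time escaping that preserves the stored data. All function names and the sample body are constructed for this illustration.

```python
import html
import json
from typing import Any

# Constructed sample request body of the kind the middleware would inspect
SAMPLE_BODY = json.dumps({"display_name": "O'Brien <b>admin</b>", "tags": ["a", 1, "b"]})


def strip_input(value: str) -> str:
    """Input-side stripping in the style of the PR: deletes characters, so the data is altered."""
    for ch in ("<", ">", '"', "'"):  # assumption: '<' is stripped alongside the visible three
        value = value.replace(ch, "")
    return value


def transfer(value: Any) -> Any:
    """Walk a decoded JSON body; strings are stripped, everything else is kept, not discarded."""
    if isinstance(value, str):
        return strip_input(value)
    if isinstance(value, list):
        return [transfer(v) for v in value]
    if isinstance(value, dict):
        return {k: transfer(v) for k, v in value.items()}
    return value  # numbers, booleans, None survive unchanged


def escape_output(value: str) -> str:
    """Output-side escaping: the stored value is untouched and escaped only when rendered as HTML."""
    return html.escape(value, quote=True)


def compare(body_json: str) -> dict:
    """Return what each approach yields for the same body, to make the data loss visible."""
    body = json.loads(body_json)
    stripped = transfer(body)
    return {
        "stored_after_input_stripping": stripped["display_name"],
        "rendered_from_untouched_data": escape_output(body["display_name"]),
        "non_string_items_kept": stripped["tags"],
        # the escaped rendering still round-trips to the original value; the stripped one cannot
        "roundtrips": html.unescape(escape_output(body["display_name"])) == body["display_name"],
    }


if __name__ == "__main__":
    for key, val in compare(SAMPLE_BODY).items():
        print(f"{key}: {val!r}")
```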
