Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitise the search term before rendering #480

Merged
merged 1 commit into from
Apr 24, 2018
Merged

Sanitise the search term before rendering #480

merged 1 commit into from
Apr 24, 2018

Conversation

boffbowsh
Copy link
Contributor

Using the unsanitised search term in the “Search results for” text
could result in an XSS vulnerability.

@boffbowsh
Sanitise the search term before rendering
7ea0b26 
Using the unsanitised search term in the “Search results for” text
could result in an XSS vulnerability.
@boffbowsh boffbowsh requested a review from pmanrubia April 24, 2018 13:21
@boffbowsh boffbowsh merged commit 4012a62 into master Apr 24, 2018
@boffbowsh boffbowsh deleted the sanitize-search-results-term branch April 24, 2018 13:22
tijmenb added a commit to alphagov/govuk_publishing_components that referenced this pull request Apr 24, 2018
@tijmenb
Remove use of html_safe in search
9fb1e74 
The use of `html_safe` here caused a XSS vulnerability. It is currently
fixed in finder-frontend
(alphagov/finder-frontend#480).

It's also possible to insert HTML without doing html_safe by using a
capture block, so to avoid recurrence of the bug we'll remove
`html_safe` here entirely.
@tijmenb tijmenb mentioned this pull request Apr 24, 2018
Merged
tijmenb added a commit that referenced this pull request Apr 24, 2018
@tijmenb
Add test for XSS vulnerabilities
6773bf0 
This adds a test for the vulnerability fixed in
#480.

I've confirmed that the test works by removing the `sanitize` call from
the offending string
(https://github.com/alphagov/finder-frontend/blob/4012a62f70b84ce70b55fc
f4b312b0f87e2478cb/app/views/search/_search_field.html.erb#L3).
@tijmenb tijmenb mentioned this pull request Apr 24, 2018
Merged
@tijmenb tijmenb mentioned this pull request May 11, 2018
Merged
kevindew added a commit that referenced this pull request Jun 29, 2022
@kevindew
Test we don't have JS vulnerabilities in headless browser
aa48aef 
This imports a test from Smokey that confirmed Finder Frontend doesn't
have execute JavaScript that is inputted by a user [1]. This has been
ported because this testing can and should be localised to this
application and doesn't need to be done in a wider, distinct suite.

It does seem unusual to have a test of this sort of low-level concern at
a feature level, because it is not a feature. However given we've had
at-least 2 incidents related to XSS in Finder Frontend [2], [3] it seems
like something we should check. As a feature test operates in a real
browser environment this is the only place we can have high confidence
that input doesn't cause unexpected JavaScript execution.

This test doesn't check the server side handling of XSS a separate
change is being added for that.

In order to make these tests work and not had a whole bunch of new steps
I had to do some wrestling with the step definitions. They don't seem to
be in a good state, so I just tried to do minimal damage and keep it all
running.

[1]: https://github.com/alphagov/smokey/blob/7553a432259d785fb6d4fb81cfd4fe3572185ad3/features/apps/finder_frontend.feature#L11-L31
[2]: #480
[3]: #1060
kevindew added a commit that referenced this pull request Jun 30, 2022
@kevindew
Test we don't have JS vulnerabilities in headless browser
e6c3e24 
This imports a test from Smokey that confirmed Finder Frontend doesn't
have execute JavaScript that is inputted by a user [1]. This has been
ported because this testing can and should be localised to this
application and doesn't need to be done in a wider, distinct suite.

It does seem unusual to have a test of this sort of low-level concern at
a feature level, because it is not a feature. However given we've had
at-least 2 incidents related to XSS in Finder Frontend [2], [3] it seems
like something we should check. As a feature test operates in a real
browser environment this is the only place we can have high confidence
that input doesn't cause unexpected JavaScript execution.

This test doesn't check the server side handling of XSS a separate
change is being added for that.

In order to make these tests work and not had a whole bunch of new steps
I had to do some wrestling with the step definitions. They don't seem to
be in a good state, so I just tried to do minimal damage and keep it all
running.

[1]: https://github.com/alphagov/smokey/blob/7553a432259d785fb6d4fb81cfd4fe3572185ad3/features/apps/finder_frontend.feature#L11-L31
[2]: #480
[3]: #1060
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmanrubia pmanrubia pmanrubia approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@boffbowsh @pmanrubia