Sanitize inputs to toast function #2644

Merged
merged 1 commit into from
Aug 19, 2022

Conversation

argaudreau
Contributor

Description

String messages to the toast() function were not sanitized, allowing for malicious HTML to be passed to it. In particular, the operation name input in the operations page allowed a user to enter an XSS string such as <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>, which would fire the onerror handler once created.

A sanitize() method has been added so it can be used anywhere in Caldera's UI. It will completely remove any HTML content and return the remaining text, if any. The toast method now uses this, along with a couple of other sections in the operations page.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

After inputting malicious strings to the operation name input, the scripts never fire like they did before.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
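The sanitize-then-toast pattern the description outlines, as an added example that is not the Caldera project's own code. Browser code would normally extract the text with DOMParser and textContent; the small scanner here does the same job without a DOM so the example runs under Node, and it also covers the entity-encoded case raised in review (encoded markup stays visible as plain text). The toast node model and the pre-fix variant are assumptions for illustration.

```javascript
// Added example, not code from the Caldera project. sanitize() drops every
// HTML tag and returns only the remaining text; toast() routes each message
// through it before the notification is rendered.

// Remove everything from each '<' up to its closing '>' (tags, attributes,
// comments). Entities such as "&lt;" are deliberately left untouched: the
// output is meant for textContent, which displays them as literal characters.
function sanitize(input) {
  const text = String(input ?? '');
  let out = '';
  let i = 0;
  while (i < text.length) {
    if (text[i] === '<') {
      const end = text.indexOf('>', i);
      if (end === -1) break;            // unterminated tag: drop the remainder
      i = end + 1;
    } else {
      out += text[i++];
    }
  }
  return out.trim();
}

// Hardened toast (hypothetical node model): the sanitized message is assigned
// to textContent, so nothing in the message can ever become markup.
function toast(message, level = 'is-info') {
  return { tag: 'div', className: `notification ${level}`, textContent: sanitize(message) };
}

// The pre-fix shape the PR describes: the raw message went into innerHTML,
// so an event-handler attribute inside it survived into the rendered element.
function toastBeforeFix(message, level = 'is-info') {
  return { tag: 'div', className: `notification ${level}`, innerHTML: message };
}

// Constructed inputs: the payload quoted in the PR, a mixed string, and an
// entity-encoded string that must remain visible as plain text.
const XSS_PAYLOAD = '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>';
const MIXED = 'Operation <b>Alpha</b> started';
const ENCODED = '&lt;img onerror=alert(1)&gt;';
```

Because the returned text never contains a literal '<', it cannot form an element even if a caller mistakenly assigns it to innerHTML; assigning to textContent is still the correct sink.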

@sonarcloud

sonarcloud bot commented Aug 17, 2022

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information

@yee-jonathan
Contributor

Changes correctly sanitize output and prevent execution when using html tags. Even when HTML encoded, malicious scripts will not execute and are displayed as plain text.

@JamieScottC JamieScottC self-requested a review August 19, 2022 19:02
Contributor

@JamieScottC JamieScottC left a comment

Confirmed that entering an XSS input doesn't execute any of its malicious behavior.

@elegantmoose elegantmoose merged commit 31589b7 into master Aug 19, 2022
@elegantmoose elegantmoose deleted the xss-op-fix branch August 19, 2022 19:16