Added sanitization for XSS attempts
AABoyles committed Mar 27, 2018
1 parent 2dee0fb commit 3142b76
Showing 10 changed files with 151 additions and 6 deletions.
20 changes: 14 additions & 6 deletions components/files.html
Expand Up @@ -112,9 +112,9 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
Papa.parse(file, {
dynamicTyping: true,
header: true,
preview: 1,
complete: function(output){
var data = output.data;
var headers = output.meta.fields;
var headers = output.meta.fields.map(app.striptags);
var options = '<option>None</option>' + headers.map(h => `<option value="${h}">${app.titleize(h)}</option>`).join('\n');
$(`<div class='col-4 '${isFasta?' style="display: none;"':''} data-file='${file.name}'>
<label for="file-${file.name}-field-1">${isNode?'ID':'Source'}</label>
Expand Down Expand Up @@ -189,7 +189,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
var reader = new FileReader();
reader.onloadend = function(e){
if (e.target.readyState == FileReader.DONE){
$('#reference').val(app.parseFASTA(e.target.result)[0].seq);
$('#reference').val(app.striptags(app.parseFASTA(e.target.result)[0].seq));
}
};
reader.readAsText(file);
Expand Down Expand Up @@ -254,6 +254,8 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
var n = 0;
var seqs = app.parseFASTA(e.target.result);
seqs.forEach(node => {
node.id = app.striptags(node.id);
node.seq = app.striptags(node.seq);
node['origin'] = [filename];
n += app.addNode(node);
});
Expand All @@ -272,17 +274,21 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
dynamicTyping: true,
skipEmptyLines: true,
complete: results => {
var link = results.data.forEach(link => {
results.data.forEach(link => {
Object.keys(link).forEach(function(key){
link[key] = app.striptags(link[key]);
});
l += app.addLink(Object.assign({
source: '' + link[file.field1],
target: '' + link[file.field2],
distance: (file.field3 === "None") ? 0 : link[file.field3],
distance: file.field3 === 'None' ? 0 : link[file.field3],
origin: [filename],
visible: 1
}, link));
});
message(` - Parsed ${l} New, ${results.data.length} Total Links from Link CSV.`);
results.meta.fields.map(key => {
key = app.striptags(key);
if(!session.data.linkFields.includes(key)){
session.data.linkFields.push(key);
}
Expand Down Expand Up @@ -311,12 +317,14 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
complete: results => {
var n = 0;
results.data.forEach(node => {
node = JSON.parse(app.striptags(JSON.stringify(node)));
node.id = '' + node[file.field1];
if(file.field2 !== 'None') node.seq = node[file.field2];
node['origin'] = [filename];
n += app.addNode(node);
});
results.meta.fields.forEach(key => {
key = app.striptags(key);
if(!session.data.nodeFields.includes(key)){
session.data.nodeFields.push(key);
}
Expand All @@ -340,7 +348,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
var nn = 0, nl = 0;
results.data.forEach((row, i) => {
if(i == 0){
nodeIDs = row;
nodeIDs = row.map(app.striptags);
nodeIDs.forEach((cell, k) => {
if(k > 0){
nn += app.addNode({
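Review bot: The round-trip at `node = JSON.parse(app.striptags(JSON.stringify(node)));` in the node-CSV hunk (@@ -311) runs the tag regexes over the serialized object, so a `<` in one field and a `>` in a later field lets the first pattern swallow the quotes, commas and keys between them, after which `JSON.parse` throws inside a `forEach` that has no handler and the whole file load is abandoned; stripping per value as the link hunk (@@ -272) does, `Object.keys(node).forEach(key => { node[key] = app.striptags(node[key]); });`, avoids that. In that link hunk the loop rewrites values only, while `key = app.striptags(key)` pushes a sanitized name into `session.data.linkFields`, so a header containing tag-like text is listed under a name that does not exist on the row objects; the key should be renamed on the object as well, and the surrounding `results.meta.fields.map(key => …)` is used purely for side effects and should be `forEach` like its node counterpart. Stripping tags is also not attribute escaping: `h` at `<option value="${h}">` (@@ -112) still lands in a quoted attribute unescaped, so `$('<option>').val(h).text(app.titleize(h))` would be the more robust way to build those options. The enclosing Papa.parse callbacks begin and end outside each hunk.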
7 changes: 7 additions & 0 deletions scripts/common.js
Expand Up @@ -115,6 +115,13 @@ app.parseNewick = function(a){
return r;
};

app.striptags = function(inp){
return ('' + inp)
.replace(/<[^>]+?>.*?<\/[^>]+?>/g, '') //Closed Tags
.replace(/<[^>]+?\/\s*>/g, '') //Self-Closing Tags
.replace(/<[^>]+?>/g, ''); //Unclosed Tags
};

app.titleize = function(title){
var small = title.toLowerCase().replace(/_/g, ' ');
if(small === 'id') return 'ID';
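Review bot: `app.striptags` coerces every input with `'' + inp`, and the link-CSV hunk in components/files.html applies it to every parsed cell, so values produced by `dynamicTyping: true` come back as strings and `null`/`undefined` cells become the literal strings `"null"`/`"undefined"`; a guard before the chain, `if (typeof inp !== 'string') return inp;`, keeps typed and absent values intact. The function is a tag stripper, not an HTML encoder: a lone `<` or `>` passes through, the first pattern's `.` does not cross newlines so for a tag pair split across lines only the tags are removed and the inner text survives, and anything returned here still has to be escaped (or inserted via `.text()`/`textContent`) where it reaches the DOM. That contract deserves a header comment, e.g. `// Best-effort removal of tag-like text from untrusted input. NOT an HTML escaper: callers must still escape or use .text() when inserting the result into the DOM.` The first pattern also discards the text between a matched open/close pair, which test/adversarial/README.md describes as intended; saying so in the comment would save the next reader from treating it as a bug.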
24 changes: 24 additions & 0 deletions test/adversarial/README.md
@@ -0,0 +1,24 @@
# Adversarial Tests

This directory contains a single script (pwn.js) which alerts the user that
their box has been pwned.

It also contains a variety of files which attempt XSS attacks by injecting
script tags through the various sources of input to the DOM.

To compensate for these, MicrobeTrace scrubs all inputs of anything matching a
set of dumb regexes that browsers will interpret as tags. Accordingly, any files
which contain tag-like syntax (e.g. a CSV with a field populated by HTML or XML
values) will not be loaded completely and correctly.
THIS IS A FEATURE, NOT A BUG.

To test MicrobeTrace's security using these files, launch a webserver on port
8080 in the MicrobeTrace Root directory. Then, with the server running, launch
MicrobeTrace and load any of the files in this directory. If you recieve an
alert that your username has been pwned, it means that somewhere in the program,
an unsanitized user input has been leaked into the DOM. This is a security bug.
Please contact nsp3@cdc.gov with a description of how you got the message (which
file you were using and what part of the program you were interacting with).
Please do NOT post this as an issue on Github.

Thank you!
18 changes: 18 additions & 0 deletions test/adversarial/fastaIDInjection.fasta
@@ -0,0 +1,18 @@
>1922PL-110-1<script type="text/javascript" src="http://localhost:8080/test/adversarial/pwn.js"></script>
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-2
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-3
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-4
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-5
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-6
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-7
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-8
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGTACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
>1922PL-110-9
GTTACTTTAAATTGTATCAATGCTAATTTGACCAAGGGCCAACCAACCAATGACTCCATAATAATAGGAAATATGACAGATGAAGTAAGAAACTGTTCTTTTAATGTGACCACAGAACTAAGAGATAAAAAGCAGAAGGCCTATTCACTTTTTTATAAGCTTGATTTAGTAGAAATGGGAAATGGAAGTGAGTATAGGTTAATAAATTGTAATACTTCAGTCATTAAGCAGGCATGTCCAAAGGTAACCTTTGATCCAATTCCTATACATTATTGCACTCCAGCTGGTTATGCGATTATAAAATGTAATGATAAGAATTTCAATGGGACAGGGATATGTAAAAATGTCAGCTCAGTACAATGCACACATGGAATTAAGCCAGTGGTATCAACTCAATTGCTGTTAAATGGCAGTCTAGCAGAAGAAGAGATAATAATCAGATCTGAAAATCTCACAGACAATGCCAAAACCATAATAGTGCATCTTAATAAATCTGTAGAAATCAAGTGTATCAGACCCTCCACCAATACAAGAACAAGTATACGTATAGGACCAGGACAAGTATTCTATAGAACAGGAGACATAACAGGAAATATAAGAAAAGCTTATTGTGAGCTTAATGGAACAAAATGGAATGAAACTTTAAAACAGGTAACTAAGAAATTAAAAGAGCATTTTGAAAATAAGACAATAATCTTTCGACCACCCTCAGGAGGAGATTTAGAAATTACAATGCATCATTTTAATTGTAGAGGGGAATTTTTCTATTGCGATACAACACAATTGTTTAATAGTACTTGGGGAGAAAATGAAACCATGAAGGAACACAATGGCACTATCATACTTCTATGCAAGATAAAGCAAATCATAAACATGTGGCAGGGAGTGGGACAAGCAATGTATGCTCCTCCCATCAGGGGAAATATTAGTTGTGTATCAAATATTACAGGAATACTATTGACAAGAGATGGTGGTATTAATAATAATACTACCGAAACTTTCAGACCTGGA
