
Corrected missing output encoding - GHSA-jp9v-w6vw-9m5v
stevespringett committed Jul 17, 2019
1 parent c2ca580 commit c74a90e
Showing 4 changed files with 30 additions and 22 deletions.
12 changes: 6 additions & 6 deletions src/main/webapp/assets/common.js
Expand Up @@ -264,15 +264,15 @@ $common.displayErrorModal = function displayErrorModal(xhr, fallbackMessage) {
message = xhr.responseText.trim();
}
$("#modal-genericError").modal("show");
$("#modal-genericErrorContent").html(message);
$("#modal-genericErrorContent").text(message);
};

/**
* Displays an informational modal with the specified message.
*/
$common.displayInfoModal = function displayInfoModal(message) {
$("#modal-informational").modal("show");
$("#modal-infoMessage").html(message);
$("#modal-infoMessage").text(message);
};

/**
Expand Down Expand Up @@ -565,7 +565,7 @@ $(document).ready(function () {
* @returns {string}
*/
suggestion: function (data) {
return '<a class="tt-suggestion-item" href="' + contextPath + 'project/?uuid=' + data.uuid + '">' + data.name + '</a>';
return '<a class="tt-suggestion-item" href="' + contextPath + 'project/?uuid=' + filterXSS(data.uuid) + '">' + filterXSS(data.name) + '</a>';
}
}
},
Expand All @@ -582,7 +582,7 @@ $(document).ready(function () {
* @returns {string}
*/
suggestion: function (data) {
return '<a class="tt-suggestion-item" href="' + contextPath + 'component/?uuid=' + data.uuid + '">' + data.name + '</a>';
return '<a class="tt-suggestion-item" href="' + contextPath + 'component/?uuid=' + filterXSS(data.uuid) + '">' + filterXSS(data.name) + '</a>';
}
}
},
Expand All @@ -599,7 +599,7 @@ $(document).ready(function () {
* @returns {string}
*/
suggestion: function (data) {
return '<a class="tt-suggestion-item" href="' + contextPath + 'vulnerability/?source=' + data.source + '&vulnId=' + data.vulnId + '">' + data.vulnId + '</a>';
return '<a class="tt-suggestion-item" href="' + contextPath + 'vulnerability/?source=' + filterXSS(data.source) + '&vulnId=' + filterXSS(data.vulnId) + '">' + filterXSS(data.vulnId) + '</a>';
}
}
},
Expand All @@ -616,7 +616,7 @@ $(document).ready(function () {
* @returns {string}
*/
suggestion: function (data) {
return '<a class="tt-suggestion-item" href="' + contextPath + 'license/?licenseId=' + data.licenseId + '">' + data.name + '</a>';
return '<a class="tt-suggestion-item" href="' + contextPath + 'license/?licenseId=' + filterXSS(data.licenseId) + '">' + filterXSS(data.name) + '</a>';
}
}
}
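Review bot: `filterXSS(data.uuid)` on the new suggestion line in the first typeahead hunk applies an HTML-fragment sanitizer to a URL query parameter that sits inside an `href` attribute; it does not URL-encode the value, and (assuming this is the js-xss `filterXSS`) its default escaping covers `<`/`>` but not the quote or `&` characters that are significant in an attribute or query-string context. Use `encodeURIComponent` for the URL parts and keep `filterXSS` for the link text: `'project/?uuid=' + encodeURIComponent(data.uuid) + '">' + filterXSS(data.name) + '</a>'`. The same applies to the component, vulnerability and license suggestion hunks in this file, to `vulnurl` in project/functions.js and to `vulnurl` in vulnerabilities/functions.js. The enclosing `$(document).ready` callback and the object literal holding each suggestion template start and end outside these hunks.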
37 changes: 22 additions & 15 deletions src/main/webapp/project/functions.js
Expand Up @@ -24,14 +24,16 @@
*/
function formatDependenciesTable(res) {
for (let i=0; i<res.length; i++) {
if (res[i].component.hasOwnProperty("version") && res[i].component.hasOwnProperty("repositoryMeta")) {
if (res[i].component.repositoryMeta.hasOwnProperty("latestVersion")) {
if (res[i].component.hasOwnProperty("version")) {
if (res[i].component.hasOwnProperty("repositoryMeta") && res[i].component.repositoryMeta.hasOwnProperty("latestVersion")) {
if (res[i].component.repositoryMeta.latestVersion !== res[i].component.version) {
res[i].component.version = '<span style="float:right" data-toggle="tooltip" data-placement="bottom" title="Risk: Outdated component. Current version is: '+ filterXSS(res[i].component.repositoryMeta.latestVersion) + '"><i class="fa fa-exclamation-triangle status-warning" aria-hidden="true"></i></span> ' + filterXSS(res[i].component.version);
} else {
res[i].component.version = '<span style="float:right" data-toggle="tooltip" data-placement="bottom" title="Component version is the latest available from the configured repositories"><i class="fa fa-exclamation-triangle status-passed" aria-hidden="true"></i></span> ' + filterXSS(res[i].component.version);
}
res[i].latestVersion = filterXSS(res[i].component.repositoryMeta.latestVersion);
} else {
res[i].component.version = filterXSS(res[i].component.version);
}
}
let componenturl = "../component/?uuid=" + res[i].component.uuid;
Expand All @@ -48,6 +50,17 @@ function formatDependenciesTable(res) {
return res;
}

function formatProjectPropertiesTable(res) {
for (let i=0; i<res.length; i++) {
res[i].groupName = filterXSS(res[i].groupName);
res[i].propertyName = filterXSS(res[i].propertyName);
res[i].propertyValue = filterXSS(res[i].propertyValue);
res[i].propertyType = filterXSS(res[i].propertyType);
res[i].description = filterXSS(res[i].description);
}
return res;
}

/**
* Called by bootstrap table to format the data in the components table (when adding a new dependency from an existing component).
*/
Expand All @@ -65,17 +78,17 @@ function formatComponentsTable(res) {
*/
function formatFindingsTable(res) {
for (let i=0; i<res.length; i++) {
let vulnurl = "../vulnerability/?source=" + res[i].vulnerability.source + "&vulnId=" + res[i].vulnerability.vulnId;
let vulnurl = "../vulnerability/?source=" + filterXSS(res[i].vulnerability.source) + "&vulnId=" + filterXSS(res[i].vulnerability.vulnId);
res[i].vulnerability.href = $common.formatSourceLabel(res[i].vulnerability.source) + " <a href=\"" + vulnurl + "\">" + filterXSS(res[i].vulnerability.vulnId) + "</a>";

if (res[i].vulnerability.hasOwnProperty("cweId") && res[i].vulnerability.hasOwnProperty("cweName")) {
res[i].vulnerability.cwefield = "<div class='truncate-ellipsis'><span>CWE-" + res[i].vulnerability.cweId + " " + res[i].vulnerability.cweName + "</span></div>";
res[i].vulnerability.cwefield = "<div class='truncate-ellipsis'><span>CWE-" + filterXSS(res[i].vulnerability.cweId) + " " + filterXSS(res[i].vulnerability.cweName) + "</span></div>";
} else {
res[i].vulnerability.cwefield = "";
}

if (res[i].vulnerability.hasOwnProperty("severity")) {
res[i].vulnerability.severityLabel = $common.formatSeverityLabel(res[i].vulnerability.severity);
res[i].vulnerability.severityLabel = $common.formatSeverityLabel(filterXSS(res[i].vulnerability.severity));
}

if (res[i].analysis.hasOwnProperty("isSuppressed") && res[i].analysis.isSuppressed === true) {
Expand All @@ -84,16 +97,10 @@ function formatFindingsTable(res) {
res[i].analysis.isSuppressedLabel = '';
}

if (!res[i].component.hasOwnProperty("group")) {
res[i].component.group = "";
}
if (!res[i].component.hasOwnProperty("version")) {
res[i].component.version = "";
}
if (!res[i].analysis.hasOwnProperty("state")) {
res[i].analysis.state = "";
}

res[i].component.name = filterXSS(res[i].component.name);
res[i].component.group = res[i].component.hasOwnProperty("group") ? filterXSS(res[i].component.group) : "";
res[i].component.version = res[i].component.hasOwnProperty("version") ? filterXSS(res[i].component.version) : "";
res[i].analysis.state = res[i].analysis.hasOwnProperty("state") ? filterXSS(res[i].analysis.state) : "";
}
return res;
}
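Review bot: The context line `let componenturl = "../component/?uuid=" + res[i].component.uuid;` directly after the rewritten version block in formatDependenciesTable still builds a link from the raw uuid while the rest of the commit encodes every other value it renders; `encodeURIComponent(res[i].component.uuid)` would close that gap (formatDependenciesTable continues past the hunk). The new formatProjectPropertiesTable is the only response handler in this file without the `/** Called by bootstrap table to format ... */` header its siblings carry; add `/** Called by bootstrap table to format the data in the project properties table. */` above it. In formatFindingsTable, `$common.formatSourceLabel` still receives the unfiltered `res[i].vulnerability.source` while the same value is filtered for `vulnurl` on the line above; whether that is acceptable depends on formatSourceLabel, which is not in this diff.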
1 change: 1 addition & 0 deletions src/main/webapp/project/index.jsp
Expand Up @@ -385,6 +385,7 @@
</div>
<div class="modal-body">
<table id="projectPropertiesTable" class="table table-hover detail-table" data-toggle="table"
data-response-handler="formatProjectPropertiesTable"
data-show-refresh="true" data-show-columns="true" data-search="true" data-detail-view="true"
data-query-params-type="pageSize" data-side-pagination="client" data-pagination="true"
data-silent-sort="false" data-page-size="5" data-height="100%">
2 changes: 1 addition & 1 deletion src/main/webapp/vulnerabilities/functions.js
Expand Up @@ -24,7 +24,7 @@
*/
function formatVulnerabilityTable(res) {
for (let i=0; i<res.length; i++) {
let vulnurl = "../vulnerability/?source=" + res[i].source + "&vulnId=" + res[i].vulnId;
let vulnurl = "../vulnerability/?source=" + filterXSS(res[i].source) + "&vulnId=" + filterXSS(res[i].vulnId);
res[i].vulnerabilityhref = $common.formatSourceLabel(res[i].source) + " <a href=\"" + vulnurl + "\">" + filterXSS(res[i].vulnId) + "</a>";

if (res[i].hasOwnProperty("cwe")) {
