Fix additional XSS issues in the flash messages in the admin.
A follow-up to XSS issues first identified in
f53a9fb.

I've gone through the rest of the admin, and I believe this covers
everything.

This commit is a bit bigger, since it fixes some issues with how our
test elasticsearch database was being setup for this web app (the
database didn't have our actual mappings loaded, so some fields weren't
being indexed as the proper types). These test fixes allow us to now
properly test the analytics by users list, where some additional XSS
tests have been added.
GUI committed Apr 10, 2015
1 parent 044cdb3 commit bcc0e92
Showing 17 changed files with 351 additions and 23 deletions.
4 changes: 4 additions & 0 deletions Gemfile
Expand Up @@ -245,6 +245,10 @@ group :development, :test do

# For parsing URLs in tests.
gem "addressable", "~> 2.3.6"

# For caching external web requests
gem "vcr", "~> 2.9.3", :require => false
gem "webmock", "~> 1.21.0", :require => false
end

group :development do
8 changes: 8 additions & 0 deletions Gemfile.lock
Expand Up @@ -122,6 +122,8 @@ GEM
simplecov (>= 0.7)
term-ansicolor (= 1.2.2)
thor (= 0.18.1)
crack (0.4.2)
safe_yaml (~> 1.0.0)
css_parser (1.3.5)
addressable
csv_builder (2.1.1)
Expand Down Expand Up @@ -475,13 +477,17 @@ GEM
execjs (>= 0.3.0)
json (>= 1.8.0)
uuidtools (2.1.5)
vcr (2.9.3)
virtus (1.0.4)
axiom-types (~> 0.1)
coercible (~> 1.0)
descendants_tracker (~> 0.0, >= 0.0.3)
equalizer (~> 0.0, >= 0.0.9)
warden (1.2.3)
rack (>= 1.0)
webmock (1.21.0)
addressable (>= 2.3.6)
crack (>= 0.3.2)
websocket-driver (0.4.0)
websocket-driver (0.4.0-java)
xpath (2.0.0)
Expand Down Expand Up @@ -588,3 +594,5 @@ DEPENDENCIES
turbo-sprockets-rails3 (= 0.3.13)
uglifier (~> 2.5.0)
uuidtools (~> 2.1.4)
vcr (~> 2.9.3)
webmock (~> 1.21.0)
Expand Up @@ -11,7 +11,7 @@ Admin.AdminGroupsFormController = Ember.ObjectController.extend(Admin.Save, {
submit: function() {
this.save({
transitionToRoute: 'admin_groups',
message: 'Successfully saved the admin group "' + this.get('model.name') + '"',
message: 'Successfully saved the admin group "' + _.escape(this.get('model.name')) + '"',
});
},
},
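Review bot: The HTML-rendering contract that makes `_.escape` necessary on the new `message:` line is not stated anywhere at this call site; it is only evident from the `<br>` and `<a href>` markup in the apis and website backends hunks further down, so a future caller can easily concatenate an unescaped model value again. Add a comment above the `message:` line, `// message is rendered as HTML: every model-derived value must go through _.escape()`, and the same in the admins, api_scopes, api_users, apis and website_backends hunks, which share the pattern. Longer term, letting `Admin.Save` take a text-only message or pre-escaped fragments would move the escaping off the call sites, but `Admin.Save` is outside this diff. The `submit` handler's enclosing controller definition starts and ends outside the hunk.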
Expand Up @@ -11,7 +11,7 @@ Admin.AdminsFormController = Ember.ObjectController.extend(Admin.Save, {
submit: function() {
this.save({
transitionToRoute: 'admins',
message: 'Successfully saved the admin "' + this.get('model.username') + '"',
message: 'Successfully saved the admin "' + _.escape(this.get('model.username')) + '"',
});
},
},
Expand Up @@ -3,7 +3,7 @@ Admin.ApiScopesFormController = Ember.ObjectController.extend(Admin.Save, {
submit: function() {
this.save({
transitionToRoute: 'api_scopes',
message: 'Successfully saved the API scope "' + this.get('model.name') + '"',
message: 'Successfully saved the API scope "' + _.escape(this.get('model.name')) + '"',
});
},
},
Expand Up @@ -20,9 +20,9 @@ Admin.ApiUsersFormController = Ember.ObjectController.extend(Admin.Save, {
this.save({
transitionToRoute: 'api_users',
message: function(model) {
var message = 'Successfully saved the user "' + model.get('email') + '"';
var message = 'Successfully saved the user "' + _.escape(model.get('email')) + '"';
if(model.get('apiKey')) {
message += '<br>API Key: <code>' + model.get('apiKey') + '</code>';
message += '<br>API Key: <code>' + _.escape(model.get('apiKey')) + '</code>';
}

return message;
Expand Up @@ -21,7 +21,7 @@ Admin.ApisFormController = Ember.ObjectController.extend(Admin.Save, {
submit: function() {
this.save({
transitionToRoute: 'apis',
message: 'Successfully saved the "' + this.get('model.name') + '" API backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
message: 'Successfully saved the "' + _.escape(this.get('model.name')) + '" API backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
});
},

Expand Up @@ -22,7 +22,7 @@ Admin.WebsiteBackendsFormController = Ember.ObjectController.extend(Admin.Save,
submit: function() {
this.save({
transitionToRoute: 'website_backends',
message: 'Successfully saved the "' + this.get('model.frontendHost') + '" website backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
message: 'Successfully saved the "' + _.escape(this.get('model.frontendHost')) + '" website backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
});
},

221 changes: 221 additions & 0 deletions spec/cassettes/elasticsearch_templates.yml


9 changes: 5 additions & 4 deletions spec/controllers/admin/stats_controller_spec.rb
Expand Up @@ -4,10 +4,11 @@
login_admin

before(:each) do
begin
LogItem.gateway.client.indices.delete :index => LogItem.index_name
rescue Elasticsearch::Transport::Transport::Errors::NotFound # rubocop:disable Lint/HandleExceptions
end
LogItem.gateway.client.delete_by_query :index => LogItem.index_name, :body => {
:query => {
:match_all => {},
},
}
end

describe "GET logs" do
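Review bot: The `delete_by_query` call on the new lines removes documents without refreshing the index, so a search issued by an example right after the `before` block may still return the deleted log items until Elasticsearch's next refresh, unless something later in the example refreshes; following it with `LogItem.gateway.client.indices.refresh :index => LogItem.index_name` would make the setup self-contained. Dropping the `rescue ... NotFound` also means the block now raises if the index does not exist, which is presumably intended now that the index is created from the template, and deserves a one-line comment such as `# Index is created from the Elasticsearch template; only clear its documents.`. Delete-by-query was moved out of Elasticsearch core in the 2.x line, so this setup will need revisiting on upgrade. The `before(:each)` block is complete within the hunk; the enclosing `describe` starts outside it.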
1 change: 1 addition & 0 deletions spec/factories/api_users.rb
Expand Up @@ -13,6 +13,7 @@
end

factory :xss_api_user do
email 'a@"><script class="xss-test">alert("Hello first_name");</script>.com'
first_name '"><script class="xss-test">alert("Hello first_name");</script>'
last_name '"><script class="xss-test">alert("Hello last_name");</script>'
use_description '"><script class="xss-test">alert("Hello use_description");</script>'
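Review bot: The new `email` line's payload reads `alert("Hello first_name")`, apparently copied from the line below, while every other field's payload names its own field; changing it to `alert("Hello email")` lets a test that inspects rendered output tell which field leaked. Whether an address containing `"`, `>` and `<` passes the model's email validation is not visible here; if it does not, the factory fails to save instead of exercising the users list. The `factory :xss_api_user` block continues past the hunk.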
9 changes: 5 additions & 4 deletions spec/factories/log_items.rb
Expand Up @@ -3,13 +3,14 @@
class LogItem
include Elasticsearch::Persistence::Model

index_name "api-umbrella-logs-2015-01"
index_name "api-umbrella-logs-write-2015-01"
document_type "log"

attribute :api_key, String
attribute :backend_response_time, Float
attribute :backend_response_time, Integer
attribute :internal_gatekeeper_time, Float
attribute :internal_response_time, Float
attribute :proxy_overhead, Float
attribute :proxy_overhead, Integer
attribute :request_accept_encoding, String
attribute :request_at, Time
attribute :request_hierarchy, Array
Expand All @@ -33,7 +34,7 @@ class LogItem
attribute :response_server, String
attribute :response_size, Integer
attribute :response_status, Integer
attribute :response_time, Float
attribute :response_time, Integer
attribute :user_email, String
attribute :user_id, String
attribute :user_registration_source, String
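Review bot: The switch to `api-umbrella-logs-write-2015-01` and the Float-to-Integer changes on `backend_response_time`, `proxy_overhead` and `response_time` encode a coupling to the Elasticsearch index template that nothing in this file explains, so the next maintainer may revert them as a cleanup. A comment above `index_name`, such as `# Must match the write alias and field types in the Elasticsearch template, or the test index is created with the wrong mappings`, would record why. Whether the remaining Float attributes (`internal_gatekeeper_time`, `internal_response_time`) agree with the template is not visible here. The `class LogItem` body continues past the second hunk.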
