
Commit bcc0e92

Fix additional XSS issues in the flash messages in the admin.
A follow-up to XSS issues first identified in f53a9fb. I've gone through the rest of the admin, and I believe this covers everything. This commit is a bit bigger, since it fixes some issues with how our test Elasticsearch database was being set up for this web app (the database didn't have our actual mappings loaded, so some fields weren't being indexed as the proper types). These test fixes allow us to now properly test the analytics-by-users list, where some additional XSS tests have been added.
1 parent 044cdb3 commit bcc0e92

17 files changed

+351
-23
lines changed


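--- a/Gemfile
+++ b/Gemfile
@@ -245,6 +245,10 @@ group :development, :test do
 
 # For parsing URLs in tests.
 gem "addressable", "~> 2.3.6"
+
+# For caching external web requests
+gem "vcr", "~> 2.9.3", :require => false
+gem "webmock", "~> 1.21.0", :require => false
 end
 
 group :development do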

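--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -122,6 +122,8 @@ GEM
 simplecov (>= 0.7)
 term-ansicolor (= 1.2.2)
 thor (= 0.18.1)
+crack (0.4.2)
+safe_yaml (~> 1.0.0)
 css_parser (1.3.5)
 addressable
 csv_builder (2.1.1)
@@ -475,13 +477,17 @@ GEM
 execjs (>= 0.3.0)
 json (>= 1.8.0)
 uuidtools (2.1.5)
+vcr (2.9.3)
 virtus (1.0.4)
 axiom-types (~> 0.1)
 coercible (~> 1.0)
 descendants_tracker (~> 0.0, >= 0.0.3)
 equalizer (~> 0.0, >= 0.0.9)
 warden (1.2.3)
 rack (>= 1.0)
+webmock (1.21.0)
+addressable (>= 2.3.6)
+crack (>= 0.3.2)
 websocket-driver (0.4.0)
 websocket-driver (0.4.0-java)
 xpath (2.0.0)
@@ -588,3 +594,5 @@ DEPENDENCIES
 turbo-sprockets-rails3 (= 0.3.13)
 uglifier (~> 2.5.0)
 uuidtools (~> 2.1.4)
+vcr (~> 2.9.3)
+webmock (~> 1.21.0)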

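--- a/app/assets/javascripts/admin/controllers/admin_groups/form_controller.js
+++ b/app/assets/javascripts/admin/controllers/admin_groups/form_controller.js
@@ -11,7 +11,7 @@ Admin.AdminGroupsFormController = Ember.ObjectController.extend(Admin.Save, {
 submit: function() {
 this.save({
 transitionToRoute: 'admin_groups',
-message: 'Successfully saved the admin group "' + this.get('model.name') + '"',
+message: 'Successfully saved the admin group "' + _.escape(this.get('model.name')) + '"',
 });
 },
 },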
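Review bot: `_.escape` on the changed `message:` line closes the injection for `model.name`, but the fix lives at the call site, so every future `message:` that concatenates model data has to remember it, while the sink (presumably the flash rendering inside `Admin.Save`, which is outside this hunk) still trusts whatever string it is handed as HTML. A sturdier shape is to have the save mixin escape `message` by default and require an explicit opt-in (for example a `messageHtml:` option) for the few controllers that really embed `<br>`/`<a>` markup, so a forgotten `_.escape` fails safe instead of open. At minimum put a comment above the line: `// model.name is admin-supplied and the flash is rendered as HTML, so it must be escaped.` The `submit` handler is fully inside the hunk; the controller definition and `Admin.Save` are not.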

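--- a/app/assets/javascripts/admin/controllers/admins/form_controller.js
+++ b/app/assets/javascripts/admin/controllers/admins/form_controller.js
@@ -11,7 +11,7 @@ Admin.AdminsFormController = Ember.ObjectController.extend(Admin.Save, {
 submit: function() {
 this.save({
 transitionToRoute: 'admins',
-message: 'Successfully saved the admin "' + this.get('model.username') + '"',
+message: 'Successfully saved the admin "' + _.escape(this.get('model.username')) + '"',
 });
 },
 },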

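--- a/app/assets/javascripts/admin/controllers/api_scopes/form_controller.js
+++ b/app/assets/javascripts/admin/controllers/api_scopes/form_controller.js
@@ -3,7 +3,7 @@ Admin.ApiScopesFormController = Ember.ObjectController.extend(Admin.Save, {
 submit: function() {
 this.save({
 transitionToRoute: 'api_scopes',
-message: 'Successfully saved the API scope "' + this.get('model.name') + '"',
+message: 'Successfully saved the API scope "' + _.escape(this.get('model.name')) + '"',
 });
 },
 },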

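--- a/app/assets/javascripts/admin/controllers/api_users/form_controller.js
+++ b/app/assets/javascripts/admin/controllers/api_users/form_controller.js
@@ -20,9 +20,9 @@ Admin.ApiUsersFormController = Ember.ObjectController.extend(Admin.Save, {
 this.save({
 transitionToRoute: 'api_users',
 message: function(model) {
-var message = 'Successfully saved the user "' + model.get('email') + '"';
+var message = 'Successfully saved the user "' + _.escape(model.get('email')) + '"';
 if(model.get('apiKey')) {
-message += '<br>API Key: <code>' + model.get('apiKey') + '</code>';
+message += '<br>API Key: <code>' + _.escape(model.get('apiKey')) + '</code>';
 }
 
 return message;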
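Review bot: Both interpolations on the changed lines are now escaped, which is right even for `apiKey` (a server-issued value, but escaping it costs nothing and removes a trust assumption), yet this message deliberately carries markup (`<br>`, `<code>`), so this is one builder that can never be switched to a text-only flash; say so at the top of the `message` function: `// Rendered as HTML: every interpolated value MUST pass through _.escape.` Separately, this surfaces a freshly issued API key in a flash message; if the flash survives route transitions the secret stays in the DOM longer than needed, and I cannot see the flash implementation from here, so confirm it is cleared on the next navigation. The `message` function's header and `return` are in the hunk, but its closing brace and the enclosing `submit` are not.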

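--- a/app/assets/javascripts/admin/controllers/apis_form_controller.js
+++ b/app/assets/javascripts/admin/controllers/apis_form_controller.js
@@ -21,7 +21,7 @@ Admin.ApisFormController = Ember.ObjectController.extend(Admin.Save, {
 submit: function() {
 this.save({
 transitionToRoute: 'apis',
-message: 'Successfully saved the "' + this.get('model.name') + '" API backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
+message: 'Successfully saved the "' + _.escape(this.get('model.name')) + '" API backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
 });
 },
 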
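Review bot: The changed `message:` line buries the one untrusted value inside a very long string that also carries `<br>`, `<strong>` and an `<a>`, which is exactly where the next reviewer will miss a missing `_.escape`; pull the escaped value out first so the data/markup boundary is visible at a glance: `var name = _.escape(this.get('model.name'));` above `this.save({`, then `message: 'Successfully saved the "' + name + '" API backend<br>...'`. The static `<a href="/admin/#/config/publish">` is fine as a literal, but a short comment that the only dynamic piece is `name` would document the invariant. The `submit` handler is entirely within the hunk; the controller definition is not.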
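--- a/app/assets/javascripts/admin/controllers/website_backends/form_controller.js
+++ b/app/assets/javascripts/admin/controllers/website_backends/form_controller.js
@@ -22,7 +22,7 @@ Admin.WebsiteBackendsFormController = Ember.ObjectController.extend(Admin.Save,
 submit: function() {
 this.save({
 transitionToRoute: 'website_backends',
-message: 'Successfully saved the "' + this.get('model.frontendHost') + '" website backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
+message: 'Successfully saved the "' + _.escape(this.get('model.frontendHost')) + '" website backend<br><strong>Note:</strong> Your changes are not yet live. <a href="/admin/#/config/publish">Publish Changes</a> to send your updates live.',
 });
 },
 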
Diff for: spec/cassettes/elasticsearch_templates.yml

+221

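--- a/spec/controllers/admin/stats_controller_spec.rb
+++ b/spec/controllers/admin/stats_controller_spec.rb
@@ -4,10 +4,11 @@
 login_admin
 
 before(:each) do
-begin
-LogItem.gateway.client.indices.delete :index => LogItem.index_name
-rescue Elasticsearch::Transport::Transport::Errors::NotFound # rubocop:disable Lint/HandleExceptions
-end
+LogItem.gateway.client.delete_by_query :index => LogItem.index_name, :body => {
+:query => {
+:match_all => {},
+},
+}
 end
 
 describe "GET logs" do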
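Review bot: The new `delete_by_query` is not followed by a refresh, so a search issued by the next example can still see documents from the previous one until Elasticsearch refreshes on its own schedule; add `LogItem.gateway.client.indices.refresh :index => LogItem.index_name` right after the delete (the old `indices.delete` had no such window because it removed the whole index). Dropping the `NotFound` rescue also means this `before` now raises if the index has not been created yet, so it depends on whatever creates the index and loads the mapping (not visible here, presumably the new cassette-backed setup) running first; a one-line comment stating that dependency would save the next person a confusing first run. Note too that delete-by-query was moved out of Elasticsearch core in 2.0, so if the target version is bumped this will need the plugin or a scroll-and-bulk-delete. The `describe` block enclosing this `before` starts above the hunk.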

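--- a/spec/factories/api_users.rb
+++ b/spec/factories/api_users.rb
@@ -13,6 +13,7 @@
 end
 
 factory :xss_api_user do
+email 'a@"><script class="xss-test">alert("Hello first_name");</script>.com'
 first_name '"><script class="xss-test">alert("Hello first_name");</script>'
 last_name '"><script class="xss-test">alert("Hello last_name");</script>'
 use_description '"><script class="xss-test">alert("Hello use_description");</script>'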
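Review bot: The new `email` payload only proves something if `ApiUser` actually persists `a@"><script ...>.com` as an email; if the model validates the address format, `create(:xss_api_user)` fails or the field never reaches the index, and the email column silently drops out of the XSS coverage — I cannot see the validation from here, so confirm the factory still builds and that the value round-trips into the analytics-by-users listing. The payload also reuses the `first_name` label, so a failing assertion cannot tell which field leaked; use `email 'a@"><script class="xss-test">alert("Hello email");</script>.com'`. The `factory :xss_api_user` block continues past the end of the hunk.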

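--- a/spec/factories/log_items.rb
+++ b/spec/factories/log_items.rb
@@ -3,13 +3,14 @@
 class LogItem
 include Elasticsearch::Persistence::Model
 
-index_name "api-umbrella-logs-2015-01"
+index_name "api-umbrella-logs-write-2015-01"
+document_type "log"
 
 attribute :api_key, String
-attribute :backend_response_time, Float
+attribute :backend_response_time, Integer
 attribute :internal_gatekeeper_time, Float
 attribute :internal_response_time, Float
-attribute :proxy_overhead, Float
+attribute :proxy_overhead, Integer
 attribute :request_accept_encoding, String
 attribute :request_at, Time
 attribute :request_hierarchy, Array
@@ -33,7 +34,7 @@ class LogItem
 attribute :response_server, String
 attribute :response_size, Integer
 attribute :response_status, Integer
-attribute :response_time, Float
+attribute :response_time, Integer
 attribute :user_email, String
 attribute :user_id, String
 attribute :user_registration_source, String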
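Review bot: Switching `backend_response_time`, `proxy_overhead` and `response_time` to `Integer` means this test model now silently truncates any fractional value a spec passes (Virtus coerces a `Float` with `to_i`, if I read its coercer right — confirm), and the fact that the other timing fields stay `Float` says the split mirrors the real mapping rather than a rule of thumb; record that on the `index_name` line so nobody "fixes" it later: `# Index name and attribute types mirror the production Elasticsearch template; keep them in sync or fields are indexed with the wrong type.` The hard-coded `api-umbrella-logs-write-2015-01` also means a log item with a `request_at` outside January 2015 lands in an index the analytics queries may not consult, depending on how they choose indices, which is worth a short note beside it. The `LogItem` class continues between and past the two hunks.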
