
NMS-15782: prevent multiple XSS mishaps
fooker committed Jul 13, 2023
1 parent fd9fd71 commit 0222ab1
Showing 11 changed files with 25 additions and 16 deletions.
Expand Up @@ -35,6 +35,7 @@
org.opennms.netmgt.model.monitoringLocations.OnmsMonitoringLocation"%>

<%@ page import="com.google.common.base.Strings" %>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="element" tagdir="/WEB-INF/tags/element" %>
Expand Down Expand Up @@ -106,11 +107,11 @@
for (OnmsMonitoringLocation monitoringLocation : monitoringLocations) {
if (selectedMonitoringLocation.equals(monitoringLocation.getLocationName())) {
%>
<option value="<%=monitoringLocation.getLocationName()%>" selected><%=monitoringLocation.getLocationName()%></option>
<option value="<%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>" selected><%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%></option>
<%
} else {
%>
<option value="<%=monitoringLocation.getLocationName()%>"><%=monitoringLocation.getLocationName()%></option>
<option value="<%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>"><%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%></option>
<%
}
}
3 changes: 2 additions & 1 deletion opennms-webapp/src/main/webapp/admin/discovery/add-er.jsp
Expand Up @@ -41,6 +41,7 @@
org.opennms.web.admin.discovery.ActionDiscoveryServlet,
org.opennms.web.admin.discovery.DiscoveryScanServlet
"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
Expand Down Expand Up @@ -134,7 +135,7 @@ function doAddExcludeRange(){
<div class="col-sm-10">
<select id="location" class="form-control custom-select" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div>
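Review bot: Line 53 writes the same escaped string into two different HTML contexts — the `value="…"` attribute and the option's text — so this fix only holds if `WebSecurityUtils.sanitizeString` escapes double quotes as well as angle brackets; if it only neutralizes tags, a location name containing `"` can still break out of the attribute. The helper's implementation is not part of this diff, so that is worth confirming against `org.opennms.core.utils.WebSecurityUtils`. If the JSTL `c` taglib is declared on this page, `<c:out value="${key}"/>` (escapeXml on by default) would cover both contexts without relying on the custom helper. The `key.equals(...)` comparison correctly keeps using the raw key.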
Expand Up @@ -44,6 +44,7 @@
org.opennms.web.admin.discovery.ActionDiscoveryServlet,
org.opennms.web.admin.discovery.DiscoveryScanServlet
"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
Expand Down Expand Up @@ -131,7 +132,7 @@ function doAddExcludeUrl() {
<div class="col-sm-10">
<select id="location" class="form-control custom-select" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div>
5 changes: 3 additions & 2 deletions opennms-webapp/src/main/webapp/admin/discovery/add-ir.jsp
Expand Up @@ -43,6 +43,7 @@
org.opennms.web.admin.discovery.ActionDiscoveryServlet,
org.opennms.web.admin.discovery.DiscoveryScanServlet
"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
Expand Down Expand Up @@ -180,7 +181,7 @@ function doAddIncludeRange(){
<select id="foreignsource" class="form-control custom-select" name="foreignsource">
<option value="" <%if (!currConfig.getForeignSource().isPresent()) out.print("selected");%>>None selected</option>
<% for (String key : foreignsources.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=foreignsources.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(foreignsources.get(key))%></option>
<% } %>
</select>
</div>
Expand All @@ -190,7 +191,7 @@ function doAddIncludeRange(){
<div class="col-sm-10">
<select id="location" class="form-control custom-select" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div>
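Review bot: Lines 92 and 101 now call `WebSecurityUtils.sanitizeString` twice per iteration with the escaped key and label spread across a single long line, which makes it easy to miss a sink the next time an attribute is added to the option. Hoisting the escaped values into locals at the top of each loop body — `String safeKey = WebSecurityUtils.sanitizeString(key);` and `String safeLabel = WebSecurityUtils.sanitizeString(foreignsources.get(key));` — keeps each `<option>` readable and leaves one place to audit per select. The comparison against `currConfig` should keep using the raw `key`, as it does now.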
Expand Up @@ -44,6 +44,7 @@
org.opennms.web.admin.discovery.DiscoveryServletConstants,
org.opennms.web.admin.discovery.ActionDiscoveryServlet
"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
Expand Down Expand Up @@ -162,7 +163,7 @@ function doAddSpecific(){
<div class="col-sm-10">
<select id="location" class="form-control custom-select" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div>
5 changes: 3 additions & 2 deletions opennms-webapp/src/main/webapp/admin/discovery/add-url.jsp
Expand Up @@ -44,6 +44,7 @@
org.opennms.web.admin.discovery.ActionDiscoveryServlet,
org.opennms.web.admin.discovery.DiscoveryScanServlet
"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
Expand Down Expand Up @@ -146,7 +147,7 @@ function doAddIncludeUrl() {
<select id="foreignsource" class="form-control custom-select" name="foreignsource">
<option value="" <%if (!currConfig.getForeignSource().isPresent()) out.print("selected");%>>None selected</option>
<% for (String key : foreignsources.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=foreignsources.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(foreignsources.get(key))%></option>
<% } %>
</select>
</div>
Expand All @@ -156,7 +157,7 @@ function doAddIncludeUrl() {
<div class="col-sm-10">
<select id="location" class="form-control custom-select" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div>
Expand Up @@ -255,7 +255,7 @@ for (Requisition requisition : reqAccessService.getRequisitions()) {
<label for="location" class="col-form-label col-md-4">Location</label>
<select id="location" class="form-control custom-select col-md-8" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div> <!-- form-group -->
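Review bot: Line 160 starts using `WebSecurityUtils.sanitizeString`, but unlike the other discovery pages in this commit no `<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>` hunk is shown for this file. Unless the page already imports that class (or a wildcard covering `org.opennms.core.utils`), the JSP will fail to compile on first request rather than at build time, so the import is worth confirming. The enclosing `for (Requisition …)` block starts outside the hunk.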
5 changes: 3 additions & 2 deletions opennms-webapp/src/main/webapp/admin/discovery/edit-scan.jsp
Expand Up @@ -44,6 +44,7 @@
org.opennms.web.admin.discovery.DiscoveryServletConstants,
org.opennms.web.admin.discovery.DiscoveryScanServlet"
%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
Expand Down Expand Up @@ -222,15 +223,15 @@ for (Requisition requisition : reqAccessService.getRequisitions()) {
<select id="foreignsource" class="form-control custom-select col-md-8" name="foreignsource">
<option value="" <%if (!currConfig.getForeignSource().isPresent()) out.print("selected");%>>None selected</option>
<% for (String key : foreignsources.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=foreignsources.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(foreignsources.get(key))%></option>
<% } %>
</select>
</div> <!-- form-group -->
<div class="form-group form-row">
<label for="location" class="col-form-label col-md-4">Location</label>
<select id="location" class="form-control custom-select col-md-8" name="location">
<% for (String key : locations.keySet()) { %>
<option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
<option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
<% } %>
</select>
</div> <!-- form-group -->
5 changes: 3 additions & 2 deletions opennms-webapp/src/main/webapp/asset/index.jsp
Expand Up @@ -37,6 +37,7 @@
org.opennms.web.element.NetworkElementFactory
"
%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%!
protected AssetModel model;
Expand Down Expand Up @@ -115,13 +116,13 @@
<ul class="list-unstyled mb-0" style="width:48%; margin-right:2%; float:left;">
<% for( int i=0; i < middle; i++ ) {%>
<% Asset asset = (Asset)assetsList.get(i); %>
<li> <%=asset.getAssetNumber()%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId())%></a></li>
<li> <%=WebSecurityUtils.sanitizeString(asset.getAssetNumber())%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=WebSecurityUtils.sanitizeString(NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId()))%></a></li>
<% } %>
</ul>
<ul class="list-unstyled mb-0" style="width:50%; float:left;">
<% for( int i=middle; i < assetCount; i++ ) {%>
<% Asset asset = (Asset)assetsList.get(i); %>
<li><%=asset.getAssetNumber()%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId())%></a></li>
<li><%=WebSecurityUtils.sanitizeString(asset.getAssetNumber())%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=WebSecurityUtils.sanitizeString(NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId()))%></a></li>
<% } %>
</ul>
</div> <!-- card-body -->
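Review bot: Lines 209 and 216 now escape the asset number and node label, but the `node=<%=asset.getNodeId()%>` query parameter in the same anchor is still written raw into the `href` attribute. If `getNodeId()` returns an `int` this is harmless, but the diff does not show its type; if it is a `String` it is the same attribute-context sink as the rest of the line, and wrapping it as `WebSecurityUtils.sanitizeString(String.valueOf(asset.getNodeId()))` (or building the link with `<c:url>`) keeps the line uniformly escaped. Separately, `NetworkElementFactory.getInstance(getServletContext())` is looked up once per asset in both loops and could be hoisted above them.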
2 changes: 1 addition & 1 deletion opennms-webapp/src/main/webapp/asset/modify.jsp
Expand Up @@ -110,7 +110,7 @@
<%-- Standard fields with typeahead suggestions --%>
<input type="text" class="form-control" id="{{ field.model }}" name="{{ field.model }}" ng-model="asset[field.model]" ng-if="field.type=='text'"
typeahead-editable="true" typeahead-min-length="0" ng-pattern="field.pattern"
uib-typeahead="suggestion for suggestion in getSuggestions(field.model) | filter:$viewValue"
uib-typeahead="_.escape(suggestion) for suggestion in getSuggestions(field.model) | filter:$viewValue"
ng-class="{ 'is-invalid': assetForm[field.model].$invalid && !assetForm[field.model].$pristine }">
<%-- Password fields --%>
<%-- Set `autocomplete="new-password"` to prevent autocomplete.
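Review bot: `_.escape(suggestion)` on line 228 is an AngularJS expression and is evaluated against `$scope`, not `window`, so unless the page's controller exposes lodash/underscore on the scope (e.g. `$scope._ = _;`) the call resolves to `undefined` under Angular's forgiving expression evaluation and every suggestion renders with an empty label, silently breaking the typeahead. Escaping the label is the right mitigation here, since the default ui-bootstrap typeahead template passes the label through `uibTypeaheadHighlight` into `ng-bind-html`, but it should go through a scope helper — `escape(suggestion) for suggestion in getSuggestions(field.model) | filter:$viewValue` with `$scope.escape = _.escape;` in the controller — or the page should load `ngSanitize` so the highlight filter sanitizes instead of trusting the HTML. The controller is not part of this diff, so confirm which applies.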
3 changes: 2 additions & 1 deletion opennms-webapp/src/main/webapp/element/index.jsp
Expand Up @@ -36,6 +36,7 @@
org.opennms.web.element.*,
org.opennms.web.asset.*,
org.opennms.netmgt.model.monitoringLocations.OnmsMonitoringLocation"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%!
protected AssetModel model;
Expand Down Expand Up @@ -155,7 +156,7 @@
<div class="input-group">
<select class="custom-select" id="bymonitoringLocation_monitoringLocation" name="monitoringLocation">
<% for (OnmsMonitoringLocation monitoringLocation : monitoringLocations) { %>
<option value="<%=monitoringLocation.getLocationName()%>"><%=monitoringLocation.getLocationName()%>
<option value="<%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>"><%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>
</option>
<% } %>
</select>
