NMS-13125: Escape userId & groupId
christianpape committed Mar 5, 2021
1 parent 101e3aa commit f3ebfa3
Showing 10 changed files with 43 additions and 32 deletions.
Expand Up @@ -40,6 +40,7 @@
%>

<%@page import="org.opennms.web.group.WebGroup"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%
WebGroup group = (WebGroup)request.getAttribute("group");
Expand All @@ -60,13 +61,13 @@
<div class="col-md-6">
<div class="card">
<div class="card-header">
<span>Details for Group: <%=group.getName()%></span>
<span>Details for Group: <%=WebSecurityUtils.sanitizeString(group.getName())%></span>
</div>
<table class="table table-sm">
<tr>
<th>Comments:</th>
<td width="75%">
<%=group.getComments()%>
<%=WebSecurityUtils.sanitizeString(group.getComments())%>
</td>
</tr>
<tr>
Expand All @@ -79,7 +80,7 @@
<% } else { %>
<ul class="list-unstyled">
<% for (String user : users) { %>
<li> <%=user%> </li>
<li> <%=WebSecurityUtils.sanitizeString(user)%> </li>
<% } %>
</ul>
<% } %>
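Review bot: The new directive `<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>` uses different spacing from the `<%@page import="org.opennms.web.group.WebGroup"%>` line directly above it; the same mismatch recurs in the import hunks of modifyGroup.jsp, users/list.jsp and modifyUser.jsp. Both forms are valid JSP, but matching the neighbouring line (`<%@page import="org.opennms.core.utils.WebSecurityUtils"%>`) keeps each directive block uniform and easier to scan.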
Expand Up @@ -30,6 +30,7 @@
--%>

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<jsp:include page="/includes/bootstrap.jsp" flush="false" >
<jsp:param name="title" value="Group Configuration" />
Expand Down Expand Up @@ -116,37 +117,37 @@
<th>Comments</th>
</tr>
<c:forEach var="group" varStatus="groupStatus" items="${groups}">
<tr class="divider ${groupStatus.index % 2 == 0 ? 'even' : 'odd'}" id="group-${group.name}">
<tr class="divider ${groupStatus.index % 2 == 0 ? 'even' : 'odd'}" id="group-${fn:escapeXml(group.name)}">
<td width="5%" class="text-center">
<c:choose>
<c:when test='${group.name != "Admin"}'>
<a id="${group.name}.doDelete" href="javascript:deleteGroup('${group.name}')" onclick="return confirm('Are you sure you want to delete the group ${group.name}?')"><i class="fa fa-trash-o fa-2x"></i></a>
<c:when test='${fn:escapeXml(group.name) != "Admin"}'>
<a id="${group.name}.doDelete" href="javascript:deleteGroup('${fn:escapeXml(group.name)}')" onclick="return confirm('Are you sure you want to delete the group ${fn:escapeXml(group.name)}?')"><i class="fa fa-trash-o fa-2x"></i></a>
</c:when>
<c:otherwise>
<i class="fa fa-trash-o fa-2x" onclick="alert('Sorry, the ${group.name} group cannot be deleted.')"></i>
<i class="fa fa-trash-o fa-2x" onclick="alert('Sorry, the ${fn:escapeXml(group.name)} group cannot be deleted.')"></i>
</c:otherwise>
</c:choose>
</td>
<td width="5%" class="text-center">
<a id="${group.name}.doModify" href="javascript:modifyGroup('${group.name}')"><i class="fa fa-edit fa-2x"></i></a>
<a id="${fn:escapeXml(group.name)}.doModify" href="javascript:modifyGroup('${fn:escapeXml(group.name)}')"><i class="fa fa-edit fa-2x"></i></a>
</td>
<td width="5%" class="text-center">
<c:choose>
<c:when test='${group.name != "Admin"}'>
<button id="${group.name}.doRename" type="button" class="btn btn-secondary" name="rename" onclick="renameGroup('${group.name}')">Rename</button>
<button id="${fn:escapeXml(group.name)}.doRename" type="button" class="btn btn-secondary" name="rename" onclick="renameGroup('${fn:escapeXml(group.name)}')">Rename</button>
</c:when>
<c:otherwise>
<button id="${group.name}.doRename" type="button" class="btn btn-secondary" name="rename" onclick="alert('Sorry, the Admin group cannot be renamed.')">Rename</button>
<button id="${fn:escapeXml(group.name)}.doRename" type="button" class="btn btn-secondary" name="rename" onclick="alert('Sorry, the Admin group cannot be renamed.')">Rename</button>
</c:otherwise>
</c:choose>
</td>
<td>
<a href="javascript:detailGroup('${group.name}')">${group.name}</a>
<a href="javascript:detailGroup('${fn:escapeXml(group.name)}')">${fn:escapeXml(group.name)}</a>
</td>
<td>
<c:choose>
<c:when test="${group.comments.isPresent()}">
${group.comments.get()}
${fn:escapeXml(group.comments.get())}
</c:when>

<c:otherwise>
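Review bot: The delete link's `id` on the `<a id="${group.name}.doDelete" ...>` line is still interpolated raw, while the sibling `.doModify` and `.doRename` ids in the same hunk now use `fn:escapeXml`; it should read `id="${fn:escapeXml(group.name)}.doDelete"`. Separately, `fn:escapeXml` is an HTML-context encoder, yet the hunk also applies it inside JavaScript string literals (`href="javascript:deleteGroup('…')"` and the `onclick` confirm/alert calls), and the HTML parser decodes those entities back before the script is parsed, so a name containing a single quote still terminates the literal; the same pattern appears in users/list.jsp with deleteUser/modifyUser/renameUser/detailUser. A safer shape is to carry the escaped name in a `data-group-name` attribute, drop the `javascript:` hrefs, and have the existing deleteGroup/modifyGroup/renameGroup/detailGroup functions read it from the event target in a bound handler. The `fn:escapeXml(group.name) != "Admin"` comparison in the `<c:when>` test gains nothing from escaping and should compare the raw value, as the original did.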
Expand Up @@ -39,6 +39,7 @@
"
%>
<%@page import="org.opennms.web.group.WebGroup"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%
WebGroup group = (WebGroup)session.getAttribute("group.modifyGroup.jsp");
Expand Down Expand Up @@ -463,7 +464,7 @@
private String createSelectList(String name, String[] categories) {
StringBuffer buffer = new StringBuffer("<select class=\"form-control custom-select\" multiple=\"multiple\" name=\""+name+"\" size=\"10\">");
for(String category : categories){
buffer.append("<option>" + category + "</option>");
buffer.append("<option>" + WebSecurityUtils.sanitizeString(category) + "</option>");
}
buffer.append("</select>");
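Review bot: The `<option>` elements built in `createSelectList` carry no `value` attribute, so the browser submits the option text; whether that still equals the stored category after the change depends on whether `WebSecurityUtils.sanitizeString` encodes (entities are decoded before submission, so the value round-trips) or strips characters (a category containing them can then no longer be selected). Worth confirming against the helper, and if it strips, an HTML-escaping function is the right tool for this text position. The `name` parameter on the line above the loop is concatenated unescaped into the `name=\"...\"` attribute, which is fine only as long as every caller passes a literal — a one-line comment stating that expectation would help. `StringBuffer` adds synchronization a method-local buffer does not need; `StringBuilder` is the conventional choice. The method's return statement lies below the hunk.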
Expand Up @@ -449,7 +449,7 @@
</tr>
<% for (OnmsAcknowledgment ack : acks) {%>
<tr class="severity-<%=alarm.getSeverity().getLabel().toLowerCase()%>">
<td><%=ack.getAckUser()%></td>
<td><%=WebSecurityUtils.sanitizeString(ack.getAckUser())%></td>
<td><%=ack.getAckAction()%></td>
<td><onms:datetime date="<%=ack.getAckTime()%>" /></td>
</tr>
Expand Up @@ -107,7 +107,7 @@
<th class="col-1">Node</th>
<td ${acknowledgeEvent ? '' : 'colspan="3"'} class="${acknowledgeEvent ? 'col-3' : 'col-7'}">
<% if( event.getNodeId() > 0 ) { %>
<a href="element/node.jsp?node=<%=event.getNodeId()%>"><%=event.getNodeLabel()%></a>
<a href="element/node.jsp?node=<%=event.getNodeId()%>"><%=WebSecurityUtils.sanitizeString(event.getNodeLabel())%></a>
<% } else {%>
&nbsp;
<% } %>
Expand Up @@ -72,7 +72,7 @@
<th class="col-2">Node</th>
<td class="col-2">
<% if( outage.getNodeId() > 0 ) { %>
<a href="element/node.jsp?node=<%=outage.getNodeId()%>"><%=outage.getNodeLabel()%></a>
<a href="element/node.jsp?node=<%=outage.getNodeId()%>"><%=WebSecurityUtils.sanitizeString(outage.getNodeLabel())%></a>
<% } else {%>
&nbsp;
<% } %>
27 changes: 16 additions & 11 deletions opennms-webapp/src/main/webapp/admin/userGroupView/users/list.jsp
Expand Up @@ -36,6 +36,10 @@
<%@page import="java.util.*" %>
<%@page import="org.opennms.netmgt.config.*" %>
<%@page import="org.opennms.netmgt.config.users.*" %>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%@taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<%
UserManager userFactory;
Map<String,User> users = null;
Expand Down Expand Up @@ -97,7 +101,7 @@
var newID = prompt("Enter new name for user.", userID);
if (newID != null && newID != "") {
if (/.*[&<>"`']+.*/.test(newId)) {
if (/.*[&<>"`']+.*/.test(newID)) {
alert("The user ID must not contain any HTML markup.");
return;
}
Expand Down Expand Up @@ -154,54 +158,55 @@
String textService = userFactory.getTextPage(userid);
String numericPin = userFactory.getNumericPin(userid);
String textPin = userFactory.getTextPin(userid);
String sanitizedUserId = WebSecurityUtils.sanitizeString(curUser.getUserId());
%>
<tr id="user-<%= userid %>">
<% if (!curUser.getUserId().equals("admin") && !curUser.getUserId().equals("rtc")) { %>
<td rowspan="2" class="text-center">
<a id="<%= "users("+curUser.getUserId()+").doDelete" %>" href="javascript:deleteUser('<%=curUser.getUserId()%>')" onclick="return confirm('Are you sure you want to delete the user <%=curUser.getUserId()%>?')"><i class="fa fa-trash-o fa-2x"></i></a>
<a id="<%= "users("+sanitizedUserId+").doDelete" %>" href="javascript:deleteUser('<%=sanitizedUserId%>')" onclick="return confirm('Are you sure you want to delete the user <%=sanitizedUserId%>?')"><i class="fa fa-trash-o fa-2x"></i></a>
</td>
<% } else { %>
<td rowspan="2" class="text-center">
<i class="fa fa-trash-o fa-2x" onclick="alert('Sorry, the admin user cannot be deleted.')"></i>
</td>
<% } %>
<td rowspan="2" class="text-center">
<a id="<%= "users("+curUser.getUserId()+").doModify" %>" href="javascript:modifyUser('<%=curUser.getUserId()%>')"><i class="fa fa-edit fa-2x"></i></a>
<a id="<%= "users("+sanitizedUserId+").doModify" %>" href="javascript:modifyUser('<%=sanitizedUserId%>')"><i class="fa fa-edit fa-2x"></i></a>
</td>
<td rowspan="2" class="text-center">
<% if ( !curUser.getUserId().equals("admin")) { %>
<button id="<%= "users("+curUser.getUserId()+").doRename" %>" class="btn btn-secondary" name="rename" onclick="renameUser('<%=curUser.getUserId()%>')">Rename</button>
<button id="<%= "users("+sanitizedUserId+").doRename" %>" class="btn btn-secondary" name="rename" onclick="renameUser('<%=sanitizedUserId%>')">Rename</button>
<% } else { %>
<button id="<%= "users("+curUser.getUserId()+").doRename" %>" class="btn btn-secondary" name="rename" onclick="alert('Sorry, the admin user cannot be renamed.')">Rename</button>
<button id="<%= "users("+sanitizedUserId+").doRename" %>" class="btn btn-secondary" name="rename" onclick="alert('Sorry, the admin user cannot be renamed.')">Rename</button>
<% } %>
</td>
<td>
<a id="<%= "users("+curUser.getUserId()+").doDetails" %>" href="javascript:detailUser('<%=curUser.getUserId()%>')"><%=curUser.getUserId()%></a>
<a id="<%= "users("+sanitizedUserId+").doDetails" %>" href="javascript:detailUser('<%=sanitizedUserId%>')"><%=sanitizedUserId%></a>
</td>
<td>
<div id="<%= "users("+curUser.getUserId()+").fullName" %>">
<div id="<%= "users("+sanitizedUserId+").fullName" %>">
<%= (curUser.getFullName().orElse("")) %>
</div>
</td>
<td>
<div id="<%= "users("+curUser.getUserId()+").email" %>">
<div id="<%= "users("+sanitizedUserId+").email" %>">
<%= ((email == null || email.equals("")) ? "&nbsp;" : email) %>
</div>
</td>
<td>
<div id="<%= "users("+curUser.getUserId()+").pagerEmail" %>">
<div id="<%= "users("+sanitizedUserId+").pagerEmail" %>">
<%= ((pagerEmail == null || pagerEmail.equals("")) ? "&nbsp;" : pagerEmail) %>
</div>
</td>
<td>
<div id="<%= "users("+curUser.getUserId()+").xmppAddress" %>">
<div id="<%= "users("+sanitizedUserId+").xmppAddress" %>">
<%= ((xmppAddress == null || xmppAddress.equals("")) ? "&nbsp;" : xmppAddress) %>
</div>
</td>
</tr>
<tr>
<td colspan="5">
<div id="<%= "users("+curUser.getUserId()+").userComments" %>">
<div id="<%= "users("+sanitizedUserId+").userComments" %>">
<%= (curUser.getUserComments().orElse("No Comments")) %>
</div>
</td>
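Review bot: The row's own id on `<tr id="user-<%= userid %>">` still emits `userid` unescaped, while every other id in the hunk now uses `sanitizedUserId`; if `userid` holds the same value as `curUser.getUserId()` (its declaration is above the hunk), this should be `<tr id="user-<%= sanitizedUserId %>">`. The full name, email, pager email, XMPP address and user comments cells (`<%= (curUser.getFullName().orElse("")) %>` and the four lines like it) are still written raw into HTML text; if those fields are editable they are the same bug class as the ids, even though the commit title scopes itself to userId and groupId. The corrected `newID` regex check on the rename prompt is client-side only and presumably has, or needs, a matching rule in the servlet that performs the rename.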
Expand Up @@ -40,6 +40,7 @@
<%@page import="org.opennms.netmgt.config.users.*"%>
<%@page import="org.opennms.web.api.Util"%>
<%@page import="org.opennms.web.api.Authentication"%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>

<%!
Expand Down Expand Up @@ -253,15 +254,15 @@
</script>

<form role="form" class="form-horizontal" id="modifyUser" method="post" name="modifyUser">
<input id="userID" type="hidden" name="userID" value="<%=user.getUserId()%>"/>
<input id="userID" type="hidden" name="userID" value="<%=WebSecurityUtils.sanitizeString(user.getUserId())%>"/>
<input id="password" type="hidden" name="password"/>
<input id="redirect" type="hidden" name="redirect"/>

<div class="row">
<div class="col-md-6">
<div class="card">
<div class="card-header">
<span>Modify User: <%=userid%></span>
<span>Modify User: <%=WebSecurityUtils.sanitizeString(userid)%></span>
</div>
<div class="card-body">
<h3>User Password</h3>
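Review bot: The hidden `userID` field's value now passes through `sanitizeString`, and that value is what the form posts back to identify the user being modified; if the helper HTML-encodes, the browser decodes the attribute before submission and the id round-trips, but if it strips characters the post names a different id than the one that was loaded. Confirm which the helper does; if it strips, an HTML-attribute escaper is the correct tool for the `value="..."` position. The enclosing `<form>` (context line, unchanged) declares `method="post"` but no `action`, so the post goes to the page's own URL; an explicit `action` or a short comment would make that intent visible.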
Expand Up @@ -39,6 +39,8 @@
org.opennms.web.servlet.MissingParameterException
"
%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
<%@ page import="java.util.stream.Collectors" %>

<%
User user = null;
Expand Down Expand Up @@ -72,7 +74,7 @@
<div class="col-md-6">
<div class="card">
<div class="card-header">
<span>Details for User: <%=user.getUserId()%></span>
<span>Details for User: <%=WebSecurityUtils.sanitizeString(user.getUserId())%></span>
</div>
<table class="table table-sm">
<tr>
4 changes: 2 additions & 2 deletions opennms-webapp/src/main/webapp/notification/detail.jsp
Expand Up @@ -114,7 +114,7 @@
</c:choose>
</td>
<th class="col-md-1">Responder</th>
<td class="col-md-2"><%=notice.getResponder()!=null ? notice.getResponder() : "&nbsp;"%></td>
<td class="col-md-2"><%=notice.getResponder()!=null ? WebSecurityUtils.sanitizeString(notice.getResponder()) : "&nbsp;"%></td>
<th class="col-md-1">Location</th>
<td class="col-md-2">
<c:choose>
Expand Down Expand Up @@ -237,7 +237,7 @@
<% for (NoticeSentTo sentTo : notice.getSentTo()) { %>

<tr class="severity-<%=eventSeverity.toLowerCase()%>">
<td><%=sentTo.getUserId()%></td>
<td><%=WebSecurityUtils.sanitizeString(sentTo.getUserId())%></td>

<td>
<c:choose>
