Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NMS-8722: XSS vulnerability in display of SNMP sysName and trap varbind values #1019

Merged
merged 4 commits into from
Sep 14, 2016
Merged

NMS-8722: XSS vulnerability in display of SNMP sysName and trap varbind values #1019

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0d7fc28
Fix NMS-8722: XSS vulnerability in SNMP trap and sysName display
Sep 9, 2016
29007e7
Follow-on work for NMS-8722
Sep 12, 2016
7caadc7
Change WebSecurityUtils to use OWASP Java Encoder
Sep 13, 2016
4b65e70
Merge branch 'foundation-2016' of github.com:OpenNMS/opennms into jir…
Sep 13, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions core/lib/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,12 @@
<groupId>org.opennms.core</groupId>
<artifactId>org.opennms.core.api</artifactId>
</dependency>
<dependency>
<groupId>org.opennms.dependencies</groupId>
<artifactId>owasp-encoder-dependencies</artifactId>
<scope>compile</scope>
<type>pom</type>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
Expand Down
21 changes: 15 additions & 6 deletions core/lib/src/main/java/org/opennms/core/utils/WebSecurityUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
/*******************************************************************************
* This file is part of OpenNMS(R).
*
* Copyright (C) 2008-2014 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2014 The OpenNMS Group, Inc.
* Copyright (C) 2008-2016 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2016 The OpenNMS Group, Inc.
*
* OpenNMS(R) is a registered trademark of The OpenNMS Group, Inc.
*
Expand Down Expand Up @@ -31,6 +31,8 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.encoder.Encode;

/**
* <p>WebSecurityUtils class.</p>
*
Expand All @@ -47,6 +49,8 @@ public abstract class WebSecurityUtils {

private static final Pattern scriptPattern = Pattern.compile("script", Pattern.CASE_INSENSITIVE);

private static final Pattern imgOnErrorPattern = Pattern.compile("(img[^>]+)o(nerror=[^>]+>)", Pattern.CASE_INSENSITIVE);

/**
* <p>sanitizeString</p>
*
Expand Down Expand Up @@ -82,11 +86,16 @@ public static String sanitizeString(String raw, boolean allowHTML)
if (raw==null || raw.length()==0) {
return raw;
}
String next;

if (allowHTML) {
Matcher scriptMatcher = scriptPattern.matcher(raw);
next = scriptMatcher.replaceAll("&#x73;cript");

Matcher scriptMatcher = scriptPattern.matcher(raw);
String next = scriptMatcher.replaceAll("&#x73;cript");
if (!allowHTML) {
next = next.replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;");
Matcher imgOnErrorMatcher = imgOnErrorPattern.matcher(next);
next = imgOnErrorMatcher.replaceAll("$1&#x6f;$2");
} else {
next = Encode.forHtmlContent(raw);
}
return next;
}
Expand Down
18 changes: 11 additions & 7 deletions core/lib/src/test/java/org/opennms/core/utils/WebSecurityUtilsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@

package org.opennms.core.utils;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
Expand All @@ -46,24 +47,27 @@ public class WebSecurityUtilsTest {
@Test
public void testBasicSanitizeString() {
String script = "<script>foo</script>";
String imgXss = "<img src=/ onerror=\"alert('XSS');\"></img>";
String html = "<table>";
script = WebSecurityUtils.sanitizeString(script);
imgXss = WebSecurityUtils.sanitizeString(imgXss);
html = WebSecurityUtils.sanitizeString(html);
assertTrue("Script is sanitized",
script.equals("&lt;&#x73;cript&gt;foo&lt;/&#x73;cript&gt;"));
assertTrue("Html is sanitized", html.equals("&lt;table&gt;"));
assertEquals("Script is sanitized", "&lt;script&gt;foo&lt;/script&gt;", script);
assertEquals("IMG XSS is sanitized", "&lt;img src=/ onerror=\"alert('XSS');\"&gt;&lt;/img&gt;", imgXss);
assertEquals("Html is sanitized", "&lt;table&gt;", html);
}

@Test
public void testHTMLallowedSanitizeString() {
String script = "<script>foo</script>";
String imgXss = "<img src=/ onerror=\"alert('XSS');\"></img>";
String html = "<table>";
script = WebSecurityUtils.sanitizeString(script, true);
imgXss = WebSecurityUtils.sanitizeString(imgXss, true);
html = WebSecurityUtils.sanitizeString(html, true);
assertTrue("Script is sanitized with HTML allowed",
script.equals("<&#x73;cript>foo</&#x73;cript>"));
assertTrue("HtmlTable is sanitized with HTML allowed, so unchanged",
html.equals("<table>"));
assertEquals("Script is sanitized with HTML allowed", "<&#x73;cript>foo</&#x73;cript>", script);
assertEquals("IMG XSS is sanitized with HTML allowed", "<img src=/ &#x6f;nerror=\"alert('XSS');\"></img>", imgXss);
assertEquals("HtmlTable is sanitized with HTML allowed, so unchanged", "<table>", html);
}

}
41 changes: 41 additions & 0 deletions dependencies/owasp-encoder/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>org.opennms</groupId>
<artifactId>dependencies</artifactId>
<version>17.0.1-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>org.opennms.dependencies</groupId>
<artifactId>owasp-encoder-dependencies</artifactId>
<packaging>pom</packaging>
<name>OpenNMS Dependencies OWASP Java Encoder</name>
<description>
This module is used to provide a single artifact that the opennms project
can depend on to use the OWASP Java Encoder
</description>
<dependencies>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>${owaspEncoderVersion}</version>
<exclusions>
<exclusion>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder-jsp</artifactId>
<version>${owaspEncoderVersion}</version>
<exclusions>
<exclusion>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</project>
1 change: 1 addition & 0 deletions dependencies/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
<module>mina</module>
<module>netty</module>
<module>newts</module>
<module>owasp-encoder</module>
<module>pax-exam</module>
<module>quartz</module>
<module>rancid</module>
Expand Down
6 changes: 3 additions & 3 deletions opennms-webapp/src/main/webapp/WEB-INF/jsp/notification/list.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
/*******************************************************************************
* This file is part of OpenNMS(R).
*
* Copyright (C) 2002-2014 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2014 The OpenNMS Group, Inc.
* Copyright (C) 2002-2016 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2016 The OpenNMS Group, Inc.
*
* OpenNMS(R) is a registered trademark of The OpenNMS Group, Inc.
*
Expand Down Expand Up @@ -296,7 +296,7 @@
</td>
</tr>
<tr class="severity-<%=eventSeverity%>">
<td colspan="6"><%=notification.getTextMessage()%></td>
<td colspan="6"><%=WebSecurityUtils.sanitizeString(notification.getTextMessage())%></td>
</tr>
<% } /*end for*/%>
</table>
Expand Down
6 changes: 3 additions & 3 deletions opennms-webapp/src/main/webapp/includes/eventlist.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
/*******************************************************************************
* This file is part of OpenNMS(R).
*
* Copyright (C) 2002-2014 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2014 The OpenNMS Group, Inc.
* Copyright (C) 2002-2016 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2016 The OpenNMS Group, Inc.
*
* OpenNMS(R) is a registered trademark of The OpenNMS Group, Inc.
*
Expand Down Expand Up @@ -191,7 +191,7 @@
<% } %>
<td class="divider"><fmt:formatDate value="${event.time}" type="date" dateStyle="short"/>&nbsp;<fmt:formatDate value="${event.time}" type="time" pattern="HH:mm:ss"/></td>
<td class="divider bright"><%= event.getSeverity().getLabel() %></td>
<td class="divider"><%=event.getLogMessage()%></td>
<td class="divider"><%=WebSecurityUtils.sanitizeString(event.getLogMessage())%></td>
</tr>
<% } %>

Expand Down
7 changes: 7 additions & 0 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1299,6 +1299,7 @@
<oroVersion>2.0.8</oroVersion>
<osgiVersion>5.0.0</osgiVersion>
<osgiEnterpriseVersion>5.0.0</osgiEnterpriseVersion>
<owaspEncoderVersion>1.2</owaspEncoderVersion>
<quartzVersion>1.6.5</quartzVersion>
<slf4jVersion>1.7.21</slf4jVersion>
<snmp4jVersion>2.4.3</snmp4jVersion>
Expand Down Expand Up @@ -2683,6 +2684,12 @@
<version>${project.version}</version>
<type>pom</type>
</dependency>
<dependency>
<groupId>org.opennms.dependencies</groupId>
<artifactId>owasp-encoder-dependencies</artifactId>
<version>${project.version}</version>
<type>pom</type>
</dependency>

<!-- external dependencies -->
<!-- PLEASE KEEP THESE IN ALPHABETICAL ORDER -->
Expand Down