Skip to content
This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Fix(security): Sanitize queries in the list of trap groups #12022

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Fix(security): Sanitize queries in the list of trap groups #12022

wants to merge 1 commit into from

Conversation

emabassi-ext
Copy link
Contributor

@emabassi-ext emabassi-ext commented Oct 20, 2022
edited

Description

Fix XSS security vulnerabilities
Fixes # MON-15375

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software

Target serie

  • 21.04.x
  • 21.10.x
  • 22.04.x
  • 22.10.x (master)

How this pull request can be tested ?

  1. Configure LDAP authentication
  2. Click on “Import users” (Configuration > Users > contact / Users)
  3. Click on “Search”

You must still see results

Checklist

Community contributors & Centreon team

  • I have followed the coding style guidelines provided by Centreon
  • I have commented my code, especially new classes, functions or any legacy code modified. (docblock)
  • I have commented my code, especially hard-to-understand areas of the PR.
  • I have rebased my development branch on the base branch (master, maintenance).

@emabassi-ext emabassi-ext requested a review from a team October 20, 2022 11:07
@emabassi-ext emabassi-ext self-assigned this Oct 20, 2022
@sonarqube-decoration
Copy link

SonarQube Quality Gate

Quality Gate passed

Bug E 1 Bug
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell C 1 Code Smell

No Coverage information No Coverage information
0.0% 0.0% Duplication

@emabassi-ext emabassi-ext changed the title Fix: XSS security vulnerabilities in ajaxLdapSearch.js Fix: security Oct 21, 2022
callapa
callapa suggested changes Oct 24, 2022
View reviewed changes
www/include/common/javascript/ContactAjaxLDAP/ajaxLdapSearch.js
@@ -96,7 +96,7 @@ function LdapSearch() {
// defining what we should do when we got a reply
xhrM.onreadystatechange = function () {
// doing nothing until we got everything and a status 200
document.getElementById('ldap_search_result_output').innerHTML = xhrM.responseText;
document.getElementById('ldap_search_result_output').innerHTML = DOMPurify.sanitize(xhrM.responseText);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You must not include a new library without prior agreement

@emabassi-ext emabassi-ext changed the title Fix: security Fix(security): Sanitize queries in the list of trap groups Oct 27, 2022
@kduret kduret mentioned this pull request Nov 8, 2022
Merged
11 tasks
@kduret
Copy link
Contributor

kduret commented Nov 8, 2022

migrated to centreon/centreon#138

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@callapa callapa callapa requested changes

@dmyios dmyios dmyios approved these changes

@a-launois a-launois Awaiting requested review from a-launois

At least 2 approving reviews are required to merge this pull request.

Assignees

@emabassi-ext emabassi-ext

Labels
area/backend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@emabassi-ext @kduret @callapa @dmyios