
refs #1503 fix reflected xss #1699

Merged
merged 3 commits into from Dec 20, 2018

Conversation

@lbhsot
Contributor

commented Sep 4, 2018

refs #1503: "%20javascrip%0at:alert(/xss/)" will also cause an XSS attack.

Thanks to Omar Eissa from Deloitte Germany, who found this issue.

@lbhsot

Contributor Author

commented Sep 4, 2018

@@ -132,7 +132,8 @@ def prettify_class_name(name):

def is_safe_url(target):
# prevent urls starting with "javascript:"
target = target.strip()
_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
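Review bot: `_substitute_whitespace` is compiled inside is_safe_url() on every call; move it to module level next to VALID_SCHEMES so the set of stripped characters is a documented constant and the function body stays a plain sequence of normalization steps. Once the pattern is applied with an empty replacement, the preceding `target.strip()` becomes redundant, since the class already covers leading and trailing whitespace; either drop it or comment that it is intentional.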

@fantix

fantix Sep 4, 2018

Contributor

_substitute_whitespace would be better as a const.

@mrjoes

mrjoes Sep 4, 2018

Member

Agree here - please change it to const and I'll merge ASAP.

@fantix

Contributor

commented Sep 5, 2018

@lbhsot

Contributor Author

commented Sep 5, 2018

Done. Thanks for reviewing the PR. @fantix @mrjoes

@lbhsot lbhsot force-pushed the lbhsot:master branch from a2af2d2 to 75e51eb Sep 5, 2018

fantix and others added some commits Sep 5, 2018

Merge pull request #1 from fantix/slash_fix
Fix multiple slashes
@xqliu

Contributor

commented Sep 17, 2018

Dear @fantix @mrjoes,

Is it possible that this could be merged and a new version released for this XSS fix?

Thanks :)

# prevent urls like "\\www.google.com"
# some browser will change \\ to // (eg: Chrome)
# refs https://stackoverflow.com/questions/10438008
target = target.replace('\\', '/')
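Review bot: the comment above `target.replace('\\', '/')` reads as if only a doubled backslash were handled, which is exactly the confusion raised in the thread; reword it to "replace every backslash with a forward slash, because Chrome treats \host like //host" and add a test with a single leading backslash as well as two. Also make sure this replacement runs before `_fix_multiple_slashes` is applied, otherwise a target written with four backslashes becomes `////host` only after the slash regex has already run and is never reduced to `//host`.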

@petrus-jvrensburg

petrus-jvrensburg Sep 26, 2018

Contributor

is there a reason why you're only matching against double slashes, and not doing target.replace('\', '/')?

@jhatch28

jhatch28 Oct 2, 2018

This matches one slash. Your comment is a syntax error because the first slash escapes the second one. You can't put a \ before a quote at the end of a string literal in Python. Try this:
print('\\')

@petrus-jvrensburg

petrus-jvrensburg Oct 5, 2018

Contributor

Aah, yes, of course. Thanks @jhatch28

@@ -9,6 +9,8 @@


VALID_SCHEMES = ['http', 'https']
_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
_fix_multiple_slashes = compile(r'(^([^/]+:)?//)/*').sub
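Review bot: `_fix_multiple_slashes` needs a comment stating what it normalizes, for example "collapse the run of slashes directly after the optional scheme to exactly two: `http:////host` becomes `http://host`, `////host` becomes `//host`", plus a test for each form, because urlparse reports an empty netloc for `////host` and such a target would otherwise be treated as same-host while the browser resolves it to another origin. Note also that `([^/]+:)?` accepts any characters before the colon, so the collapse applies to arbitrary schemes; that is the conservative behaviour wanted here, but worth saying in the comment.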

@petrus-jvrensburg

petrus-jvrensburg Sep 26, 2018

Contributor

please add a comment to make it easier to follow the logic of the regex here

@@ -9,6 +9,8 @@


VALID_SCHEMES = ['http', 'https']
_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
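Review bot: the character class `[\s\x00-\x08\x0B\x0C\x0E-\x19]` overlaps with itself (\x0B and \x0C are already matched by \s) and stops at \x19, leaving \x1A-\x1F untouched; state in a comment which set of characters is intended and why, and back each group (space and \s whitespace, \x00-\x08, \x0E-\x19) with its own test case as requested in the review, rather than relying on the single ' javascript:' test.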

@petrus-jvrensburg

petrus-jvrensburg Sep 26, 2018

Contributor

Are there tests for all these specific ASCII characters that we are matching against? The only whitespace that I see in the tests is in assert not helpers.is_safe_url(' javascript:alert(document.domain)'), and for that use case a simple replace(' ', '') would do the job.

Please either expand the tests, or simplify the logic.

@petrus-jvrensburg

petrus-jvrensburg Sep 26, 2018

Contributor

P.S. when checking for control characters, wouldn't it be simpler to do it in the same way as it's done in Django by checking unicodedata.category (see https://github.com/django/django/blob/550cb3a365dee4edfdd1563224d5304de2a57fda/django/utils/http.py#L364)?
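As an added example (not the project's own helpers.py), here is a self-contained version of the normalize-then-compare approach debated above, with the Django-style control-character check from the review alongside it; the host URL is a constructed stand-in for Flask's request.host_url, and the cases are the URL-decoded form of the PR's payload plus the backslash and multiple-slash variants from the thread.

```python
import re
import unicodedata
from urllib.parse import unquote, urljoin, urlparse

VALID_SCHEMES = ['http', 'https']

# Whitespace plus the C0 controls browsers drop while reading a scheme, so
# "javascrip\nt:" still turns into "javascript:" (pattern as in the PR).
_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub

# Collapse the slash run after an optional scheme to exactly "//", so that
# "////host" and "http:////host" expose "host" as the netloc to urlparse.
_fix_multiple_slashes = re.compile(r'(^([^/]+:)?//)/*').sub


def is_safe_url(target, host_url='http://example.com/'):
    """Allow a redirect only if it stays on host_url's origin."""
    # host_url is a constructed stand-in for Flask's request.host_url.
    target = _substitute_whitespace('', target.strip())
    # Chrome reads "\\host" as "//host": normalize before collapsing slashes.
    target = target.replace('\\', '/')
    target = _fix_multiple_slashes(r'\1', target)
    ref_url = urlparse(host_url)
    test_url = urlparse(urljoin(host_url, target))
    return test_url.scheme in VALID_SCHEMES and ref_url.netloc == test_url.netloc


def has_control_chars(target):
    """Django-style alternative from the review: reject instead of strip
    any character in Unicode general category 'C' (controls, formats)."""
    return any(unicodedata.category(ch)[0] == 'C' for ch in target)


# Constructed cases: the PR's payload (URL-decoded, as a browser would send
# it) plus the backslash and multiple-slash variants discussed in review.
CASES = {
    '/admin/': True,
    'http://example.com/admin/': True,
    unquote('%20javascrip%0at:alert(/xss/)'): False,
    '\\\\www.google.com': False,
    '////www.google.com': False,
    'https://evil.example/': False,
}

if __name__ == '__main__':
    for url, expected in CASES.items():
        assert is_safe_url(url) is expected, repr(url)
    print('all', len(CASES), 'redirect targets classified as expected')
```

Without the slash collapse, '////www.google.com' is reported by urlparse as a same-host path and would be accepted, which is the gap the review asks to document and test.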

@fantix

Contributor

commented Oct 23, 2018

@lbhsot please update, thanks!

diegodelemos added a commit to diegodelemos/cookiecutter-invenio-instance that referenced this pull request Nov 7, 2018

tests: skip Flask-Admin check until issue solved
* Disables Flask-Admin vulnerability 36437 check, to be removed when
  flask-admin/flask-admin#1699 is merged and
  released (Flask-Admin 1.5.3).

diegodelemos added a commit to inveniosoftware/cookiecutter-invenio-instance that referenced this pull request Nov 7, 2018

tests: skip Flask-Admin check until issue solved
* Disables Flask-Admin vulnerability 36437 check, to be removed when
  flask-admin/flask-admin#1699 is merged and
  released (Flask-Admin 1.5.3).
@m-butterfield


commented Nov 13, 2018

@lbhsot Will this be updated and merged anytime soon?

@slint


commented Nov 22, 2018

FYI, when you have the latest version of flask-admin installed and run pipenv check (which uses pyup), you get something like:

$ pipenv check
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
36437: flask-admin <=1.5.2 resolved (1.5.2 installed)!
helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL.
see https://github.com/flask-admin/flask-admin/pull/1699

In which case, if this is part of your tests/CI, you'll have to run pipenv check --ignore 36437

@ye


commented Dec 3, 2018

The last commit in this PR was in September. It's now December. Any updates on this PR? If for whatever reason the original author of the PR cannot update the PR to address new code review comments, can someone else step in to finish the job?

FYI, every day Flask-Admin is left unpatched is a day hundreds of thousands of Flask-Admin sites are vulnerable to this XSS attack!

@mrjoes mrjoes merged commit 8af10e0 into flask-admin:master Dec 20, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@Lewiscowles1986


commented Jan 7, 2019

Can this be tagged for release please?

@amahlaka


commented Jan 16, 2019

Well, GitHub is now showing a big warning banner due to this vulnerability; it would be really good to get this fix released.

@olorton


commented Jan 21, 2019

@Lewiscowles1986 @amahlaka The tagged release for this is v1.5.3 - see pypi.org/project/Flask-Admin/

@mrjoes

Member

commented Jan 22, 2019

I'm a little lost here. The fix went live Dec 19, 2018. I don't see the GitHub banner either.

@amahlaka


commented Jan 22, 2019

nvm, it turns out that the GitHub banner thing was panicking because of an old requirements file that was just in a deprecated folder.
