XSS/Input and request params validation #792

Closed
gitblit opened this issue Aug 12, 2015 · 3 comments

gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 496

Description:
    GitBlit is not validating or cleaning the input via request parameters.
Steps to reproduce the problem:
1.  Open Firefox (Chrome and IE block most XSS)
2.  Login to GitBlit
3.  Paste the following url into gitblit (filling in the server and repository info):
    https://<server>/history/?r=<repository>&h=refs/heads/master<script>alert(“hi”)</script>
    https://<server>/log/?r=<repository>&h=refs/heads/master<script>alert(“hi”)</script>
6.  Observe the javascript alert
Expected Output:
    An error message stating the input was invalid.
Actual Output:
    The execution of the javascript alert injected with the h parameter
Environment:
    Gitblit Version 1.6.0 running on rhel 6 / tomcat 7 / apache httpd 2.2 with proxy ajp

Reported by 1988porsche944 on 2014-09-05 13:45:05

gitblit commented Aug 12, 2015

I have a preliminary fix for this, but I'm still considering if I am taking the right
approach.

Reported by James.Moger on 2014-09-05 23:24:08

gitblit commented Aug 12, 2015

An XSS filter based on JSoup has been merged to master & develop.

This filter will strip out all html elements for url parameters and any non-whitelisted
HTML elements from form inputs, markup docs, and optionally commit messages.  The whitelist
is based in part on stock JSoup and GitHub's documented html sanitizer.

Reported by James.Moger on 2014-09-07 16:59:27

  • Status changed: Queued
  • Labels added: Milestone-1.6.1
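
The two-tier filtering described in the comment above, as an added example that is not Gitblit's code or part of the original thread. It assumes a current jsoup release on the classpath, uses jsoup's stock `relaxed` allowlist as a stand-in for the project's own, and the class and method names are hypothetical.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist; // called Whitelist in jsoup releases before 1.14.2

// Hypothetical class and method names; this is not Gitblit's filter.
public class XssFilterSketch {

    // Assumed allowlist for rich-text inputs: jsoup's stock "relaxed" set.
    private static final Safelist RICH_TEXT = Safelist.relaxed();

    // URL parameters (such as r and h) never need markup: strip every element.
    static String cleanUrlParam(String value) {
        return value == null ? null : Jsoup.clean(value, Safelist.none());
    }

    // Form inputs and markup docs: keep allowlisted elements and attributes,
    // drop everything else (script elements, event-handler attributes, ...).
    static String cleanRichText(String html) {
        return html == null ? null : Jsoup.clean(html, RICH_TEXT);
    }

    // Alternative matching the report's "Expected Output": reject rather than
    // repair, so the caller can answer with an "invalid input" error.
    static boolean isMarkupFree(String value) {
        return value == null || Jsoup.isValid(value, Safelist.none());
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the h parameter from the report.
        String h = "refs/heads/master<script>alert(\"hi\")</script>";
        String comment = "<b>release notes</b><p onclick=\"alert('hi')\">text</p>";

        System.out.println("h accepted as-is?   " + isMarkupFree(h));
        System.out.println("h after cleaning:   " + cleanUrlParam(h));
        System.out.println("form input cleaned: " + cleanRichText(comment));
    }
}
```

A cleaned value is HTML text, so characters such as `&` come back entity-escaped; code that uses the parameter as a ref name rather than rendering it has to account for that.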

gitblit commented Aug 12, 2015

v1.6.1 released

Reported by James.Moger on 2014-10-20 21:36:03

  • Status changed: Done

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix modified the milestone: 1.6.1 Dec 13, 2016