fix XSS vulnerabilities in dashboard links #11813
37f69b1 to 76f92ac
Hello, good to see a PR. I found this vulnerability when I typed XSS in the Drilldown / detail link in the title field. After filling in the title field the dashboard field was automatically filled with the same value (XSS). When adding the detail link and hovering over the information icon, the XSS was also executed.

@1Jesper1 so could you confirm this PR fixes it?
Yes, this PR fixes it.
Code looks good and it fixes XSS problems with link titles and tooltips.
It would be nice to have some XSS tests for the link_srv though.
I tried and added javascript:alert('XSS') to the url (for absolute URLs) and clicking such a link executes the javascript. Don't know if we should create a separate issue for that or try to solve it in this. What do you think?
I think we can cover several XSS issues by this PR.

* grafana/master:
  * Templating : return __empty__ value when all values return nothing to prevent elasticsearch syntax error (grafana#9701)
  * http_server: All files in public/build have now a huge max-age (grafana#11536)
  * fix: ldap unit test only error log when err is not nil
  * rename alerting engine to service
  * case-insensitive LDAP group comparison (grafana#9926)
  * changelog: add notes about closing grafana#11813
  * docs: updated changelog
  * fix XSS vulnerabilities in dashboard links (grafana#11813)
  * PR: ux changes to grafana#11528
  * decrease length of auth_id column in user_auth table
  * PR comments
  * Make dashboard JSON editable
Good to see this issue fixed! When will this be rolled out?

@1Jesper1 Currently targeted for the upcoming 5.2 release (no release date yet).
Dropped the whitespace changes for public/test/specs/helpers.js while manually applying the change. Backport of grafana#11813 (cherry picked from commit 00454b3)
The same vulnerability also occurs in the following places:
Also, these vulnerabilities are currently registered as CVEs. How can I get help to fix it?
Thank you!
-----Original Message-----
From: "Marcus Efraimsson"<notifications@github.com>
To: "grafana/grafana"<grafana@noreply.github.com>;
Cc: "noasand"<noasand@naver.com>; "Mention"<mention@noreply.github.com>;
Sent: 2019-01-28 (Mon) 17:58:45
Subject: Re: [grafana/grafana] fix XSS vulnerabilities in dashboard links (#11813)
@noasand for 1) will be fixed in next major release by #4117. 2) and 3) Please open a new issue. Thanks
This PR fixes XSS vulnerabilities in dashboard link components. This happens when you put html with XSS as a link title, like
`<img src='' onerror=alert("XSS") />` in Panel -> General -> Drilldown / detail link -> Title or
Dashboard -> Links -> Tooltip
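The two problems discussed in this thread (HTML in a link title or tooltip being rendered as markup, and a `javascript:` URL being accepted as an absolute link) both come down to how user-controlled strings reach the DOM. The example below is added here for illustration and is not Grafana's own link_srv code; the function names and the link object shape (`title`, `tooltip`, `url`) are assumptions. It shows the unescaped interpolation that produces the bug next to a hardened version that HTML-escapes title and tooltip and allow-lists the URL scheme, using the payloads quoted in this PR as constructed test input.

```javascript
// Added example, not Grafana's code. Function names and the link object
// shape ({ title, tooltip, url }) are assumptions for this illustration.

// The kind of interpolation that causes the bug: user text dropped straight
// into markup, so a title such as <img src='' onerror=alert("XSS") /> is
// parsed as an element with an event handler.
function renderDashboardLinkUnsafe(link) {
  return '<a href="' + link.url + '" title="' + link.tooltip + '">' + link.title + '</a>';
}

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value. Apply it to every user-controlled string that is
// concatenated into markup (or set textContent / the title property instead).
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, function (ch) {
    return map[ch];
  });
}

// Allow-list the scheme of an absolute URL. Relative URLs pass through;
// anything with a scheme other than http(s) (javascript:, data:, vbscript:,
// ...) is replaced by a harmless fragment so the anchor renders but is inert.
function safeHref(url) {
  // Drop ASCII control characters first: browsers ignore them when parsing a
  // scheme, so "java\tscript:" would otherwise slip past a naive prefix check.
  const normalized = String(url).trim().replace(/[\u0000-\u001f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (!m) {
    return normalized; // relative URL such as /d/abc?var=1 or #section
  }
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https' ? normalized : '#';
}

// Hardened rendering: scheme-checked href, escaped title text, escaped
// tooltip inside the title attribute.
function renderDashboardLink(link) {
  const href = escapeHtml(safeHref(link.url));
  const title = escapeHtml(link.title);
  const tooltip = link.tooltip ? ' title="' + escapeHtml(link.tooltip) + '"' : '';
  return '<a href="' + href + '"' + tooltip + '>' + title + '</a>';
}
```

One trade-off worth knowing: the scheme regex treats `localhost:3000/path` as a URL with scheme `localhost` and rejects it, so absolute links must be written with an explicit `http://` or `https://`. Wherever the rendering framework offers a text-binding (`ng-bind`, `textContent`, a React child expression) that is preferable to string concatenation even with escaping in place; `safeHref` is still needed in that case, because escaping does nothing against a `javascript:` scheme.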