fix composer saved graphs target escaping #2587
Conversation
This pull request introduces 1 alert and fixes 8 when merging 4c9a083 into 910bdea - view on LGTM.com
8d7f422 to f89c24f
saved graphs targets were html-escaped in the json response
to fix an XSS vulnerability in graphite-project#1662
... but that was not really the right place to escape the graph targets,
it broke targets using quotes: graphite-project#1801 graphite-project#2334
so effectively revert the original fix, and instead html-escape the
targets just before rendering them in the GraphDataWindow Ext.ListView

also skip the `str()` around `graph.url`, it's already a string, in both python2 and python3
f89c24f to 3b566c4
same XSS vulnerability as the composer saved user graphs data view had
3b566c4 to e2433a3
This is done and tested with both python-2.7 and python-3.7. I tested by pasting (and I also tested target expressions with double quotes like Before this branch, pasting the svg-alert expression in either place and hitting enter to finish the edit would immediately cause the popup. In the composer, saving and loading the graph and viewing the data targets would no longer cause the popup, but would mess up the legitimate double quotes in the expression, breaking the graph. In the dashboard, saving and loading the dashboard and viewing the data targets would cause the XSS popup (but expressions with double quotes worked correctly). After this branch, pasting the svg-alert expression and hitting enter to finish the edit no longer causes popups, saving/loading/viewing does not cause popups in either place, and graphs with quotes work correctly. Figuring out the ancient extjs parts was admittedly tricky.
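The escaping placement the PR argues for, as an added example that is not graphite-web's own code: escaping targets inside the saved-graph JSON (the #1662 approach) corrupts the raw expression that the render URL needs, while escaping only when the GraphDataWindow list renders them keeps the expression intact and still neutralizes HTML. All function names and the sample graph are constructed for this illustration.

```javascript
// Added example, not graphite-web code. Contrasts escaping saved-graph targets
// in the JSON response with escaping them only in the HTML list that shows them.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed saved graph: a legitimate target whose alias string uses
// double quotes and angle brackets.
const SAVED_GRAPH = {
  name: "requests",
  target: ['alias(sumSeries(app.*.requests), "total <requests>")'],
};

// Server side. escapeInResponse=true mimics the original #1662 fix.
function savedGraphJson(graph, escapeInResponse) {
  const target = escapeInResponse ? graph.target.map(escapeHtml) : graph.target;
  return JSON.stringify({ name: graph.name, target: target });
}

// Client side: the render URL must carry the raw target expression.
function graphUrl(targets) {
  return "/render/?" + targets.map(t => "target=" + encodeURIComponent(t)).join("&");
}

// Client side: the list rows are the HTML context, so escape here (this PR's approach).
function renderTargetRows(targets) {
  return targets.map(t => "<li>" + escapeHtml(t) + "</li>").join("");
}

// Load a saved graph the way the composer would and report what the browser gets.
function loadSavedGraph(json) {
  const targets = JSON.parse(json).target;
  return { url: graphUrl(targets), html: renderTargetRows(targets) };
}

function compareApproaches() {
  const escapedInJson = loadSavedGraph(savedGraphJson(SAVED_GRAPH, true));
  const escapedAtRender = loadSavedGraph(savedGraphJson(SAVED_GRAPH, false));
  return {
    // "&quot;" leaks into the render URL: the graph target is broken.
    jsonBreaksQuotes: escapedInJson.url.includes(encodeURIComponent("&quot;")),
    // Raw quotes reach the render URL, and the list HTML has no raw tags.
    renderKeepsQuotes: escapedAtRender.url.includes(encodeURIComponent('"total')),
    renderEscapesHtml: !escapedAtRender.html.includes("<requests>"),
  };
}
```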
please take a look @deniszh
Wow, @ploxiln, missed that somehow, sorry! Looks good, awesome job!
If @cbowman0 or others have no objections I'll merge it soon
Looks good
Thanks :)
TODO: `str(thing)` is never the right way :)