
properly escape session and acl data in UI (#2456)
* update libv8 gem to something that compiles

* properly escape session and acl data in UI

fixes an XSS vulnerability caused by the sessionName, sessionMeta, and aclName helpers wrapping unescaped data in Handlebars.SafeStrings
markupboy authored and slackpad committed Nov 1, 2016
1 parent d58d234 commit 1e179b7
Showing 2 changed files with 9 additions and 6 deletions.
5 changes: 4 additions & 1 deletion Gemfile.lock
Expand Up @@ -3,7 +3,7 @@ GEM
specs:
execjs (2.3.0)
json (1.8.2)
libv8 (3.16.14.7)
libv8 (3.16.14.15)
ref (1.0.5)
sass (3.4.11)
therubyracer (0.12.1)
Expand All @@ -20,3 +20,6 @@ DEPENDENCIES
sass
therubyracer
uglifier

BUNDLED WITH
1.12.5
10 changes: 5 additions & 5 deletions javascripts/app/helpers.js
Expand Up @@ -24,19 +24,19 @@ Ember.Handlebars.helper('sessionName', function(session) {
var name;

if (session.Name === "") {
name = '<span>' + session.ID + '</span>';
name = '<span>' + Handlebars.Utils.escapeExpression(session.ID) + '</span>';
} else {
name = '<span>' + session.Name + '</span>' + ' <small>' + session.ID + '</small>';
name = '<span>' + Handlebars.Utils.escapeExpression(session.Name) + '</span>' + ' <small>' + Handlebars.Utils.escapeExpression(session.ID) + '</small>';
}

return new Handlebars.SafeString(name);
});

Ember.Handlebars.helper('sessionMeta', function(session) {
var meta = '<div class="metadata">' + session.Behavior + ' behavior</div>';
var meta = '<div class="metadata">' + Handlebars.Utils.escapeExpression(session.Behavior) + ' behavior</div>';

if (session.TTL !== "") {
meta = meta + '<div class="metadata">, ' + session.TTL + ' TTL</div>';
meta = meta + '<div class="metadata">, ' + Handlebars.Utils.escapeExpression(session.TTL) + ' TTL</div>';
}

return new Handlebars.SafeString(meta);
Expand All @@ -46,7 +46,7 @@ Ember.Handlebars.helper('aclName', function(name, id) {
if (name === "") {
return id;
} else {
return new Handlebars.SafeString(name + ' <small class="pull-right no-case">' + id + '</small>');
return new Handlebars.SafeString(Handlebars.Utils.escapeExpression(name) + ' <small class="pull-right no-case">' + Handlebars.Utils.escapeExpression(id) + '</small>');
}
});
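Review bot: `Handlebars.Utils.escapeExpression` is now written out seven times across the sessionName, sessionMeta and aclName helpers, which pushes the two-field lines of sessionName and aclName far past a readable width; a file-level alias such as `var escapeHtml = Handlebars.Utils.escapeExpression;` near the top of helpers.js would keep each helper readable and make the escaping easy to grep for. A one-line why-comment would also help the next maintainer, e.g. `// Escape by hand: wrapping the result in a SafeString bypasses Handlebars' automatic escaping.`, since the SafeString is the only reason manual escaping is needed here. The empty-name branch of aclName returns `id` unwrapped and so is escaped by Handlebars itself; that asymmetry is correct but easy to "fix" wrongly later, so a short comment on that branch is worth adding. Note that escapeExpression passes SafeString-typed values through untouched, so this relies on session and ACL fields reaching the helpers as plain strings or numbers — presumably true for API data, but worth confirming. The signature line of sessionName and the closing of sessionMeta lie outside the shown hunks.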

