-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RA-1875: EMPT110 Fixed XSS Vulnerability in AppId field on User App Page #89
Conversation
@@ -52,27 +53,28 @@ public void get(PageModel model, @RequestParam(value = "appId", required = false | |||
public String post(PageModel model, @ModelAttribute(value = "appId") @BindParams UserApp userApp, | |||
@RequestParam("action") String action, | |||
@SpringBean("appFrameworkService") AppFrameworkService service, HttpSession session, UiUtils ui) { | |||
|
|||
|
|||
String htmlSafeAppId = StringEscapeUtils.escapeHtml(userApp.getAppId()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! cc @isears
try { | ||
AppDescriptor descriptor = mapper.readValue(userApp.getJson(), AppDescriptor.class); | ||
if (!userApp.getAppId().equals(descriptor.getId())) { | ||
if (!htmlSafeAppId.equals(descriptor.getId())) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is using the htmlSafeAppId
here instead of the real appId strictly necessary to prevent XSS? (also on line 63)
If not, let's just use the real unescaped appId and only use the html-escaped app-id when it gets displayed in UI messages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@isears I have restricted encoding of appId to just when error messages are displayed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great thanks for the update @The-Lady !
Description of What I Changed
I encoded the AppId (entered by the user via AppId field) before it is referenced for further processing to prevent any XSS attacks.
Issue I Worked On
A script or an iframe could be injected in the AppId field while adding app definition. I encoded the AppId in the controller file before it was referenced for usage to prevent any XSS.
Steps to reproduce the vulnerability:
</script><script>alert('XSS');</script>
.Output: A dialog box pops up with 'XSS' written on it.
Link to ticket
RA-1875
@isears