Escape HTML characters in ExecutionController.renderOutput #2068

Merged: 6 commits, Sep 12, 2016


@jrunningen

renderOutput was not sanitizing task logs correctly for an HTML view. If
an attacker controlled a node, they could send JavaScript code in the
response, which would be executed in the user's browser upon viewing the
page.

Jeff Runningen and others added some commits Sep 12, 2016

- 4645d08 Jeff Runningen: Escape HTML characters in ExecutionController.renderOutput
  renderOutput was not sanitizing task logs correctly for an HTML view. If
  an attacker controlled a node, they could send JavaScript code in the
  response, which would be executed in the user's browser upon viewing the
  page.
- 22ff42c @gschueler: Add issue template for bug reports/enhancements
@gschueler
Contributor

Thank you. If the log message has no ANSI escapes, it is not being encoded properly.

If there are ANSI escapes, the encoder does escape the characters < and > in the output, using the HTMLElement codec, but that should be replaced with encodeAsHTML.

Note: the "renderOutput" action is used when the "html" or "text" view link is followed from the execution page.

@gschueler
Contributor

Correction: just the "html" view link. The "text" link outputs text/plain content.
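The encoding point made in the comments above (a plain log line was not encoded at all, and a line carrying ANSI escapes only had `<` and `>` replaced rather than being fully HTML-encoded) as an added Python illustration. This is not Rundeck's Groovy code and does not reproduce its encoder; the function names, the `ansi-NN` span classes and the sample log lines are constructed for the example, and ANSI handling is limited to SGR colour sequences mapped to a `<span>`. It also models the "html" versus "text" view links: only the HTML view needs encoding, because text/plain is not parsed as markup by the browser.

```python
import html
import re

# Constructed sample log lines, as a node might return them (not real Rundeck output).
SAMPLE_LOG = [
    "job started",
    "\x1b[31merror:\x1b[0m disk <full>",
    'result: <b title="x">done</b>',
]

# Matches ANSI SGR sequences such as ESC[31m or ESC[0m; the parameter list is digits/semicolons only,
# so anything derived from it is safe to place inside an attribute value.
ANSI_SGR = re.compile(r"\x1b\[([0-9;]*)m")


def escape_lt_gt_only(text):
    """The insufficient approach: only < and > are replaced.
    Quotes and ampersands pass through, so the output is not safe in attribute context."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def render_line_html(line):
    """HTML-encode one log line whether or not it contains ANSI SGR escapes.

    Every text segment goes through html.escape (quotes included), so the
    ANSI branch and the plain branch cannot diverge in how they encode."""
    out = []
    pos = 0
    open_span = False
    for m in ANSI_SGR.finditer(line):
        # Text before this escape sequence is always encoded.
        out.append(html.escape(line[pos:m.start()], quote=True))
        pos = m.end()
        if open_span:
            out.append("</span>")
            open_span = False
        code = m.group(1)
        if code and code != "0":
            # Hypothetical CSS class naming, e.g. ESC[1;31m -> ansi-1-31.
            out.append('<span class="ansi-%s">' % code.replace(";", "-"))
            open_span = True
    # Trailing text after the last escape (or the whole line if there were none).
    out.append(html.escape(line[pos:], quote=True))
    if open_span:
        out.append("</span>")
    return "".join(out)


def render_output_html(lines):
    """Whole log rendered for the 'html' view."""
    return "<pre>" + "\n".join(render_line_html(l) for l in lines) + "</pre>"


def render_output(lines, view):
    """Model of the two view links: 'html' returns encoded markup,
    'text' returns the raw lines as text/plain, which the browser does not interpret as HTML."""
    if view == "html":
        return ("text/html", render_output_html(lines))
    return ("text/plain", "\n".join(lines))


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(render_line_html(line))
    print(render_output(SAMPLE_LOG, "text")[0])
```

Running the block shows the markup in the third sample line arriving in the browser as literal text; the assertion to keep in mind is that the plain line and the ANSI line are encoded by the same `html.escape` call, which is the property the comments ask for when replacing the `<`/`>`-only codec with a full HTML encoder.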

@gschueler gschueler added the bug label Sep 12, 2016
@gschueler gschueler added this to the 2.6.10 milestone Sep 12, 2016
@gschueler gschueler merged commit c2c4d76 into rundeck:master Sep 12, 2016

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)
@gschueler
Contributor

👍
