Fixes #25169 - fix xss on pages with breadcrumbs

(cherry picked from commit 3a0c10c)
theforeman · Nov 5, 2018 · bd57e02 · bd57e02
1 parent 8b3afc3
commit bd57e02
Show file tree

Hide file tree

Showing 21 changed files with 145 additions and 53 deletions.
diff --git a/app/assets/javascripts/host_edit_interfaces.js b/app/assets/javascripts/host_edit_interfaces.js
@@ -317,12 +317,12 @@ $(document).on('change', '.virtual', function () {
 function update_fqdn() {
   var host_name = $('#host_name').val();
   var domain_name = primary_nic_form().find('.interface_domain option:selected').text();
-
+  var pathname = window.location.pathname;
   var name = fqdn(host_name, domain_name)
-  if (name.length > 0)
-    name = "| " + name
-
-  $('#hostFQDN').text(name);
+  if (name.length > 0 && pathname === '/hosts/new') {
+    name = __("Create Host") + " | " + name
+    tfm.breadcrumbs.updateTitle(name);
+  }
 }
 
 $(document).on('change', '.interface_mac', function (event) {

diff --git a/app/helpers/hosts_helper.rb b/app/helpers/hosts_helper.rb
@@ -67,11 +67,6 @@ def host_taxonomy_select(f, taxonomy)
             select_opts, html_opts
   end
 
-  def new_host_title
-    t = _("Create Host")
-    title(t, (t + ' <span id="hostFQDN"></span>').html_safe)
-  end
-
   def flags_for_nic(nic)
     flags = ""
     flags += "<i class=\"nic-flag glyphicon glyphicon glyphicon-tag\" title=\"#{_('Primary')}\"></i>" if nic.primary?

diff --git a/app/helpers/layout_helper.rb b/app/helpers/layout_helper.rb
@@ -1,7 +1,7 @@
 module LayoutHelper
   def title(page_title, page_header = nil)
     content_for(:title, page_title.to_s)
-    @page_header ||= page_header || @content_for_title || page_title.to_s
+    @page_header ||= page_header || page_title.to_s
   end
 
   def title_actions(*elements)

diff --git a/app/helpers/operatingsystems_helper.rb b/app/helpers/operatingsystems_helper.rb
@@ -44,6 +44,7 @@ def icon(record, opts = {})
                return "" if record.family.blank?
                record.family
              end
+    return image_path(family + ".png") if opts[:path]
 
     image_tag(family + ".png", opts) + " "
   end

diff --git a/app/views/hosts/new.html.erb b/app/views/hosts/new.html.erb
@@ -1,3 +1,2 @@
-<% new_host_title %>
-
+<% title _("Create Host") %>
 <%= render :partial => 'form' %>
diff --git a/app/views/hosts/show.html.erb b/app/views/hosts/show.html.erb
@@ -1,5 +1,5 @@
 <% javascript 'charts', 'hosts' %>
-<% title @host.to_label, icon(@host.operatingsystem) + @host.to_label %>
+<% title @host.to_label, text: @host.to_label, icon: icon(@host.operatingsystem, path: true) %>
 <% host_breadcrumb %>
 <%= host_title_actions(@host) %>
 <% content_for(:search_bar) {reports_show} %>

diff --git a/test/integration/host_js_test.rb b/test/integration/host_js_test.rb
@@ -596,7 +596,6 @@ class HostJSTest < IntegrationTestWithJavascript
         modal.find(:button, "Ok").click
 
         assert table.find('td.fqdn').has_content?('name.' + domain.name)
-        assert page.find('#hostFQDN').has_content?('| name.' + domain.name)
 
         click_link('host_tab')
         assert_equal 'name', page.find('#host_name', :visible => false).value

diff --git a/webpack/assets/javascripts/bundle.js b/webpack/assets/javascripts/bundle.js
@@ -36,4 +36,5 @@ window.tfm = Object.assign(window.tfm || {}, {
   editor: require('./foreman_editor'),
   nav: require('./foreman_navigation'),
   medium: require('./foreman_medium'),
+  breadcrumbs: require('./foreman_breadcrumbs'),
 });
diff --git a/webpack/assets/javascripts/foreman_breadcrumbs.js b/webpack/assets/javascripts/foreman_breadcrumbs.js
@@ -0,0 +1,6 @@
+import store from './react_app/redux';
+
+import { updateBreadcrumbTitle } from './react_app/components/BreadcrumbBar/BreadcrumbBarActions';
+
+export const updateTitle = title =>
+  store.dispatch(updateBreadcrumbTitle(title));
diff --git a/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBar.fixtures.js b/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBar.fixtures.js
@@ -24,6 +24,20 @@ export const breadcrumbTitleItems = {
   ],
 };
 
+
+export const breadcrumbsWithReplacementTitle = {
+  titleReplacement: 'override title',
+  items: [
+    {
+      caption: 'root',
+      url: '/some-url',
+    },
+    {
+      caption: 'active child',
+    },
+  ],
+};
+
 export const resource = {
   resourceUrl: 'some/url',
   nameField: 'name',

diff --git a/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBar.js b/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBar.js
@@ -21,7 +21,9 @@ class BreadcrumbBar extends React.Component {
 
   render() {
     const {
-      data: { breadcrumbItems, isSwitchable, resource },
+      data: {
+        breadcrumbItems, isSwitchable, resource,
+      },
       currentPage,
       totalPages,
       resourceSwitcherItems,
@@ -35,6 +37,7 @@ class BreadcrumbBar extends React.Component {
       removeSearchQuery,
       searchDebounceTimeout,
       onSwitcherItemClick,
+      titleReplacement,
     } = this.props;
 
     const isTitle = breadcrumbItems.length === 1;
@@ -50,7 +53,12 @@ class BreadcrumbBar extends React.Component {
 
     return (
       <div className="breadcrumb-bar">
-        <Breadcrumb title items={breadcrumbItems} isTitle={isTitle}>
+        <Breadcrumb
+          title
+          items={breadcrumbItems}
+          isTitle={isTitle}
+          titleReplacement={titleReplacement}
+        >
           {isSwitchable && (
             <BreadcrumbSwitcher
               open={isSwitcherOpen}
@@ -106,6 +114,7 @@ BreadcrumbBar.propTypes = {
   loadSwitcherResourcesByResource: PropTypes.func,
   onSearchChange: PropTypes.func,
   onSwitcherItemClick: PropTypes.func,
+  titleReplacement: PropTypes.string,
 };
 
 BreadcrumbBar.defaultProps = {
@@ -126,6 +135,7 @@ BreadcrumbBar.defaultProps = {
   onSearchChange: noop,
   searchDebounceTimeout: 300,
   onSwitcherItemClick: noop,
+  titleReplacement: null,
 };
 
 export default BreadcrumbBar;
diff --git a/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBarActions.js b/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBarActions.js
@@ -8,6 +8,7 @@ import {
   BREADCRUMB_BAR_RESOURCES_SUCCESS,
   BREADCRUMB_BAR_RESOURCES_FAILURE,
   BREADCRUMB_BAR_CLEAR_SEARCH,
+  BREADCRUMB_BAR_UPDATE_TITLE,
 } from './BreadcrumbBarConstants';
 
 export const toggleSwitcher = () => ({
@@ -25,6 +26,12 @@ export const removeSearchQuery = resource => (dispatch) => {
   loadSwitcherResourcesByResource(resource)(dispatch);
 };
 
+export const updateBreadcrumbTitle = title =>
+  ({
+    type: BREADCRUMB_BAR_UPDATE_TITLE,
+    payload: title,
+  });
+
 export const loadSwitcherResourcesByResource = (resource, { page = 1, searchQuery = '' } = {}) => (dispatch) => {
   const { resourceUrl, nameField, switcherItemUrl } = resource;
   const options = { page, searchQuery };

diff --git a/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBarConstants.js b/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBarConstants.js
@@ -4,4 +4,5 @@ export const BREADCRUMB_BAR_RESOURCES_REQUEST = 'BREADCRUMB_BAR_RESOURCES_REQUES
 export const BREADCRUMB_BAR_RESOURCES_SUCCESS = 'BREADCRUMB_BAR_RESOURCES_SUCCESS';
 export const BREADCRUMB_BAR_RESOURCES_FAILURE = 'BREADCRUMB_BAR_RESOURCES_FAILURE';
 export const BREADCRUMB_BAR_CLEAR_SEARCH = 'BREADCRUMB_BAR_DELETE_SEARCH';
+export const BREADCRUMB_BAR_UPDATE_TITLE = 'BREADCRUMB_BAR_UPDATE_TITLE';
 
diff --git a/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBarReducer.js b/webpack/assets/javascripts/react_app/components/BreadcrumbBar/BreadcrumbBarReducer.js
@@ -7,6 +7,7 @@ import {
   BREADCRUMB_BAR_RESOURCES_SUCCESS,
   BREADCRUMB_BAR_RESOURCES_FAILURE,
   BREADCRUMB_BAR_CLEAR_SEARCH,
+  BREADCRUMB_BAR_UPDATE_TITLE,
 } from './BreadcrumbBarConstants';
 
 const initialState = Immutable({
@@ -18,6 +19,7 @@ const initialState = Immutable({
   currentPage: null,
   searchQuery: '',
   pages: null,
+  titleReplacement: null,
 });
 
 export default (state = initialState, action) => {
@@ -27,6 +29,9 @@ export default (state = initialState, action) => {
     case BREADCRUMB_BAR_CLEAR_SEARCH:
       return state.set('searchQuery', '');
 
+    case BREADCRUMB_BAR_UPDATE_TITLE:
+      return state.set('titleReplacement', payload);
+
     case BREADCRUMB_BAR_RESOURCES_REQUEST:
       return state
         .set('resourceSwitcherItems', [])

diff --git a/...pts/react_app/components/BreadcrumbBar/__tests__/__snapshots__/BreadcrumbBar.test.js.snap b/...pts/react_app/components/BreadcrumbBar/__tests__/__snapshots__/BreadcrumbBar.test.js.snap
@@ -22,6 +22,7 @@ exports[`BreadcrumbBar rendering renders breadcrumb-bar 1`] = `
       ]
     }
     title={true}
+    titleReplacement={null}
   />
   <hr
     className="breadcrumb-line"
@@ -51,6 +52,7 @@ exports[`BreadcrumbBar rendering renders switchable breadcrumb-bar 1`] = `
       ]
     }
     title={true}
+    titleReplacement={null}
   >
     <BreadcrumbSwitcher
       currentPage={null}

diff --git a/...ct_app/components/BreadcrumbBar/__tests__/__snapshots__/BreadcrumbBarReducer.test.js.snap b/...ct_app/components/BreadcrumbBar/__tests__/__snapshots__/BreadcrumbBarReducer.test.js.snap
@@ -10,6 +10,7 @@ Object {
   "resourceSwitcherItems": Array [],
   "resourceUrl": null,
   "searchQuery": "",
+  "titleReplacement": null,
 }
 `;
 
@@ -23,6 +24,7 @@ Object {
   "resourceSwitcherItems": Array [],
   "resourceUrl": "some/url",
   "searchQuery": "",
+  "titleReplacement": null,
 }
 `;
 
@@ -36,6 +38,7 @@ Object {
   "resourceSwitcherItems": Array [],
   "resourceUrl": "some/url",
   "searchQuery": undefined,
+  "titleReplacement": null,
 }
 `;
 
@@ -49,6 +52,7 @@ Object {
   "resourceSwitcherItems": Array [],
   "resourceUrl": "some/url",
   "searchQuery": "some search",
+  "titleReplacement": null,
 }
 `;
 
@@ -90,6 +94,7 @@ Object {
   ],
   "resourceUrl": "some/url",
   "searchQuery": "",
+  "titleReplacement": null,
 }
 `;
 
@@ -103,6 +108,7 @@ Object {
   "resourceSwitcherItems": Array [],
   "resourceUrl": null,
   "searchQuery": "",
+  "titleReplacement": null,
 }
 `;
 
@@ -116,5 +122,6 @@ Object {
   "resourceSwitcherItems": Array [],
   "resourceUrl": null,
   "searchQuery": "",
+  "titleReplacement": null,
 }
 `;
diff --git a/...ripts/react_app/components/BreadcrumbBar/__tests__/__snapshots__/integration.test.js.snap b/...ripts/react_app/components/BreadcrumbBar/__tests__/__snapshots__/integration.test.js.snap
@@ -11,6 +11,7 @@ Object {
     "resourceSwitcherItems": Array [],
     "resourceUrl": null,
     "searchQuery": "",
+    "titleReplacement": null,
   },
 }
 `;
@@ -72,6 +73,7 @@ Object {
       ],
       "resourceUrl": "some/url",
       "searchQuery": "",
+      "titleReplacement": null,
     },
   },
 }
@@ -134,6 +136,7 @@ Object {
       ],
       "resourceUrl": "some/url",
       "searchQuery": "",
+      "titleReplacement": null,
     },
   },
 }
@@ -196,6 +199,7 @@ Object {
       ],
       "resourceUrl": "some/url",
       "searchQuery": "text",
+      "titleReplacement": null,
     },
   },
 }
@@ -258,6 +262,7 @@ Object {
       ],
       "resourceUrl": "some/url",
       "searchQuery": "",
+      "titleReplacement": null,
     },
   },
 }
@@ -298,6 +303,7 @@ Object {
       ],
       "resourceUrl": "some/url",
       "searchQuery": "",
+      "titleReplacement": null,
     },
   },
 }
@@ -329,6 +335,7 @@ Object {
       "resourceSwitcherItems": Array [],
       "resourceUrl": "some/url",
       "searchQuery": "",
+      "titleReplacement": null,
     },
   },
 }
@@ -391,6 +398,7 @@ Object {
       ],
       "resourceUrl": "some/url",
       "searchQuery": "",
+      "titleReplacement": null,
     },
   },
 }