Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
portus.5728
bsc_1059664.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bsc_1059664.patch of Package portus.5728
From c21dfec24cfcf93f0ac06c1b9a08afad1824e41f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miquel=20Sabat=C3=A9=20Sol=C3=A0?= <msabate@suse.com> Date: Tue, 19 Sep 2017 16:56:44 +0200 Subject: [PATCH] Mitigate a possible XSS attack on typeahead MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Thanks Ricardo Sánchez for reporting! Signed-off-by: Miquel Sabaté Solà <msabate@suse.com> --- app/controllers/namespaces_controller.rb | 2 +- app/controllers/teams_controller.rb | 4 ++-- spec/controllers/namespaces_controller_spec.rb | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/app/controllers/namespaces_controller.rb b/app/controllers/namespaces_controller.rb index 408d0407..27e56027 100644 --- a/app/controllers/namespaces_controller.rb +++ b/app/controllers/namespaces_controller.rb @@ -76,7 +76,7 @@ def typeahead @query = params[:query] valid_teams = TeamUser.get_valid_team_ids(current_user.id) matches = Team.search_from_query(valid_teams, "#{@query}%").pluck(:name) - matches = matches.map { |team| { name: team } } + matches = matches.map { |team| { name: ActionController::Base.helpers.sanitize(team) } } respond_to do |format| format.json { render json: matches.to_json } end diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb index b3c24ae4..0471afbd 100644 --- a/app/controllers/teams_controller.rb +++ b/app/controllers/teams_controller.rb @@ -50,7 +50,7 @@ def typeahead authorize @team @query = params[:query] matches = User.search_from_query(@team.member_ids, "#{@query}%").pluck(:username) - matches = matches.map { |user| { name: user } } + matches = matches.map { |user| { name: ActionController::Base.helpers.sanitize(user) } } respond_to do |format| format.json { render json: matches.to_json } end @@ -60,7 +60,7 @@ def typeahead def all_with_query query = "#{params[:query]}%" teams = policy_scope(Team).where("name LIKE ?", query).pluck(:name) - matches = teams.map { |t| { name: t } } + matches = teams.map { |t| { name: ActionController::Base.helpers.sanitize(t) } } respond_to do |format| format.json { render json: matches.to_json } end diff --git a/spec/controllers/namespaces_controller_spec.rb b/spec/controllers/namespaces_controller_spec.rb index 811ddec5..39de7bbd 100644 --- a/spec/controllers/namespaces_controller_spec.rb +++ b/spec/controllers/namespaces_controller_spec.rb @@ -349,6 +349,7 @@ describe "typeahead" do render_views + it "does allow to search for valid teams by owner" do testing_team = create(:team, name: "testing", owners: [owner]) sign_in owner @@ -367,6 +368,17 @@ teamnames = JSON.parse(response.body) expect(teamnames.length).to eq(0) end + + it "prevents XSS attacks" do + create(:team, name: "<script>alert(1)</script>", owners: [owner]) + + sign_in owner + get :typeahead, query: "<", format: "json" + expect(response.status).to eq(200) + teamnames = JSON.parse(response.body) + + expect(teamnames[0]["name"]).to eq("alert(1)") + end end describe "activity tracking" do
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor