Fixes XSS vulnerabilities (#6831)

* Properly escape log_meta values

* Vue syntax fix to allow npm run dev to work again

* Janky fix for Select2 bug

* Compiled production assets

* Escape user’s last name in API

* Removed duplicate alertClass

* Compiled production assets
This commit is contained in:
snipe 2019-03-18 20:49:32 -07:00 committed by GitHub
parent dec77890bd
commit dee92cfc6c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 32 additions and 11 deletions

View file

@ -26,6 +26,18 @@ class ActionlogsTransformer
if ($actionlog->filename!='') { if ($actionlog->filename!='') {
$icon = e(\App\Helpers\Helper::filetype_icon($actionlog->filename)); $icon = e(\App\Helpers\Helper::filetype_icon($actionlog->filename));
} }
// This is necessary since we can't escape special characters within a JSON object
if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
$meta_array = json_decode($actionlog->log_meta);
foreach ($meta_array as $key => $value) {
foreach ($value as $meta_key => $meta_value) {
$clean_meta[$key][$meta_key] = e($meta_value);
}
}
}
$array = [ $array = [
'id' => (int) $actionlog->id, 'id' => (int) $actionlog->id,
'icon' => $icon, 'icon' => $icon,
@ -64,7 +76,7 @@ class ActionlogsTransformer
'note' => ($actionlog->note) ? e($actionlog->note): null, 'note' => ($actionlog->note) ? e($actionlog->note): null,
'signature_file' => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null, 'signature_file' => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null,
'log_meta' => ($actionlog->log_meta) ? json_decode($actionlog->log_meta): null, 'log_meta' => ((isset($clean_meta)) && (is_array($clean_meta))) ? $clean_meta: null,
]; ];

View file

@ -24,7 +24,7 @@ class UsersTransformer
$array = [ $array = [
'id' => (int) $user->id, 'id' => (int) $user->id,
'avatar' => e($user->present()->gravatar), 'avatar' => e($user->present()->gravatar),
'name' => e($user->first_name).' '.($user->last_name), 'name' => e($user->first_name).' '.e($user->last_name),
'first_name' => e($user->first_name), 'first_name' => e($user->first_name),
'last_name' => e($user->last_name), 'last_name' => e($user->last_name),
'username' => e($user->username), 'username' => e($user->username),

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

BIN
public/js/dist/all.js vendored

Binary file not shown.

View file

@ -1,14 +1,14 @@
{ {
"/js/build/vue.js": "/js/build/vue.js?id=af0a53aa1b89d0e19039", "/js/build/vue.js": "/js/build/vue.js?id=96f90510b797ac27a94b",
"/css/AdminLTE.css": "/css/AdminLTE.css?id=5e72463a66acbcc740d5", "/css/AdminLTE.css": "/css/AdminLTE.css?id=5e72463a66acbcc740d5",
"/css/app.css": "/css/app.css?id=407edb63cc6b6dc62405", "/css/app.css": "/css/app.css?id=407edb63cc6b6dc62405",
"/css/overrides.css": "/css/overrides.css?id=2d81c3704393bac77011", "/css/overrides.css": "/css/overrides.css?id=2d81c3704393bac77011",
"/js/build/vue.js.map": "/js/build/vue.js.map?id=79fce5e6515d8a4cc760", "/js/build/vue.js.map": "/js/build/vue.js.map?id=423f16f63b86abd6b196",
"/css/AdminLTE.css.map": "/css/AdminLTE.css.map?id=0be7790b84909dca6a0a", "/css/AdminLTE.css.map": "/css/AdminLTE.css.map?id=0be7790b84909dca6a0a",
"/css/app.css.map": "/css/app.css.map?id=96b5c985e860716e6a16", "/css/app.css.map": "/css/app.css.map?id=96b5c985e860716e6a16",
"/css/overrides.css.map": "/css/overrides.css.map?id=f7ce9ca49027594ac402", "/css/overrides.css.map": "/css/overrides.css.map?id=f7ce9ca49027594ac402",
"/css/dist/all.css": "/css/dist/all.css?id=98db4e9b7650453c8b00", "/css/dist/all.css": "/css/dist/all.css?id=98db4e9b7650453c8b00",
"/js/dist/all.js": "/js/dist/all.js?id=a3a656ed6316d4c4efe7", "/js/dist/all.js": "/js/dist/all.js?id=114f1025a1b3e8975476",
"/css/build/all.css": "/css/build/all.css?id=98db4e9b7650453c8b00", "/css/build/all.css": "/css/build/all.css?id=98db4e9b7650453c8b00",
"/js/build/all.js": "/js/build/all.js?id=a3a656ed6316d4c4efe7" "/js/build/all.js": "/js/build/all.js?id=114f1025a1b3e8975476"
} }

View file

@ -40,9 +40,8 @@ tr {
</div> </div>
</div> </div>
</div> </div>
<div class="alert col-md-12" <div class="alert col-md-12" style="text-align:left"
:class="alertClass" :class="alertClass"
style="text-align:left"
v-if="statusText"> v-if="statusText">
{{ this.statusText }} {{ this.statusText }}
</div> </div>
@ -84,7 +83,6 @@ tr {
<div class="alert col-md-12" style="padding-top: 20px;" <div class="alert col-md-12" style="padding-top: 20px;"
:class="alertClass" :class="alertClass"
style="text-align:left"
v-if="statusText"> v-if="statusText">
{{ this.statusText }} {{ this.statusText }}
</div> </div>

View file

@ -260,7 +260,18 @@ $(document).ready(function () {
} }
function formatDataSelection (datalist) { function formatDataSelection (datalist) {
return datalist.text; // This a heinous workaround for a known bug in Select2.
// Without this, the rich selectlists are vulnerable to XSS.
// Many thanks to @uberbrady for this fix. It ain't pretty,
// but it resolves the issue until Select2 addresses it on their end.
//
// Bug was reported in 2016 :{
// https://github.com/select2/select2/issues/4587
return datalist.text.replace(/>/g, '&gt;')
.replace(/</g, '&lt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#039;');
} }
// This handles the radio button selectors for the checkout-to-foo options // This handles the radio button selectors for the checkout-to-foo options