From 33088b005b9127a9451a147fdb2ab8c287f3ce01 Mon Sep 17 00:00:00 2001 From: miketwc1984 Date: Wed, 5 May 2021 00:13:22 -0400 Subject: [PATCH] xss update --- DockerfileDev | 7 +++++-- htdocs/index-dev.html | 4 ++-- htdocs/js/pages/Base.class.js | 2 +- htdocs/js/pages/admin/APIKeys.js | 2 +- htdocs/js/pages/admin/Activity.js | 2 +- htdocs/js/pages/admin/Categories.js | 2 +- htdocs/js/pages/admin/ConfigKeys.js | 4 ++-- htdocs/js/pages/admin/Users.js | 4 ++-- package-lock.json | 21 ++++++++++++++++++++- package.json | 1 + sample_conf/setup.json | 1 + 11 files changed, 37 insertions(+), 13 deletions(-) diff --git a/DockerfileDev b/DockerfileDev index 23bf082..cb66772 100644 --- a/DockerfileDev +++ b/DockerfileDev @@ -21,11 +21,14 @@ ARG CRONICLE_UID=1007 ARG CRONICLE_GID=1099 RUN addgroup cronicle --gid $CRONICLE_GID && adduser -D -h /opt/cronicle -u $CRONICLE_UID -G cronicle cronicle -COPY . /opt/cronicle -WORKDIR /opt/cronicle ARG echo RUN echo $echo +COPY . /opt/cronicle +WORKDIR /opt/cronicle + RUN npm audit fix --force; npm install +# downgrade chartjs for now +RUN npm i chart.js@2.7.1 RUN node bin/build dist # protect sensitive folders diff --git a/htdocs/index-dev.html b/htdocs/index-dev.html index 6b1ac1c..47b6948 100644 --- a/htdocs/index-dev.html +++ b/htdocs/index-dev.html @@ -23,6 +23,7 @@ + @@ -163,8 +164,7 @@ $.widget("ui.tooltip", $.ui.tooltip, { options: { content: function () { - let title = $(this).prop('title'); - return `${title}`.replace(/script/ig, 'scrpt'); // prevent xss + return filterXSS($(this).prop('title')); } } }); diff --git a/htdocs/js/pages/Base.class.js b/htdocs/js/pages/Base.class.js index ad8a024..3cb0fe5 100644 --- a/htdocs/js/pages/Base.class.js +++ b/htdocs/js/pages/Base.class.js 
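Review bot: `RUN npm i chart.js@2.7.1` installs a version that neither package.json nor package-lock.json in this commit declares, so the image's dependency tree diverges from the lockfile and the downgrade is invisible to anyone auditing the manifests. Combined with the context line `RUN npm audit fix --force; npm install`, which can rewrite dependencies to different major versions at build time and, because of the `;`, continues even when the audit step fails, the image is not reproducible from the repository. Pin the version in package.json (`"chart.js": "2.7.1"`), commit the updated lockfile, and install with `RUN npm ci` so the build reflects the reviewed manifests. The `ARG echo` / `RUN echo $echo` pair now sits before the `COPY`; it looks like a cache-busting hook, and if so a one-line comment saying that would save the next reader a guess.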
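Review bot: `return filterXSS($(this).prop('title'));` runs the tooltip text through the xss library's default whitelist, which still lets a set of HTML tags and attributes through, so markup in a title attribute is rendered as markup rather than shown as text. If tooltip titles are meant to be plain text, the stronger and simpler choice is the entity encoder this same commit uses in the admin pages, `return encode_entities($(this).prop('title'));`, which also needs no extra script on the page. If some tooltips intentionally carry markup, a comment on this line naming which ones and why a whitelist filter is preferred would stop the next reader from "tightening" it. The earlier hunk in this file (`@@ -23,6 +23,7 @@`) adds a line that this rendering has stripped — presumably the script include for xss.min.js — so confirm that include is present and loads before this tooltip override.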
@@ -67,7 +67,7 @@ Class.subclass(Page, "Page.Base", { if (!extra) extra = ''; let icon_class = 'fa fa-clock-o'; if(title.plugin == 'workflow') icon_class = 'fa fa-folder'; - let notes = title.notes ? title.notes : "" + let notes = title.notes ? title.notes.replace(/\"/g, """) : "" if (typeof (title) == 'object') { title = title.title } diff --git a/htdocs/js/pages/admin/APIKeys.js b/htdocs/js/pages/admin/APIKeys.js index 85c3a47..cf0bc8e 100644 --- a/htdocs/js/pages/admin/APIKeys.js +++ b/htdocs/js/pages/admin/APIKeys.js @@ -55,7 +55,7 @@ Class.add( Page.Admin, { ]; return [ '
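Review bot: `title.notes.replace(/\"/g, …)` escapes only double quotes, so `<`, `>`, `&` and single quotes in `title.notes` survive into whatever HTML string the value is later built into; that is enough for a double-quoted attribute only as long as the attribute stays double-quoted and the value never lands in element content. The same commit uses `encode_entities` for the analogous fields in the admin pages, so the consistent and complete form is `let notes = title.notes ? encode_entities(title.notes) : "";` (which also adds the missing terminating semicolon). The replacement string shows as `"""` in this rendering, presumably an HTML entity decoded when the patch was displayed. The function this line belongs to starts and ends outside the hunk, so where `notes` is finally inserted is not visible here.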
' + self.getNiceAPIKey(item, true, col_width) + '
', - '
' + item.key + '
', + '
' + encode_entities(item.key) + '
', item.active ? ' Active' : ' Suspended', self.getNiceUsername(item.username, true, col_width), ''+get_nice_date(item.created, true)+'', diff --git a/htdocs/js/pages/admin/Activity.js b/htdocs/js/pages/admin/Activity.js index c3c6350..5ac4be8 100644 --- a/htdocs/js/pages/admin/Activity.js +++ b/htdocs/js/pages/admin/Activity.js @@ -287,7 +287,7 @@ Class.add( Page.Admin, { var tds = [ '
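Review bot: `encode_entities(item.key)` encodes the key cell, but the neighbouring cells on the same row — `self.getNiceAPIKey(item, true, col_width)` on the line above and `self.getNiceUsername(item.username, true, col_width)` below — are produced by helpers whose escaping is not visible in this hunk, so whether the fields they render are covered cannot be verified here. The same question applies to `getNiceUsername` in the Activity.js and Users.js hunks and `getNiceCategory` in the Categories.js hunk. A short comment at the top of the row builder, e.g. `// free-text cells are passed through encode_entities(); helper methods are expected to encode their own output`, plus a check that those helpers actually do so, would make the intent auditable. The enclosing function starts before the hunk.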
' + get_nice_date_time( item.epoch || 0, false, true ) + '
', '
' + item_type + '
', - '
' + desc + '
', + '
' + filterXSS(desc) + '
', '
' + self.getNiceUsername(item, true) + '
', (item.ip || 'n/a').replace(/^\:\:ffff\:(\d+\.\d+\.\d+\.\d+)$/, '$1'), '
' + actions.join(' | ') + '
' diff --git a/htdocs/js/pages/admin/Categories.js b/htdocs/js/pages/admin/Categories.js index 7cc9c4d..24a253f 100644 --- a/htdocs/js/pages/admin/Categories.js +++ b/htdocs/js/pages/admin/Categories.js @@ -52,7 +52,7 @@ Class.add( Page.Admin, { var tds = [ '
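Review bot: `filterXSS(desc)` covers the description cell, but two other free-text cells on this row are still concatenated raw into the HTML string: `item_type` two lines above (if it is derived from the record rather than a fixed label table) and `(item.ip || 'n/a').replace(...)` two lines below. `item.ip` is whatever the server recorded for the client — the regex even strips an IPv4-mapped IPv6 prefix — so if that value can come from request headers rather than the socket address it deserves the same treatment: `encode_entities((item.ip || 'n/a').replace(/^\:\:ffff\:(\d+\.\d+\.\d+\.\d+)$/, '$1')),`. Using `filterXSS` here while every other page in this commit uses `encode_entities` suggests `desc` is meant to carry markup; if so, a comment such as `// desc contains markup built by this page; whitelist-filter rather than entity-encode` would record that choice, and if not, `encode_entities(desc)` is the safer default. The enclosing function starts before the hunk.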
' + self.getNiceCategory(cat, col_width) + '
', - '
' + (cat.description || '(No description)') + '
', + '
' + encode_entities(cat.description || '(No description)') + '
', num_events ? commify( num_events ) : '(None)', cat.max_children ? commify(cat.max_children) : '(No limit)', actions.join(' | ') diff --git a/htdocs/js/pages/admin/ConfigKeys.js b/htdocs/js/pages/admin/ConfigKeys.js index c62f9ff..015a4e8 100644 --- a/htdocs/js/pages/admin/ConfigKeys.js +++ b/htdocs/js/pages/admin/ConfigKeys.js @@ -110,8 +110,8 @@ Class.add( Page.Admin, { if(item.type == "bool" && !item.key) key_disp = "☐" return [ - `
  ${item.title}
` - , `
${key_disp}
` + `
  ${item.title}
` + , `
${encode_entities(key_disp)}
` , '
' + actions.join(' | ') + '
' ]; }); diff --git a/htdocs/js/pages/admin/Users.js b/htdocs/js/pages/admin/Users.js index 4a54b4f..9538617 100644 --- a/htdocs/js/pages/admin/Users.js +++ b/htdocs/js/pages/admin/Users.js @@ -56,8 +56,8 @@ Class.add(Page.Admin, { ]; return [ '
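Review bot: `${item.title}` on the first returned line is still interpolated raw while `${encode_entities(key_disp)}` on the next line is now encoded, so the title cell remains a place where a config key name containing markup would be rendered as HTML. Config key records on this page look operator-entered, so the title should get the same treatment: `${encode_entities(item.title)}`. The `"☐"` placeholder assigned to `key_disp` for unset booleans presumably passes through `encode_entities` unchanged, so the new call should not affect that display. The row-builder callback this belongs to starts before the hunk.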
' + self.getNiceUsername(user, true, col_width) + '
', - '
' + user.full_name + '
', - '', + '
' + encode_entities(user.full_name) + '
', + '', user.active ? ' Active' : ' Suspended', user.privileges.admin ? ' Admin' : 'Standard', '' + get_nice_date(user.created, true) + '', diff --git a/package-lock.json b/package-lock.json index 947ab77..866c2a6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "Cronicle", - "version": "1.3.3", + "version": "1.3.4", "lockfileVersion": 1, "requires": true, "dependencies": { @@ -330,6 +330,11 @@ "delayed-stream": "~1.0.0" } }, + "commander": { + "version": "2.20.3", + "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", + "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==" + }, "component-bind": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/component-bind/-/component-bind-1.0.0.tgz", @@ -360,6 +365,11 @@ "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=" }, + "cssfilter": { + "version": "0.0.10", + "resolved": "https://registry.npmjs.org/cssfilter/-/cssfilter-0.0.10.tgz", + "integrity": "sha1-xtJnJjKi5cg+AT5oZKQs6N79IK4=" + }, "daemon": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/daemon/-/daemon-1.1.0.tgz", @@ -1468,6 +1478,15 @@ "resolved": "https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz", "integrity": "sha1-GFqIjATspGw+QHDZn3tJ3jUomS0=" }, + "xss": { + "version": "1.0.8", + "resolved": "https://registry.npmjs.org/xss/-/xss-1.0.8.tgz", + "integrity": "sha512-3MgPdaXV8rfQ/pNn16Eio6VXYPTkqwa0vc7GkiymmY/DqR1SE/7VPAAVZz1GJsJFrllMYO3RHfEaiUGjab6TNw==", + "requires": { + "commander": "^2.20.3", + "cssfilter": "0.0.10" + } + }, "yargs": { "version": "3.10.0", "resolved": "https://registry.npmjs.org/yargs/-/yargs-3.10.0.tgz", diff --git a/package.json b/package.json index 5e512ec..c05905b 100644 --- a/package.json +++ b/package.json 
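Review bot: The second changed line of this hunk shows only `'',` on both its old and new side in this rendering, so the change made to that cell cannot be reviewed here — presumably a tag-wrapped field whose markup was stripped when the patch was displayed; please confirm it goes through `encode_entities` like `user.full_name` on the line above. The remaining cells (`user.active ? ' Active' : ' Suspended'`, `user.privileges.admin ? ' Admin' : 'Standard'`, `get_nice_date(...)`) pick literal labels or formatted dates and need no encoding. The enclosing function starts before the hunk.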
@@ -60,6 +60,7 @@
 "socket.io-client": "1.7.3",
 "uglify-js": "2.8.22",
 "uncatch": "^1.0.0",
+ "xss": "^1.0.8",
 "zxcvbn": "3.5.0"
 },
 "devDependencies": {
diff --git a/sample_conf/setup.json b/sample_conf/setup.json
index 8d7aff2..05211d5 100644
--- a/sample_conf/setup.json
+++ b/sample_conf/setup.json
@@ -401,6 +401,7 @@
 [ "symlinkCompress", "node_modules/zxcvbn/dist/zxcvbn.js", "htdocs/js/external/" ],
 [ "symlinkCompress", "node_modules/zxcvbn/dist/zxcvbn.js.map", "htdocs/js/external/" ],
 [ "symlinkCompress", "node_modules/chart.js/dist/Chart.min.js", "htdocs/js/external/" ],
+ [ "symlinkCompress", "node_modules/xss/dist/xss.min.js", "htdocs/js/external/" ],
 [ "symlinkCompress", "node_modules/font-awesome/css/font-awesome.min.css", "htdocs/css/" ],