sync with 0.8.57

pradip-allwyn · Mar 30, 2021 · 6186811 · 6186811
1 parent 32e2e08
commit 6186811
Show file tree

Hide file tree

Showing 8 changed files with 81 additions and 8 deletions.
diff --git a/htdocs/index-dev.html b/htdocs/index-dev.html
@@ -163,7 +163,8 @@
 			$.widget("ui.tooltip", $.ui.tooltip, {
 				options: {
 					content: function () {
-						return $(this).prop('title');
+						let title = $(this).prop('title');
+						return `${title}`.replace(/script/ig, 'scrpt'); // prevent xss
 					}
 				}
 			});

diff --git a/lib/api.js b/lib/api.js
@@ -195,6 +195,12 @@ module.exports = Class.create({
 		};
 		if (!this.validateOptionalParams(event, rules, callback)) return false;
 
+		// make sure title doesn't contain HTML metacharacters
+		if (event.title && event.title.match(/[<>]/)) {
+			this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+			return false;
+		}
+
 		// params
 		if (("params" in event) && (typeof (event.params) != 'object')) {
 			this.doError('api', "Malformed event parameter: params (must be object)", callback);

diff --git a/lib/api/apikey.js b/lib/api/apikey.js
@@ -89,6 +89,11 @@ module.exports = Class.create({
 			title: /\S/,
 			key: /\S/
 		}, callback)) return;
+
+		// make sure title doesn't contain HTML metacharacters
+		if (params.title && params.title.match(/[<>]/)) {
+			return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+		}
 
 		this.loadSession(args, function(err, session, user) {
 			if (err) return self.doError('session', err.message, callback);
@@ -133,6 +138,13 @@ module.exports = Class.create({
 		if (!this.requireParams(params, {
 			id: /^\w+$/
 		}, callback)) return;
+
+	    // make sure title doesn't contain HTML metacharacters
+	    if (params.title && params.title.match(/[<>]/)) {
+		  return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+	    }
+
+
 
 		this.loadSession(args, function(err, session, user) {
 			if (err) return self.doError('session', err.message, callback);

diff --git a/lib/api/category.js b/lib/api/category.js
@@ -47,6 +47,11 @@ module.exports = Class.create({
 			title: /\S/,
 			max_children: /^\d+$/
 		}, callback)) return;
+
+	   // make sure title doesn't contain HTML metacharacters
+	    if (cat.title && cat.title.match(/[<>]/)) {
+		  return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+	    }		
 
 		this.loadSession(args, function(err, session, user) {
 			if (err) return self.doError('session', err.message, callback);
@@ -96,6 +101,11 @@ module.exports = Class.create({
 		if (!this.requireParams(params, {
 			id: /^\w+$/
 		}, callback)) return;
+
+		// make sure title doesn't contain HTML metacharacters
+		if (params.title && params.title.match(/[<>]/)) {
+			return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+		}		
 
 		this.loadSession(args, function(err, session, user) {
 			if (err) return self.doError('session', err.message, callback);

diff --git a/lib/api/confkey.js b/lib/api/confkey.js
@@ -66,6 +66,11 @@ module.exports = Class.create({
 			key: /\S/
 		}, callback)) return;
 
+	    // make sure title doesn't contain HTML metacharacters
+	    if (params.title && params.title.match(/[<>]/)) {
+		  return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+	    }
+
 		this.loadSession(args, async function (err, session, user) {
 			if (err) return self.doError('session', err.message, callback);
 			if (!self.requireAdmin(session, user, callback)) return;
@@ -131,6 +136,11 @@ module.exports = Class.create({
 			title: /\S/,
 		}, callback)) return;
 
+	    // make sure title doesn't contain HTML metacharacters
+	    if (params.title && params.title.match(/[<>]/)) {
+			return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+		}		
+
 		this.loadSession(args, async function (err, session, user) {
 			if (err) return self.doError('session', err.message, callback);
 			if (!self.requireAdmin(session, user, callback)) return;

diff --git a/lib/api/group.js b/lib/api/group.js
@@ -25,6 +25,11 @@ module.exports = Class.create({
 			title: /\S/,
 			regexp: /\S/
 		}, callback)) return;
+
+		// make sure title doesn't contain HTML metacharacters
+	    if (group.title && group.title.match(/[<>]/)) {
+		   return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+	    }		
 
 		this.loadSession(args, function(err, session, user) {
 			if (err) return self.doError('session', err.message, callback);
@@ -68,6 +73,13 @@ module.exports = Class.create({
 		if (!this.requireParams(params, {
 			id: /^\w+$/
 		}, callback)) return;
+
+
+		// make sure title doesn't contain HTML metacharacters
+		if (params.title && params.title.match(/[<>]/)) {
+			return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+		}
+
 
 		this.loadSession(args, function(err, session, user) {
 			if (err) return self.doError('session', err.message, callback);

diff --git a/lib/api/job.js b/lib/api/job.js
@@ -207,15 +207,25 @@ module.exports = Class.create({
 			args.user = user;
 			args.session = session;
 
-			var job = self.findJob(params);
-			if (!job) return self.doError('job', "Failed to locate job: " + params.id, callback);
-			if (!self.requireCategoryPrivilege(user, job.category, callback)) return;
-			if (!self.requireGroupPrivilege(args, user, job.target, callback)) return;
+			var job = null;
+
+			// due to a race condition, the job may not be registered yet
+			async.retry( { times: 20, interval: 250 },
+				async.ensureAsync( function(callback) {
+					job = self.findJob(params);
+					return job ? callback() : callback("NOPE");
+				} ),
+				function(err) {
+					if (err) return self.doError('job', "Failed to locate job for log watch auth: " + params.id, callback);
+					if (!self.requireCategoryPrivilege(user, job.category, callback)) return;
+					if (!self.requireGroupPrivilege(args, user, job.target, callback)) return;
 
-			// generate token
-			var token = Tools.digestHex(params.id + self.server.config.get('secret_key'));
+					// generate token
+					var token = Tools.digestHex(params.id + self.server.config.get('secret_key'));
 
-			callback({ code: 0, token: token });
+					callback({ code: 0, token: token });
+				}
+			); // async.retry
 		});
 	},
 

diff --git a/lib/api/plugin.js b/lib/api/plugin.js
@@ -46,6 +46,11 @@ module.exports = Class.create({
 			title: /\S/,
 			command: /\S/
 		}, callback)) return;
+
+		// make sure title doesn't contain HTML metacharacters
+		if (plugin.title && plugin.title.match(/[<>]/)) {
+			return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+		}
 
 		if (!this.requireValidPluginCommand(plugin.command, callback)) return;
 
@@ -91,6 +96,13 @@ module.exports = Class.create({
 		if (!this.requireParams(params, {
 			id: /^\w+$/
 		}, callback)) return;
+
+		// make sure title doesn't contain HTML metacharacters
+		if (params.title && params.title.match(/[<>]/)) {
+			return this.doError('api', "Malformed title parameter: Cannot contain HTML metacharacters", callback);
+		}
+
+
 
 		if (params.command) {
 			if (!this.requireValidPluginCommand(params.command, callback)) return;