Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix XSS in some dashboards queries #2785

Merged
merged 2 commits into from
Oct 31, 2022
Merged

Fix XSS in some dashboards queries #2785

merged 2 commits into from
Oct 31, 2022

Conversation

msaf1980
Copy link
Contributor

@msaf1980 msaf1980 commented Oct 27, 2022
edited
Loading

Fixes XSS in some dashboards queries:
issue #2744
issue #2745

Also fix:
issue #2746

@msaf1980 msaf1980 changed the title Fix some xss Fix XSS in some dashboards queries Oct 27, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 27, 2022
View reviewed changes
webapp/graphite/errors.py
@@ -111,6 +122,6 @@
except InputParameterError as e:
msgStr = str(e)
log.warning('%s', msgStr)
return HttpResponseBadRequest(escape(msgStr))
return HttpResponseBadRequest(htmlEscape(msgStr))

Check warning

Code scanning / CodeQL

Information exposure through an exception

[Stack trace information](1) flows to this location and may be exposed to an external user.
@msaf1980 msaf1980 force-pushed the fix_xss branch 2 times, most recently from 10e0e4f to b8c492f Compare October 27, 2022 16:56
@msaf1980 msaf1980 marked this pull request as draft October 27, 2022 16:59
@msaf1980 msaf1980 marked this pull request as ready for review October 27, 2022 17:54
msaf1980
msaf1980 commented Oct 28, 2022
View reviewed changes
webapp/graphite/errors.py


def is_unclean_str(s):
for symbol in '&<>~!@#$%^*()`':
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minimal set of unsafe symbols is &<>. May be other symbols are accepted ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's stick to wide set for now, we'll fix later, if needed

@deniszh deniszh merged commit 2f178f4 into graphite-project:master Oct 31, 2022
This was referenced Nov 6, 2022
Open
Open
Open
Open
@risicle
Copy link

risicle commented Jan 12, 2023

It would be nice to have a release incorporating this as it has now been indicated in 3 different CVEs: CVE-2022-4730, CVE-2022-4729 & CVE-2022-4728.

@deniszh
Copy link
Member

deniszh commented Jan 13, 2023

Agreed, will do release soon

@deniszh deniszh mentioned this pull request Feb 19, 2023
Merged
deniszh pushed a commit to deniszh/graphite-web that referenced this pull request Feb 19, 2023
@msaf1980 @deniszh
Fix XSS in some dashboards queries (graphite-project#2785)
4b88d95 
* prevent xss on time range text fields

* prevent xss on dashbord queries

(cherry picked from commit 2f178f4)

# Conflicts:
#	webapp/graphite/errors.py
#	webapp/tests/base.py
@deniszh
Copy link
Member

deniszh commented Feb 19, 2023

💚 All backports created successfully

Status Branch Result
1.1.x

Questions ?

Please refer to the Backport tool documentation

deniszh added a commit that referenced this pull request Feb 19, 2023
@deniszh
Merge pull request #2801 from deniszh/backport/1.1.x/pr-2785
2225774 
[1.1.x]  Fix XSS in some dashboards queries (#2785)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deniszh deniszh deniszh left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@msaf1980 @risicle @deniszh