[PPP-5370][Update XSS Vulnerabilities] #5758
base: XSS-PPP-5370
Conversation
@@ -73,7 +77,7 @@ function xmlResolveEntities(s) { | |||
// through the W3C DOM. W3C DOM access is specified to resolve | |||
// entities. | |||
var span = window.document.createElement('span'); | |||
span.innerHTML = '&' + rp[0] + '; '; | |||
xssUtil.setHtml(span, '&' + rp[0] + '; '); |
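Review bot: this code exists only to let the DOM decode an entity reference, so the sanitizer behind xssUtil.setHtml at line 22 must leave character references such as `&name;` and `&#nn;` untouched (including the trailing space in `'&' + rp[0] + '; '`) or xmlResolveEntities will no longer return the decoded text; add a unit test covering a named and a numeric entity. `xssUtil` is also undefined in this file unless it becomes a RequireJS module; `pho.util.xss.setHtml` avoids the wrapper.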
In this file, which is not prepared to be a RequireJS module, you should use the global version of the method: pho.util.xss.setHtml(., .)
(and undo the proposed RequireJS modifications).
@@ -10,6 +10,9 @@ | |||
* Change Date: 2028-08-13 | |||
******************************************************************************/ | |||
|
|||
define(['common-ui/util/xss'], |
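Review bot: the `define(['common-ui/util/xss'],` wrapper at line 33 shows only its opening; check that the callback parameter is named `xssUtil` to match the identifier used in the rest of the file, that the matching `});` closes the wrapper at the end of the file, and that no page still loads this script with a plain script tag, where `define` would be undefined and the whole file would throw before running. If the file turns out to be unreferenced and is deleted instead, the wrapper is moot.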
AFAICT, this file is not referenced anywhere.
It appears to demonstrate use of some Google Maps component (GeoCoder) via Pentaho XActions. XActions are essentially deprecated.
Unless you can find a reference to it, solve the XSS issue by removing the file.
@@ -20,11 +23,11 @@ function runInBackground( url, target ) | |||
url = url + "&background=true"; | |||
if ( target.toLowerCase().indexOf( 'new' ) >= 0 ) | |||
{ | |||
var targetWin = window.open( url ); | |||
var targetWin = window.open(xssUtil.sanitizeHtml(url), 'noopener,noreferrer'); |
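Review bot: at line 45 the features string `'noopener,noreferrer'` is passed as the second argument of window.open, which is the target window name, not windowFeatures; the browser creates a window literally named "noopener,noreferrer" and the opener relationship is not severed. Move the features to the third argument, e.g. `window.open(url, '_blank', 'noopener,noreferrer')`. Once noopener is in effect window.open returns null, so any later use of `targetWin` (such as `targetWin.focus()`) must tolerate null. Also, `sanitizeHtml` is an HTML sanitizer, not a URL validator: a URL with a javascript: scheme contains no markup and passes through unchanged, so a scheme check (the proposed sanitizeUrl) is what is needed here.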
This file is not prepared to be a RequireJS module, and, as such, you should use the global version of the XSS utility library, available under pho.util.xss (and undo the proposed RequireJS modifications).
However, the library does not currently offer any mechanism to validate URLs. AFAIR (but please confirm!), URL protection against XSS consists of ensuring that the URL does not have a javascript protocol. A function such as sanitizeUrl(url) should be added to the XSS utility and then used here.
I am not sure what the best source is to base our implementation on, in this regard. Some pointers:
Regarding this, I think we might be able to use DOMPurify to this effect.
In the DOMPurify playground page, https://cure53.de/purify, try out the following sample Dirty HTML:
<a href='
javas cript:alert(1)'>I am a dolphin!</a>
<a href='http://www.google.com'>I am a dolphin!</a>
It cleans it as:
<a>I am a dolphin!</a>
<a href="http://www.google.com">I am a dolphin!</a>
As such, we should be able to implement sanitizeUrl(url) by creating a dummy a element string with the URL as the href attribute: '<a href="' + url + '">', then reading back the resulting href value, if any.
Or, we can just base our implementation on their own, from:
- https://github.com/cure53/DOMPurify/blob/211ffb5bb94c24b6482b91021b6334295b1152e4/src/purify.ts#L1224
- https://github.com/cure53/DOMPurify/blob/211ffb5bb94c24b6482b91021b6334295b1152e4/src/purify.ts#L1303
Which seems like somewhat concise regexp code that we can mimic.
Another aspect which must be considered is whether the suggested sanitizeUrl() method alone would automatically resolve the AppScan finding. I believe the finding is being triggered due to any use of window.open() with a URL string. And so we should need to also create a method such as xssUtil.openWindow(window, url, options) that achieves this in a safe way (by internally sanitizing the URL and hiding the call to window.open).
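The sanitizeUrl(url) and openWindow(window, url, options) pair proposed in the comments above, as an added example that is neither the project's code nor DOMPurify's: it assumes a scheme allowlist and a whitespace-stripping step of its own rather than copying DOMPurify's regular expressions, and takes the window object as a parameter so it can be exercised with a stub.

```javascript
// Added example, not pentaho-platform or DOMPurify code. The names sanitizeUrl
// and openWindow follow the reviewer's proposal; the allowlist and the regular
// expressions below are this example's own assumptions.

// Characters that browsers drop while parsing a URL, so "javas\ncript:" and
// "\u0000javascript:" still reach the javascript scheme: strip them before
// inspecting the scheme, but leave the original string otherwise intact.
const URL_IGNORED_CHARS = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Schemes a new window may navigate to. Anything carrying another explicit
// scheme (javascript:, data:, vbscript:, ...) is rejected.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'ftp', 'mailto', 'tel']);

// Leading "scheme:" as in RFC 3986: a letter, then letters/digits/+/-/. up to ':'.
const SCHEME_PREFIX = /^([a-z][a-z0-9+.-]*):/i;

// Returns the trimmed URL when it is acceptable, otherwise null.
function sanitizeUrl(url) {
  if (typeof url !== 'string') return null;
  const match = SCHEME_PREFIX.exec(url.replace(URL_IGNORED_CHARS, ''));
  if (match === null) return url.trim(); // no scheme: a relative URL such as "/x?y=1"
  return ALLOWED_SCHEMES.has(match[1].toLowerCase()) ? url.trim() : null;
}

// Opens url in a new browsing context only after sanitizeUrl accepts it.
// window.open(url, target, features): the features string is the THIRD
// argument; passing it second merely names the new window "noopener,noreferrer".
// With noopener the call returns null, so callers must not rely on the handle.
function openWindow(win, url, target) {
  const safeUrl = sanitizeUrl(url);
  if (safeUrl === null) {
    throw new Error('openWindow: URL rejected by sanitizeUrl');
  }
  return win.open(safeUrl, target || '_blank', 'noopener,noreferrer');
}
```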
@@ -360,7 +363,7 @@ function executeAction (target, submitUrl) { | |||
// convert characters from entities like ı to display characters (HTML) | |||
function convertHtmlEntitiesToCharacters(theStr) { | |||
var newDiv = document.createElement(newDiv); | |||
newDiv.innerHTML = theStr; | |||
xssUtil.setHtml(newDiv, theStr); |
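Review bot: the unchanged context line 90, `var newDiv = document.createElement(newDiv);`, passes the not-yet-assigned (hoisted, undefined) variable `newDiv` as the tag name, so an element named `<undefined>` is created rather than a div; since this PR already touches the next line, correct it to `document.createElement('div')`. For line 92, the function's purpose is to decode entities by letting the DOM parse `theStr`, so verify that xssUtil.setHtml preserves character references and does not drop text, or convertHtmlEntitiesToCharacters will return different text to its callers.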
In this file, which is not prepared to be a RequireJS module, you should use the global version of the method: pho.util.xss.setHtml(., .)
(and undo the proposed RequireJS modifications).
@@ -210,7 +213,7 @@ dojo.html.createNodesFromText = function(/* string */txt, /* boolean? */trim){ | |||
txt = "<table>" + txt + "</table>"; | |||
tableType = "section"; | |||
} | |||
tn.innerHTML = txt; | |||
xssUtil.setHtml(tn, txt); |
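Review bot: line 103 replaces the dojo internal `tn.innerHTML = txt` with a sanitizing setter, which changes the contract of dojo.html.createNodesFromText for every caller: whatever the sanitizer's allowlist strips (form elements, event handler attributes, iframes, or even the `<table>` wrapper added at line 99 if table sections are not allowlisted) silently disappears from the returned nodes. Either confirm the allowlist covers everything dojo callers pass in, or apply the sanitizing setter at the call sites that take untrusted text and leave the library function alone. `xssUtil` also has to be in scope in this file.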
In this file, which is not prepared to be a RequireJS module, you should use the global version of the method: pho.util.xss.setHtml(., .)
(and undo the proposed RequireJS modifications).
document.getElementById(datePickerDivID).innerHTML = html; | ||
|
||
xssUtil.setHtml(document.getElementById(datePickerDivID), html); |
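Review bot: line 112 sanitizes the finished `html` string, which, as the reviewer notes, strips the inline onClick/onMouseOut handlers the date picker relies on. Two points to carry into the fix: encode each untrusted value where it is concatenated into `html`, choosing the encoder by context (a value placed inside a quoted JavaScript string that itself sits inside an HTML attribute needs JavaScript-string encoding followed by HTML-attribute encoding, because the browser decodes the attribute before the script runs); and if `dateFieldName` can be restricted to identifier-like characters (letters, digits, underscore), reject anything else up front rather than relying on encoding alone.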
This file is not prepared to be a RequireJS module, and, as such, you should use the global version of the XSS utility library, available under pho.util.xss (and undo the proposed RequireJS modifications).
As you can see in the code above, there are multiple instances of event handler attributes (e.g. onMouseOut, onClick), which using setHtml would eliminate altogether, breaking the functionality.
Instead, we must sanitize/encode the parts used to build the HTML string which may pose an XSS risk.
The arguments year, month and day are already properly handled in a safe manner.
The argument dateFieldName, however, is being used directly as a JavaScript string (with quotes, double or single, provided outside). It should be escaped before use. We need a function such as encodeForJavaScript(text) (following, for example, OWASP's functionality of OWASP Encoder); add it to the XSS utility and then use it here.
Then, in this same line, mark the setting of unsafe HTML using xssUtil.setHtmlUnsafe(document.getElementById(datePickerDivID), html); instead.
Note that method getButtonCode also needs to be changed.
window.open( url ); | ||
/* noopener and noreferrer: These attributes mitigate the risk of tabnabbing and | ||
prevent the new page from accessing the original window’s properties. */ | ||
window.open(xssUtil.sanitizeHtml(url),'noopener,noreferrer'); |
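Review bot: line 137 passes `'noopener,noreferrer'` as the second argument of window.open, which is the target name rather than windowFeatures, so the features are not applied and the comment at lines 135-136 describing them as "attributes" is inaccurate (they are window features). Use `window.open(url, '_blank', 'noopener,noreferrer')`, replace `sanitizeHtml` with a URL-scheme check (the proposed sanitizeUrl), since an HTML sanitizer does not reject a javascript: URL, and note that the call will then return null.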
This file is not prepared to be a RequireJS module, and, as such, you should use the global version of the XSS utility library, available under pho.util.xss (and undo the proposed RequireJS modifications).
Please, use the new method suggested above, pho.util.xss.sanitizeUrl(..).
window.open(href, "_blank"); | ||
/* noopener and noreferrer: These attributes mitigate the risk of tabnabbing and | ||
prevent the new page from accessing the original window’s properties. */ | ||
window.open(xssUtil.sanitizeHtml(href), "_blank", 'noopener,noreferrer'); |
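Review bot: line 148 has the three window.open arguments in the right order, but `xssUtil.sanitizeHtml(href)` does not validate a URL: an HTML sanitizer only acts on markup, and a javascript: or data: URL contains none, so the value is returned as-is. Replace it with a URL-scheme allowlist check (the proposed sanitizeUrl), keep `"_blank"` with `'noopener,noreferrer'`, and make sure nothing uses the now-null return value.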
Please, use the new method suggested above, xssUtil.sanitizeUrl(..).
Quality Gate failed: failed conditions
❌ Build failed in 1h 5s. Build command: mvn clean verify -B -e -Daudit -Djs.no.sandbox
👌 All tests passed! Tests run: 2724, Failures: 0, Skipped: 5 (Test Results)
ℹ️ This is an automatic message
Update XSS Vulnerabilities