kallithea Changeset - 391fde4cbf12

Changeset - 391fde4cbf12

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich - 7 years ago 2019-02-27 02:30:18
mads@kiilerich.com

base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS

On repository pages, the 'Switch To' did not escape branches correctly.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .

1 file changed with 2 insertions and 2 deletions:

kallithea/templates/base/base.html

0 comments (0 inline, 0 general)

kallithea/templates/base/base.html

➞

Show inline comments

 ## -*- coding: utf-8 -*-
 <%inherit file="root.html"/>
 <!-- CONTENT -->
 <div id="content" class="container-fluid">
     ${self.flash_msg()}
     <div id="main">
         ${next.main()}
     </div>
 </div>
 <!-- END CONTENT -->
 <!-- FOOTER -->
 <div class="footer navbar navbar-inverse">
     <span class="navbar-text pull-left">
         ${_('Server instance: %s') % c.instance_id if c.instance_id else ''}
     </span>
     <span class="navbar-text pull-right">
         This site is powered by
         %if c.visual.show_version:
             <a class="navbar-link" href="${h.url('kallithea_project_url')}" target="_blank">Kallithea</a> ${c.kallithea_version},
         %else:
             <a class="navbar-link" href="${h.url('kallithea_project_url')}" target="_blank">Kallithea</a>,
         %endif
         which is
         <a class="navbar-link" href="${h.canonical_url('about')}#copyright">&copy; 2010&ndash;2018 by various authors &amp; licensed under GPLv3</a>.
         %if c.issues_url:
             &ndash; <a class="navbar-link" href="${c.issues_url}" target="_blank">${_('Support')}</a>
         %endif
     </span>
 </div>
 <!-- END FOOTER -->
 ### MAKO DEFS ###
 <%block name="branding_title">
     %if c.site_name:
     &middot; ${c.site_name}
     %endif
 </%block>
 <%def name="flash_msg()">
     <%include file="/base/flash_msg.html"/>
 </%def>
 <%def name="breadcrumbs()">
     <div class="panel-title">
     ${self.breadcrumbs_links()}
     </div>
 </%def>
 <%def name="admin_menu()">
   <ul class="dropdown-menu" role="menu">
       <li><a href="${h.url('admin_home')}"><i class="icon-book"></i>${_('Admin Journal')}</a></li>
       <li><a href="${h.url('repos')}"><i class="icon-database"></i>${_('Repositories')}</a></li>
       <li><a href="${h.url('repos_groups')}"><i class="icon-folder"></i>${_('Repository Groups')}</a></li>
       <li><a href="${h.url('users')}"><i class="icon-user"></i>${_('Users')}</a></li>
       <li><a href="${h.url('users_groups')}"><i class="icon-users"></i>${_('User Groups')}</a></li>
       <li><a href="${h.url('admin_permissions')}"><i class="icon-block"></i>${_('Default Permissions')}</a></li>
       <li><a href="${h.url('auth_home')}"><i class="icon-key"></i>${_('Authentication')}</a></li>
       <li><a href="${h.url('defaults')}"><i class="icon-wrench"></i>${_('Repository Defaults')}</a></li>
       <li class="last"><a href="${h.url('admin_settings')}"><i class="icon-gear"></i>${_('Settings')}</a></li>
   </ul>
 </%def>
 ## admin menu used for people that have some admin resources
 <%def name="admin_menu_simple(repositories=None, repository_groups=None, user_groups=None)">
   <ul class="dropdown-menu" role="menu">
    %if repositories:
       <li><a href="${h.url('repos')}"><i class="icon-database"></i>${_('Repositories')}</a></li>
    %endif
    %if repository_groups:
       <li><a href="${h.url('repos_groups')}"><i class="icon-folder"></i>${_('Repository Groups')}</a></li>
    %endif
    %if user_groups:
       <li><a href="${h.url('users_groups')}"><i class="icon-users"></i>${_('User Groups')}</a></li>
    %endif
   </ul>
 </%def>
 <%def name="repolabel(repo)">
   %if h.is_hg(repo):
     <span class="label label-repo" title="${_('Mercurial repository')}">hg</span>
   %endif
   %if h.is_git(repo):
     <span class="label label-repo" title="${_('Git repository')}">git</span>
   %endif
 </%def>
 <%def name="repo_context_bar(current=None, rev=None)">
   <% rev = None if rev == 'tip' else rev %>
   <!--- CONTEXT BAR -->
   <nav id="context-bar" class="navbar navbar-inverse">
     <div class="container-fluid">
     <div class="navbar-header">
       <div class="navbar-brand">
         ${repolabel(c.db_repo)}
         ## public/private
         %if c.db_repo.private:
           <i class="icon-lock"></i>
         %else:
           <i class="icon-globe"></i>
         %endif
         %for group in c.db_repo.groups_with_parents:
           ${h.link_to(group.name, url('repos_group_home', group_name=group.group_name), class_='navbar-link')}
           &raquo;
         %endfor
         ${h.link_to(c.db_repo.just_name, url('summary_home', repo_name=c.db_repo.repo_name), class_='navbar-link')}
         %if current == 'createfork':
          - ${_('Create Fork')}
         %endif
       </div>
       <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#context-pages" aria-expanded="false">
         <span class="sr-only">Toggle navigation</span>
         <span class="icon-bar"></span>
         <span class="icon-bar"></span>
         <span class="icon-bar"></span>
       </button>
     </div>
     <div id="context-pages" class="navbar-collapse collapse">
     <ul class="nav navbar-nav navbar-right">
         <li class="${'active' if current == 'summary' else ''}" data-context="summary"><a href="${h.url('summary_home', repo_name=c.repo_name)}"><i class="icon-doc-text"></i>${_('Summary')}</a></li>
         %if rev:
         <li class="${'active' if current == 'changelog' else ''}" data-context="changelog"><a href="${h.url('changelog_file_home', repo_name=c.repo_name, revision=rev, f_path='')}"><i class="icon-clock"></i>${_('Changelog')}</a></li>
         %else:
         <li class="${'active' if current == 'changelog' else ''}" data-context="changelog"><a href="${h.url('changelog_home', repo_name=c.repo_name)}"><i class="icon-clock"></i>${_('Changelog')}</a></li>
         %endif
         <li class="${'active' if current == 'files' else ''}" data-context="files"><a href="${h.url('files_home', repo_name=c.repo_name, revision=rev or 'tip')}"><i class="icon-doc-inv"></i>${_('Files')}</a></li>
         <li class="${'active' if current == 'showpullrequest' else ''}" data-context="showpullrequest">
           <a href="${h.url('pullrequest_show_all',repo_name=c.repo_name)}" title="${_('Show Pull Requests for %s') % c.repo_name}"> <i class="icon-git-pull-request"></i>${_('Pull Requests')}
             %if c.repository_pull_requests:
               <span class="badge">${c.repository_pull_requests}</span>
             %endif
           </a>
         </li>
         <li class="${'active' if current == 'switch-to' else ''}" data-context="switch-to">
           <input id="branch_switcher" name="branch_switcher" type="hidden">
         </li>
         <li class="${'active' if current == 'options' else ''} dropdown" data-context="options">
              %if h.HasRepoPermissionLevel('admin')(c.repo_name):
                <a href="${h.url('edit_repo',repo_name=c.repo_name)}" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i>${_('Options')} <i class="caret"></i></a>
              %else:
                <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i>${_('Options')} <i class="caret"></i></a>
              %endif
           <ul class="dropdown-menu" role="menu" aria-hidden="true">
              %if h.HasRepoPermissionLevel('admin')(c.repo_name):
                    <li><a href="${h.url('edit_repo',repo_name=c.repo_name)}"><i class="icon-gear"></i>${_('Settings')}</a></li>
              %endif
               %if c.db_repo.fork:
                <li><a href="${h.url('compare_url',repo_name=c.db_repo.fork.repo_name,org_ref_type=c.db_repo.landing_rev[0],org_ref_name=c.db_repo.landing_rev[1], other_repo=c.repo_name,other_ref_type='branch' if request.GET.get('branch') else c.db_repo.landing_rev[0],other_ref_name=request.GET.get('branch') or c.db_repo.landing_rev[1], merge=1)}">
                    <i class="icon-git-compare"></i>${_('Compare Fork')}</a></li>
               %endif
               <li><a href="${h.url('compare_home',repo_name=c.repo_name)}"><i class="icon-git-compare"></i>${_('Compare')}</a></li>
               <li><a href="${h.url('search_repo',repo_name=c.repo_name)}"><i class="icon-search"></i>${_('Search')}</a></li>
               %if h.HasRepoPermissionLevel('write')(c.repo_name) and c.db_repo.enable_locking:
                 %if c.db_repo.locked[0]:
                   <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock"></i>${_('Unlock')}</a></li>
                 %else:
                   <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock-open-alt"></i>${_('Lock')}</a></li>
                 %endif
               %endif
               ## TODO: this check feels wrong, it would be better to have a check for permissions
               ## also it feels like a job for the controller
               %if request.authuser.username != 'default':
                   <li>
                    <a href="#" class="${'following' if c.repository_following else 'follow'}" onclick="toggleFollowingRepo(this, ${c.db_repo.repo_id});">
                     <span class="show-follow"><i class="icon-heart-empty"></i>${_('Follow')}</span>
                     <span class="show-following"><i class="icon-heart"></i>${_('Unfollow')}</span>
                    </a>
                   </li>
                   <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Fork')}</a></li>
                   <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Create Pull Request')}</a></li>
               %endif
              </ul>
         </li>
     </ul>
     </div>
     </div>
   </nav>
   <script type="text/javascript">
     $(document).ready(function() {
       var bcache = {};
       var branch_switcher_placeholder = '<i class="icon-exchange"></i>' + ${h.jshtml(_('Switch To'))} + ' <span class="caret"></span>';
       $("#branch_switcher").select2({
           placeholder: branch_switcher_placeholder,
           dropdownAutoWidth: true,
           sortResults: prefixFirstSort,
           formatResult: function(obj) {
               return obj.text;
+              return obj.text.html_escape();
           },
           formatSelection: function(obj) {
               return obj.text;
+              return obj.text.html_escape();
           },
           formatNoMatches: function(term) {
               return ${h.jshtml(_('No matches found'))};
           },
           escapeMarkup: function(m) {
               if (m == branch_switcher_placeholder)
                   return branch_switcher_placeholder;
               return Select2.util.escapeMarkup(m);
           },
           containerCssClass: "branch-switcher",
           dropdownCssClass: "repo-switcher-dropdown",
           query: function(query) {
               var key = 'cache';
               var cached = bcache[key];
               if (cached) {
                   var data = {
                       results: []
                   };
                   // filter results
                   $.each(cached.results, function() {
                       var section = this.text;
                       var children = [];
                       $.each(this.children, function() {
                           if (query.term.length === 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0) {
                               children.push({
                                   'id': this.id,
                                   'text': this.text,
                                   'type': this.type,
                                   'obj': this.obj
                               });
+                          }
                       });
                       if (children.length !== 0) {
                           data.results.push({
                               'text': section,
                               'children': children
                           });
+                      }
                   });
                   query.callback(data);
               } else {
                   $.ajax({
                       url: pyroutes.url('repo_refs_data', {
                           'repo_name': ${h.js(c.repo_name)}
                       }),
                       data: {},
                       dataType: 'json',
                       type: 'GET',
                       success: function(data) {
                           bcache[key] = data;
                           query.callback(data);
+                      }
                   });
+              }
+          }
       });
       $("#branch_switcher").on('select2-selecting', function(e) {
           e.preventDefault();
           var context = $('#context-bar .active').data('context');
           if (context == 'files') {
               window.location = pyroutes.url('files_home', {
                   'repo_name': REPO_NAME,
                   'revision': e.choice.id,
                   'f_path': '',
                   'at': e.choice.text
               });
           } else if (context == 'changelog') {
               if (e.choice.type == 'tag' || e.choice.type == 'book') {
                   $("#branch_filter").append($('<'+'option/>').val(e.choice.text));
+              }
               $("#branch_filter").val(e.choice.text).change();
           } else {
               window.location = pyroutes.url('changelog_home', {
                   'repo_name': ${h.js(c.repo_name)},
                   'branch': e.choice.text
               });
+          }
       });
     });
   </script>
   <!--- END CONTEXT BAR -->
 </%def>
 <%def name="menu(current=None)">
   <ul id="quick" class="nav navbar-nav navbar-right">
     <!-- repo switcher -->
     <li class="${'active' if current == 'repositories' else ''}">
       <input id="repo_switcher" name="repo_switcher" type="hidden">
     </li>
     ##ROOT MENU
     %if request.authuser.username != 'default':
       <li class="${'active' if current == 'journal' else ''}">
         <a class="menu_link" title="${_('Show recent activity')}"  href="${h.url('journal')}">
           <i class="icon-book"></i>${_('Journal')}
         </a>
       </li>
     %else:
       <li class="${'active' if current == 'journal' else ''}">
         <a class="menu_link" title="${_('Public journal')}"  href="${h.url('public_journal')}">
           <i class="icon-book"></i>${_('Public journal')}
         </a>
       </li>
     %endif
       <li class="${'active' if current == 'gists' else ''} dropdown">
         <a class="menu_link dropdown-toggle" data-toggle="dropdown" role="button" title="${_('Show public gists')}"  href="${h.url('gists')}">
           <i class="icon-clippy"></i>${_('Gists')} <span class="caret"></span>
         </a>
           <ul class="dropdown-menu" role="menu">
             <li><a href="${h.url('new_gist', public=1)}"><i class="icon-paste"></i>${_('Create New Gist')}</a></li>
             <li><a href="${h.url('gists')}"><i class="icon-globe"></i>${_('All Public Gists')}</a></li>
             %if request.authuser.username != 'default':
               <li><a href="${h.url('gists', public=1)}"><i class="icon-user"></i>${_('My Public Gists')}</a></li>
               <li><a href="${h.url('gists', private=1)}"><i class="icon-lock"></i>${_('My Private Gists')}</a></li>
             %endif
           </ul>
       </li>
     <li class="${'active' if current == 'search' else ''}">
         <a class="menu_link" title="${_('Search in repositories')}"  href="${h.url('search')}">
           <i class="icon-search"></i>${_('Search')}
         </a>
     </li>
     % if h.HasPermissionAny('hg.admin')('access admin main page'):
       <li class="${'active' if current == 'admin' else ''} dropdown">
         <a class="menu_link dropdown-toggle" data-toggle="dropdown" role="button" title="${_('Admin')}" href="${h.url('admin_home')}">
           <i class="icon-gear"></i>${_('Admin')} <span class="caret"></span>
         </a>
         ${admin_menu()}
       </li>
     % elif request.authuser.repositories_admin or request.authuser.repository_groups_admin or request.authuser.user_groups_admin:
     <li class="${'active' if current == 'admin' else ''} dropdown">
         <a class="menu_link dropdown-toggle" data-toggle="dropdown" role="button" title="${_('Admin')}" href="">
           <i class="icon-gear"></i>${_('Admin')}
         </a>
         ${admin_menu_simple(request.authuser.repositories_admin,
                             request.authuser.repository_groups_admin,
                             request.authuser.user_groups_admin or h.HasPermissionAny('hg.usergroup.create.true')())}
     </li>
     % endif
     <li class="${'active' if current == 'my_pullrequests' else ''}">
       <a class="menu_link" title="${_('My Pull Requests')}" href="${h.url('my_pullrequests')}">
         <i class="icon-git-pull-request"></i>${_('My Pull Requests')}
         %if c.my_pr_count != 0:
           <span class="badge">${c.my_pr_count}</span>
         %endif
       </a>
     </li>
     ## USER MENU
     <li class="dropdown">
       <a class="menu_link dropdown-toggle" data-toggle="dropdown" role="button" id="quick_login_link"
         aria-expanded="false" aria-controls="quick_login" href="#">
           ${h.gravatar_div(request.authuser.email, size=20, div_class="icon")}
           %if request.authuser.username != 'default':
             <span class="menu_link_user">${request.authuser.username}</span>
           %else:
               <span>${_('Not Logged In')}</span>
           %endif
           <i class="caret"></i>
       </a>
       <div class="dropdown-menu user-menu" role="menu">
         <div id="quick_login" role="form" aria-describedby="quick_login_h" aria-hidden="true" class="container-fluid">
           %if request.authuser.username == 'default' or request.authuser.user_id is None:
             ${h.form(h.url('login_home', came_from=request.path_qs), class_='form clearfix')}
                 <h4 id="quick_login_h">${_('Login to Your Account')}</h4>
                 <label>
                     ${_('Username')}:
                     ${h.text('username',class_='form-control')}
                 </label>
                 <label>
                     ${_('Password')}:
                     ${h.password('password',class_='form-control')}
                 </label>
                 <div class="password_forgotten">
                     ${h.link_to(_('Forgot password?'),h.url('reset_password'))}
                 </div>
                 <div class="register">
                     %if h.HasPermissionAny('hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')():
                         ${h.link_to(_("Don't have an account?"),h.url('register'))}
                     %endif
                 </div>
                 <div class="submit">
                     ${h.submit('sign_in',_('Log In'),class_="btn btn-default btn-xs")}
                 </div>
             ${h.end_form()}
           %else:
             <div class="pull-left">
                 ${h.gravatar_div(request.authuser.email, size=48, div_class="big_gravatar")}
                 <b class="full_name">${request.authuser.full_name_or_username}</b>
                 <div class="email">${request.authuser.email}</div>
             </div>
             <div id="quick_login_h" class="pull-right list-group text-right">
               ${h.link_to(_('My Account'),h.url('my_account'),class_='list-group-item')}
               %if not request.authuser.is_external_auth:
                 ## Cannot log out if using external (container) authentication.
                 ${h.link_to(_('Log Out'), h.url('logout_home'),class_='list-group-item')}
               %endif
             </div>
           %endif
         </div>
       </div>
     </li>
   </ul>
     <script type="text/javascript">
         $(document).ready(function(){
             var visual_show_public_icon = ${h.js(c.visual.show_public_icon)};
             var cache = {}
             /*format the look of items in the list*/
             var format = function(state){
                 if (!state.id){
                   return state.text.html_escape(); // optgroup
+                }
                 var obj_dict = state.obj;
                 var tmpl = '';
                 if(obj_dict && state.type == 'repo'){
                     tmpl += '<span class="repo-icons">';
                     if(obj_dict['repo_type'] === 'hg'){
                         tmpl += '<span class="label label-repo" title="${_('Mercurial repository')}">hg</span> ';
+                    }
                     else if(obj_dict['repo_type'] === 'git'){
                         tmpl += '<span class="label label-repo" title="${_('Git repository')}">git</span> ';
+                    }
                     if(obj_dict['private']){
                         tmpl += '<i class="icon-lock"></i>';
+                    }
                     else if(visual_show_public_icon){
                         tmpl += '<i class="icon-globe"></i>';
+                    }
                     tmpl += '</span>';
+                }
                 if(obj_dict && state.type == 'group'){
                         tmpl += '<i class="icon-folder"></i>';
+                }
                 tmpl += state.text.html_escape();
                 return tmpl;
+            }
             var repo_switcher_placeholder = '<i class="icon-database"></i>' + ${h.jshtml(_('Repositories'))} + ' <span class="caret"></span>';
             $("#repo_switcher").select2({
                 placeholder: repo_switcher_placeholder,
                 dropdownAutoWidth: true,
                 sortResults: prefixFirstSort,
                 formatResult: format,
                 formatSelection: format,
                 formatNoMatches: function(term){
                     return ${h.jshtml(_('No matches found'))};
                 },
                 containerCssClass: "repo-switcher",
                 dropdownCssClass: "repo-switcher-dropdown",
                 escapeMarkup: function(m){
                     if (m == repo_switcher_placeholder)
                         return repo_switcher_placeholder;
                     return Select2.util.escapeMarkup(m);
                 },
                 query: function(query){
                   var key = 'cache';
                   var cached = cache[key] ;
                   if(cached) {
                     var data = {results: []};
                     //filter results
                     $.each(cached.results, function(){
                         var section = this.text;
                         var children = [];
                         $.each(this.children, function(){
                             if(query.term.length == 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0 ){
                                 children.push({'id': this.id, 'text': this.text, 'type': this.type, 'obj': this.obj});
+                            }
                         });
                         if(children.length !== 0){
                             data.results.push({'text': section, 'children': children});
+                        }
                     });
                     query.callback(data);
                   }else{
                       $.ajax({
                         url: ${h.js(h.url('repo_switcher_data'))},
                         data: {},
                         dataType: 'json',
                         type: 'GET',
                         success: function(data) {
                           cache[key] = data;
                           query.callback({results: data.results});
+                        }
                       });
+                  }
+                }
             });
             $("#repo_switcher").on('select2-selecting', function(e){
                 e.preventDefault();
                 window.location = pyroutes.url('summary_home', {'repo_name': e.val});
             });
             $(document).on('shown.bs.dropdown', function(event) {
                 var dropdown = $(event.target);
                 dropdown.attr('aria-expanded', true);
                 dropdown.find('.dropdown-menu').attr('aria-hidden', false);
             });
             $(document).on('hidden.bs.dropdown', function(event) {
                 var dropdown = $(event.target);
                 dropdown.attr('aria-expanded', false);
                 dropdown.find('.dropdown-menu').attr('aria-hidden', true);
             });
         });
     </script>
 </%def>
 <%def name="parent_child_navigation()">
     <div class="pull-left">
         <div class="parent-child-link"
              data-ajax-url="${h.url('changeset_parents',repo_name=c.repo_name, revision=c.changeset.raw_id)}"
              data-linktype="parent"
              data-reponame="${c.repo_name}">
             <i class="icon-left-open"></i><a href="#">${_('Parent rev.')}</a>
         </div>
     </div>
     <div class="pull-right">
         <div class="parent-child-link"
              data-ajax-url="${h.url('changeset_children',repo_name=c.repo_name, revision=c.changeset.raw_id)}"
              data-linktype="child"
              data-reponame="${c.repo_name}">
             <a href="#">${_('Child rev.')}</a><i class="icon-right-open"></i>
         </div>
     </div>
     <script type="text/javascript">
       $(document).ready(function(){
           activate_parent_child_links();
       });
     </script>
 </%def>

0 comments (0 inline, 0 general)