Changeset - 603f5f7c323d
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Thomas De Schampheleire - 7 years ago 2019-02-26 21:50:15
thomas.de_schampheleire@nokia.com
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.

An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).


Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
2 files changed with 12 insertions and 1 deletions:
kallithea/public/js/base.js
4
kallithea/templates/pullrequests/pullrequest_show.html
8
1
0 comments (0 inline, 0 general)
kallithea/public/js/base.js
Show inline comments
 
@@ -1268,155 +1268,159 @@ var MentionsAutoComplete = function ($in
 

			




	
	
	
		
 
    // in this keybuffer we will gather current value of search !

			




	
	
	
		
 
    // since we need to get this just when someone does `@` then we do the

			




	
	
	
		
 
    // search

			




	
	
	
		
 
    mentionsAC.dataSource.chunks = [];

			




	
	
	
		
 
    mentionsAC.dataSource.mentionQuery = null;

			




	
	
	
		
 

			




	
	
	
		
 
    mentionsAC.get_mention = function(msg, max_pos) {

			




	
	
	
		
 
        var org = msg;

			




	
	
	
		
 
        // Must match utils2.py MENTIONS_REGEX.

			




	
	
	
		
 
        // Only matching on string up to cursor, so it must end with $

			




	
	
	
		
 
        var re = new RegExp('(?:^|[^a-zA-Z0-9])@([a-zA-Z0-9][-_.a-zA-Z0-9]*[a-zA-Z0-9])$');

			




	
	
	
		
 
        var chunks  = [];

			




	
	
	
		
 

			




	
	
	
		
 
        // cut first chunk until current pos

			




	
	
	
		
 
        var to_max = msg.substr(0, max_pos);

			




	
	
	
		
 
        var at_pos = Math.max(0,to_max.lastIndexOf('@')-1);

			




	
	
	
		
 
        var msg2 = to_max.substr(at_pos);

			




	
	
	
		
 

			




	
	
	
		
 
        chunks.push(org.substr(0,at_pos)); // prefix chunk

			




	
	
	
		
 
        chunks.push(msg2);                 // search chunk

			




	
	
	
		
 
        chunks.push(org.substr(max_pos));  // postfix chunk

			




	
	
	
		
 

			




	
	
	
		
 
        // clean up msg2 for filtering and regex match

			




	
	
	
		
 
        var msg2 = msg2.lstrip(' ').lstrip('\n');

			




	
	
	
		
 

			




	
	
	
		
 
        if(re.test(msg2)){

			




	
	
	
		
 
            var unam = re.exec(msg2)[1];

			




	
	
	
		
 
            return [unam, chunks];

			




	
	
	
		
 
        }

			




	
	
	
		
 
        return [null, null];

			




	
	
	
		
 
    };

			




	
	
	
		
 

			




	
	
	
		
 
    $inputElement.keyup(function(e){

			




	
	
	
		
 
            var currentMessage = $inputElement.val();

			




	
	
	
		
 
            var currentCaretPosition = $inputElement[0].selectionStart;

			




	
	
	
		
 

			




	
	
	
		
 
            var unam = mentionsAC.get_mention(currentMessage, currentCaretPosition);

			




	
	
	
		
 
            var curr_search = null;

			




	
	
	
		
 
            if(unam[0]){

			




	
	
	
		
 
                curr_search = unam[0];

			




	
	
	
		
 
            }

			




	
	
	
		
 

			




	
	
	
		
 
            mentionsAC.dataSource.chunks = unam[1];

			




	
	
	
		
 
            mentionsAC.dataSource.mentionQuery = curr_search;

			




	
	
	
		
 
        });

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
// Important: input arguments to addReviewMember should be safe (escaped) for

			




	
	
	
		
 
// inclusion into HTML.

			




	
	
	
		
 
var addReviewMember = function(id,fname,lname,nname,gravatar_link,gravatar_size){

			




	
	
	
		
 
    var displayname = nname;

			




	
	
	
		
 
    if ((fname != "") && (lname != "")) {

			




	
	
	
		
 
        displayname = "{0} {1} ({2})".format(fname, lname, nname);

			




	
	
	
		
 
    }

			




	
	
	
		
 
    var gravatarelm = gravatar(gravatar_link, gravatar_size, "");

			




	
	
	
		
 
    // WARNING: the HTML below is duplicate with

			




	
	
	
		
 
    // kallithea/templates/pullrequests/pullrequest_show.html

			




	
	
	
		
 
    // If you change something here it should be reflected in the template too.

			




	
	
	
		
 
    var element = (

			




	
	
	
		
 
        '     <li id="reviewer_{2}">\n'+

			




	
	
	
		
 
        '       <div class="reviewers_member">\n'+

			




	
	
	
		
 
        '           <div class="reviewer_status tooltip" title="not_reviewed">\n'+

			




	
	
	
		
 
        '             <i class="icon-circle changeset-status-not_reviewed"></i>\n'+

			




	
	
	
		
 
        '           </div>\n'+

			




	
	
	
		
 
        '         <div class="reviewer_gravatar gravatar">{0}</div>\n'+

			




	
	
	
		
 
        '         <div style="float:left;">{1}</div>\n'+

			




	
	
	
		
 
        '         <input type="hidden" value="{2}" name="review_members" />\n'+

			




	
	
	
		
 
        '         <div class="reviewer_member_remove action_button" onclick="removeReviewMember({2})">\n'+

			




	
	
	
		
 
        '             <i class="icon-minus-circled"></i>\n'+

			




	
	
	
		
 
        '         </div> (add not saved)\n'+

			




	
	
	
		
 
        '       </div>\n'+

			




	
	
	
		
 
        '     </li>\n'

			




	
	
	
		
 
        ).format(gravatarelm, displayname, id);

			




	
	
	
		
 
    // check if we don't have this ID already in

			




	
	
	
		
 
    var ids = [];

			




	
	
	
		
 
    $('#review_members').find('li').each(function() {

			




	
	
	
		
 
            ids.push(this.id);

			




	
	
	
		
 
        });

			




	
	
	
		
 
    if(ids.indexOf('reviewer_'+id) == -1){

			




	
	
	
		
 
        //only add if it's not there

			




	
	
	
		
 
        $('#review_members').append(element);

			




	
	
	
		
 
    }

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
var removeReviewMember = function(reviewer_id, repo_name, pull_request_id){

			




	
	
	
		
 
    var $li = $('#reviewer_{0}'.format(reviewer_id));

			




	
	
	
		
 
    $li.find('div div').css("text-decoration", "line-through");

			




	
	
	
		
 
    $li.find('input').prop('name', 'review_members_removed');

			




	
	
	
		
 
    $li.find('.reviewer_member_remove').replaceWith('&nbsp;(remove not saved)');

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
/* activate auto completion of users as PR reviewers */

			




	
	
	
		
 
var PullRequestAutoComplete = function ($inputElement, $container, users_list) {

			




	
	
	
		
 

			




	
	
	
		
 
    var matchUsers = function (sQuery) {

			




	
	
	
		
 
        return autocompleteMatchUsers(sQuery, users_list);

			




	
	
	
		
 
    };

			




	
	
	
		
 

			




	
	
	
		
 
    var reviewerAC = autocompleteCreate($inputElement, $container, matchUsers);

			




	
	
	
		
 
    reviewerAC.suppressInputUpdate = true;

			




	
	
	
		
 

			




	
	
	
		
 
    // Handler for selection of an entry

			




	
	
	
		
 
    if(reviewerAC.itemSelectEvent){

			




	
	
	
		
 
        reviewerAC.itemSelectEvent.subscribe(function (sType, aArgs) {

			




	
	
	
		
 
            var myAC = aArgs[0]; // reference back to the AC instance

			




	
	
	
		
 
            var elLI = aArgs[1]; // reference to the selected LI element

			




	
	
	
		
 
            var oData = aArgs[2]; // object literal of selected item's result data

			




	
	
	
		
 

			




	
	
	
		
 
            // The fields in oData have already been escaped by the YUI

			




	
	
	
		
 
            // framework. We thus should not add explicit escaping here anymore.

			




	
	
	
		
 
            addReviewMember(oData.id, oData.fname, oData.lname, oData.nname,

			




	
	
	
		
 
                            oData.gravatar_lnk, oData.gravatar_size);

			




	
	
	
		
 
            myAC.getInputEl().value = '';

			




	
	
	
		
 
        });

			




	
	
	
		
 
    }

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
/**

			




	
	
	
		
 
 * Activate .quick_repo_menu

			




	
	
	
		
 
 */

			




	
	
	
		
 
var quick_repo_menu = function(){

			




	
	
	
		
 
    $(".quick_repo_menu").mouseenter(function(e) {

			




	
	
	
		
 
            var $menu = $(e.currentTarget).children().first().children().first();

			




	
	
	
		
 
            if($menu.hasClass('hidden')){

			




	
	
	
		
 
                $menu.removeClass('hidden').addClass('active');

			




	
	
	
		
 
                $(e.currentTarget).removeClass('hidden').addClass('active');

			




	
	
	
		
 
            }

			




	
	
	
		
 
        });

			




	
	
	
		
 
    $(".quick_repo_menu").mouseleave(function(e) {

			




	
	
	
		
 
            var $menu = $(e.currentTarget).children().first().children().first();

			




	
	
	
		
 
            if($menu.hasClass('active')){

			




	
	
	
		
 
                $menu.removeClass('active').addClass('hidden');

			




	
	
	
		
 
                $(e.currentTarget).removeClass('active').addClass('hidden');

			




	
	
	
		
 
            }

			




	
	
	
		
 
        });

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
/**

			




	
	
	
		
 
 * TABLE SORTING

			




	
	
	
		
 
 */

			




	
	
	
		
 

			




	
	
	
		
 
var revisionSort = function(a, b, desc, field) {

			




	
	
	
		
 
    var a_ = parseInt(a.getData('last_rev_raw') || 0);

			




	
	
	
		
 
    var b_ = parseInt(b.getData('last_rev_raw') || 0);

			




	
	
	
		
 

			




	
	
	
		
 
    return YAHOO.util.Sort.compare(a_, b_, desc);

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
var ageSort = function(a, b, desc, field) {

			




	
	
	
		
 
    // data is like: <span class="tooltip" date="2014-06-04 18:18:55.325474" title="Wed, 04 Jun 2014 18:18:55">1 day and 23 hours ago</span>

			




	
	
	
		
 
    var a_ = $(a.getData(field)).attr('date');

			




	
	
	
		
 
    var b_ = $(b.getData(field)).attr('date');

			




	
	
	
		
 

			




	
	
	
		
 
    return YAHOO.util.Sort.compare(a_, b_, desc);

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
var lastLoginSort = function(a, b, desc, field) {

			




        

    


    
    

    

        

                

                    kallithea/templates/pullrequests/pullrequest_show.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -367,56 +367,63 @@ ${self.repo_context_bar('showpullrequest

			




	
	
	
		
 
    ## template for inline comment form

			




	
	
	
		
 
    ${comment.comment_inline_form()}

			




	
	
	
		
 

			




	
	
	
		
 
    ## render comments and inlines

			




	
	
	
		
 
    ${comment.generate_comments()}

			




	
	
	
		
 

			




	
	
	
		
 
    ## main comment form and it status

			




	
	
	
		
 
    ${comment.comments(h.url('pullrequest_comment', repo_name=c.repo_name,

			




	
	
	
		
 
                              pull_request_id=c.pull_request.pull_request_id),

			




	
	
	
		
 
                       c.current_voting_result,

			




	
	
	
		
 
                       is_pr=True, change_status=c.allowed_to_change_status)}

			




	
	
	
		
 

			




	
	
	
		
 
    <script type="text/javascript">

			




	
	
	
		
 
      $(document).ready(function(){

			




	
	
	
		
 
          PullRequestAutoComplete($('#user'), $('#reviewers_container'), _USERS_AC_DATA);

			




	
	
	
		
 
          SimpleUserAutoComplete($('#owner'), $('#owner_completion_container'), _USERS_AC_DATA);

			




	
	
	
		
 

			




	
	
	
		
 
          $('.code-difftable').on('click', '.add-bubble', function(e){

			




	
	
	
		
 
              show_comment_form($(this));

			




	
	
	
		
 
          });

			




	
	
	
		
 

			




	
	
	
		
 
          var avail_jsdata = ${c.avail_jsdata|n};

			




	
	
	
		
 
          var avail_r = new BranchRenderer('avail_graph_canvas', 'updaterevs-table', 'chg_available_');

			




	
	
	
		
 
          avail_r.render(avail_jsdata,40);

			




	
	
	
		
 

			




	
	
	
		
 
          move_comments($(".comments .comments-list-chunk"));

			




	
	
	
		
 

			




	
	
	
		
 
          $('#updaterevs input').change(function(e){

			




	
	
	
		
 
              var update = !!e.target.value;

			




	
	
	
		
 
              $('#pr-form-save').prop('disabled',update);

			




	
	
	
		
 
              $('#pr-form-clone').prop('disabled',!update);

			




	
	
	
		
 
          });

			




	
	
	
		
 
          var $org_review_members = $('#review_members').clone();

			




	
	
	
		
 
          $('#pr-form-reset').click(function(e){

			




	
	
	
		
 
              $('.pr-do-edit').hide();

			




	
	
	
		
 
              $('.pr-not-edit').show();

			




	
	
	
		
 
              $('#pr-form-save').prop('disabled',false);

			




	
	
	
		
 
              $('#pr-form-clone').prop('disabled',true);

			




	
	
	
		
 
              $('#review_members').html($org_review_members);

			




	
	
	
		
 
          });

			




	
	
	
		
 

			




	
	
	
		
 
          // hack: re-navigate to target after JS is done ... if a target is set and setting href thus won't reload

			




	
	
	
		
 
          if (window.location.hash != "") {

			




	
	
	
		
 
              window.location.href = window.location.href;

			




	
	
	
		
 
          }

			




	
	
	
		
 

			




	
	
	
		
 
          $('.missing_reviewer').click(function(){

			




	
	
	
		
 
            var $this = $(this);

			




	
	
	
		
 
            addReviewMember($this.attr('user_id'), $this.attr('fname'), $this.attr('lname'), $this.attr('nname'), $this.attr('gravatar_lnk'), $this.attr('gravatar_size'));

			




	
	
	
		
 
            addReviewMember(

			




	
	
	
		
 
                $this.attr('user_id'),

			




	
	
	
		
 
                $this.attr('fname').html_escape(),

			




	
	
	
		
 
                $this.attr('lname').html_escape(),

			




	
	
	
		
 
                $this.attr('nname').html_escape(),

			




	
	
	
		
 
                $this.attr('gravatar_lnk'),

			




	
	
	
		
 
                $this.attr('gravatar_size')

			




	
	
	
		
 
            );

			




	
	
	
		
 
          });

			




	
	
	
		
 
      });

			




	
	
	
		
 
    </script>

			




	
	
	
		
 

			




	
	
	
		
 
</div>

			




	
	
	
		
 

			




	
	
	
		
 
</%def>

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.