kallithea Changeset - ddad3be4dc44

Changeset - ddad3be4dc44

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Thomas De Schampheleire - 7 years ago 2019-04-19 20:54:46
thomas.de_schampheleire@nokia.com

changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.

1 file changed with 1 insertions and 1 deletions:

kallithea/public/js/base.js

0 comments (0 inline, 0 general)

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -1304,206 +1304,206 @@ var PullRequestAutoComplete = function ( @@
 function addPermAction(perm_type) {
     var template =
         '<td><input type="radio" value="{1}.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.read" checked="checked" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td>' +
                 '<input class="form-control" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text" placeholder="{2}">' +
                 '<input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">' +
         '</td>' +
         '<td></td>';
     var $last_node = $('.last_new_member').last(); // empty tr between last and add
     var next_id = $('.new_members').length;
     $last_node.before($('<tr class="new_members">').append(template.format(next_id, perm_type, _TM['Type name of user or member to grant permission'])));
     MembersAutoComplete($("#perm_new_member_name_"+next_id), $("#perm_new_member_type_"+next_id));
+}
 function ajaxActionRevokePermission(url, obj_id, obj_type, field_id, extra_data) {
     var success = function (o) {
             $('#' + field_id).remove();
         };
     var failure = function (o) {
             alert(_TM['Failed to revoke permission'] + ": " + o.status);
         };
     var query_params = {};
     // put extra data into POST
     if (extra_data !== undefined && (typeof extra_data === 'object')){
         for(var k in extra_data){
             query_params[k] = extra_data[k];
+        }
+    }
     if (obj_type=='user'){
         query_params['user_id'] = obj_id;
         query_params['obj_type'] = 'user';
+    }
     else if (obj_type=='user_group'){
         query_params['user_group_id'] = obj_id;
         query_params['obj_type'] = 'user_group';
+    }
     ajaxPOST(url, query_params, success, failure);
 };
 /* Multi selectors */
 var MultiSelectWidget = function(selected_id, available_id, form_id){
     var $availableselect = $('#' + available_id);
     var $selectedselect = $('#' + selected_id);
     //fill available only with those not in selected
     var $selectedoptions = $selectedselect.children('option');
     $availableselect.children('option').filter(function(i, e){
             for(var j = 0, node; node = $selectedoptions[j]; j++){
                 if(node.value == e.value){
                     return true;
+                }
+            }
             return false;
         }).remove();
     $('#add_element').click(function(e){
             $selectedselect.append($availableselect.children('option:selected'));
         });
     $('#remove_element').click(function(e){
             $availableselect.append($selectedselect.children('option:selected'));
         });
     $('#'+form_id).submit(function(){
             $selectedselect.children('option').each(function(i, e){
                 e.selected = 'selected';
             });
         });
+}
 /**
  Branch Sorting callback for select2, modifying the filtered result so prefix
  matches come before matches in the line.
  **/
 var branchSort = function(results, container, query) {
     if (query.term) {
         return results.sort(function (a, b) {
             // Put closed branches after open ones (a bit of a hack ...)
             var aClosed = a.text.indexOf("(closed)") > -1,
                 bClosed = b.text.indexOf("(closed)") > -1;
             if (aClosed && !bClosed) {
                 return 1;
+            }
             if (bClosed && !aClosed) {
                 return -1;
+            }
             // Put early (especially prefix) matches before later matches
             var aPos = a.text.toLowerCase().indexOf(query.term.toLowerCase()),
                 bPos = b.text.toLowerCase().indexOf(query.term.toLowerCase());
             if (aPos < bPos) {
                 return -1;
+            }
             if (bPos < aPos) {
                 return 1;
+            }
             // Default sorting
             if (a.text > b.text) {
                 return 1;
+            }
             if (a.text < b.text) {
                 return -1;
+            }
             return 0;
         });
+    }
     return results;
 };
 var prefixFirstSort = function(results, container, query) {
     if (query.term) {
         return results.sort(function (a, b) {
             // if parent node, no sorting
             if (a.children != undefined || b.children != undefined) {
                 return 0;
+            }
             // Put prefix matches before matches in the line
             var aPos = a.text.toLowerCase().indexOf(query.term.toLowerCase()),
                 bPos = b.text.toLowerCase().indexOf(query.term.toLowerCase());
             if (aPos === 0 && bPos !== 0) {
                 return -1;
+            }
             if (bPos === 0 && aPos !== 0) {
                 return 1;
+            }
             // Default sorting
             if (a.text > b.text) {
                 return 1;
+            }
             if (a.text < b.text) {
                 return -1;
+            }
             return 0;
         });
+    }
     return results;
 };
 /* Helper for jQuery DataTables */
 var updateRowCountCallback = function updateRowCountCallback($elem, onlyDisplayed) {
     return function drawCallback() {
         var info = this.api().page.info(),
             count = onlyDisplayed === true ? info.recordsDisplay : info.recordsTotal;
         $elem.html(count);
+    }
 };
 /**
  * activate changeset parent/child navigation links
  */
 var activate_parent_child_links = function(){
     $('.parent-child-link').on('click', function(e){
         var $this = $(this);
         //fetch via ajax what is going to be the next link, if we have
         //>1 links show them to user to choose
         if(!$this.hasClass('disabled')){
             $.ajax({
                 url: $this.data('ajax-url'),
                 success: function(data) {
                     var repo_name = $this.data('reponame');
                     if(data.results.length === 0){
                         $this.addClass('disabled');
                         $this.text(_TM['No revisions']);
+                    }
                     if(data.results.length === 1){
                         var commit = data.results[0];
                         window.location = pyroutes.url('changeset_home', {'repo_name': repo_name, 'revision': commit.raw_id});
+                    }
                     else if(data.results.length > 1){
                         $this.addClass('disabled');
                         $this.addClass('double');
                         var template =
                             ($this.data('linktype') == 'parent' ? '<i class="icon-left-open"/> ' : '') +
                             '<a title="__title__" href="__url__">__rev__</a>' +
                             ($this.data('linktype') == 'child' ? ' <i class="icon-right-open"/>' : '');
                         var _html = [];
                         for(var i = 0; i < data.results.length; i++){
                             _html.push(template
                                 .replace('__rev__', 'r{0}:{1}'.format(data.results[i].revision, data.results[i].raw_id.substr(0, 6)))
                                 .replace('__title__', data.results[i].message)
+                                .replace('__title__', data.results[i].message.html_escape())
                                 .replace('__url__', pyroutes.url('changeset_home', {
                                     'repo_name': repo_name,
                                     'revision': data.results[i].raw_id}))
                                 );
+                        }
                         $this.html(_html.join('<br/>'));
+                    }
+                }
             });
         e.preventDefault();
+        }
     });
+}

0 comments (0 inline, 0 general)