Files @ 9beef1d91c4c
Branch filter:

Location: kallithea/init.d/kallithea-daemon-arch

9beef1d91c4c 1.3 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when adding rogue users as reviewers on a PR.

To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/bin/bash
###########################################
#### THIS IS AN ARCH LINUX RC.D SCRIPT ####
###########################################

. /etc/rc.conf
. /etc/rc.d/functions

DAEMON=kallithea
APP_HOMEDIR="/srv"
APP_PATH="$APP_HOMEDIR/$DAEMON"
CONF_NAME="production.ini"
LOG_FILE="/var/log/$DAEMON.log"
PID_FILE="/run/daemons/$DAEMON"
APPL=/usr/bin/gearbox
RUN_AS="*****"

ARGS="serve --daemon \
--user=$RUN_AS \
--group=$RUN_AS \
--pid-file=$PID_FILE \
--log-file=$LOG_FILE \
-c $APP_PATH/$CONF_NAME"

[ -r /etc/conf.d/$DAEMON ] && . /etc/conf.d/$DAEMON

if [[ -r $PID_FILE ]]; then
    read -r PID < "$PID_FILE"
    if [[ $PID && ! -d /proc/$PID ]]; then
        unset PID
        rm_daemon $DAEMON
    fi
fi

case "$1" in
start)
    stat_busy "Starting $DAEMON"
    export HOME=$APP_PATH
    [ -z "$PID" ] && $APPL $ARGS &>/dev/null
    if [ $? = 0 ]; then
        add_daemon $DAEMON
        stat_done
    else
        stat_fail
        exit 1
    fi
    ;;
stop)
    stat_busy "Stopping $DAEMON"
    [ -n "$PID" ] && kill $PID &>/dev/null
    if [ $? = 0 ]; then
        rm_daemon $DAEMON
        stat_done
    else
        stat_fail
        exit 1
    fi
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
status)
    stat_busy "Checking $name status";
    ck_status $name
    ;;
*)
    echo "usage: $0 {start|stop|restart|status}"
esac
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.