Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sanitize CI #385

Closed
wants to merge 4 commits into from
Closed
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 11 additions & 11 deletions frontend/js/ci.js
Original file line number Diff line number Diff line change
Expand Up @@ -254,13 +254,13 @@ const displayCITable = (runs, url_params) => {
const label = el[4]
const duration = el[7]

li_node.innerHTML = `<td class="td-index">${value}</td>\
<td class="td-index">${label}</td>\
<td class="td-index">${run_link_node}</td>\
<td class="td-index"><span title="${created_at}">${dateToYMD(new Date(created_at))}</span></td>\
<td class="td-index" ${tooltip}>${short_hash}</td>\
<td class="td-index">${cpu}</td>\
<td class="td-index">${duration} seconds</td>`;
li_node.innerHTML = `<td class="td-index">${sanitize(value)}</td>\
<td class="td-index">${sanitize(label)}</td>\
<td class="td-index">${sanitize(run_link_node)}</td>\
<td class="td-index"><span title="${sanitize(created_at)}">${dateToYMD(new Date(sanitize(created_at)))}</span></td>\
<td class="td-index" ${sanitize(tooltip)}>${sanitize(short_hash)}</td>\
<td class="td-index">${sanitize(cpu)}</td>\
<td class="td-index">${sanitize(duration)} seconds</td>`;
document.querySelector("#ci-table").appendChild(li_node);
});
$('table').tablesort();
Expand Down Expand Up @@ -318,16 +318,16 @@ $(document).ready((e) => {
let repo_link = ''

if(badges_data.data[0][8] == 'github') {
repo_link = `https://github.com/${url_params.get('repo')}`;
repo_link = `https://github.com/${sanitize(url_params.get('repo'))}`;
}
else if(badges_data.data[0][8] == 'gitlab') {
repo_link = `https://gitlab.com/${url_params.get('repo')}`;
repo_link = `https://gitlab.com/${sanitize(url_params.get('repo'))}`;
}
//${repo_link}
const repo_link_node = `<a href="${repo_link}" target="_blank">${url_params.get('repo')}</a>`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is url_params.get('repo') not sanitzed here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missed. Fixed in last commit

document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `<tr><td><strong>Repository:</strong></td><td>${repo_link_node}</td></tr>`)
document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `<tr><td><strong>Branch:</strong></td><td>${url_params.get('branch')}</td></tr>`)
document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `<tr><td><strong>Workflow:</strong></td><td>${url_params.get('workflow')}</td></tr>`)
document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `<tr><td><strong>Branch:</strong></td><td>${sanitize(url_params.get('branch'))}</td></tr>`)
document.querySelector('#ci-data').insertAdjacentHTML('afterbegin', `<tr><td><strong>Workflow:</strong></td><td>${sanitize(url_params.get('workflow'))}</td></tr>`)

displayCITable(badges_data.data, url_params);
chart_instance = displayGraph(badges_data.data)
Expand Down
12 changes: 12 additions & 0 deletions frontend/js/helpers/main.js
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,18 @@ class GMTMenu extends HTMLElement {
}
customElements.define('gmt-menu', GMTMenu);

function sanitize(string) {
const map = {
'&': '&amp;',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#x27;'
};
const reg = /[&<>"']/ig;
return string.replace(reg, (match) => map[match]);
}

const replaceRepoIcon = (uri) => {
if (uri.startsWith("https://www.github.com") || uri.startsWith("https://github.com")) {
uri = uri.replace("https://www.github.com", '<i class="icon github"></i>');
Expand Down
2 changes: 1 addition & 1 deletion frontend/js/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ const compareButton = () => {
checkedBoxes.forEach(checkbox => {
link = `${link}${checkbox.value},`;
});
window.location = link.substr(0,link.length-1);
window.location = encodeURIComponent(link.substr(0, link.length - 1));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this supposed to do? Which part of the checkboxes is supposed to be malicious?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't honestly understand the vulnerability here, but this was the recommendation on how to resolve it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a link?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was a ChatGPT suggestion:

To fix the warning about DOM text being reinterpreted as HTML without escaping meta-characters, you need to properly escape the text before assigning it to window.location. You can use the encodeURIComponent function to achieve this. Here's an updated version of the code:

window.location = encodeURIComponent(link.substr(0, link.length - 1));

By using encodeURIComponent, you ensure that any special characters in the link string are properly encoded, preventing any unintended interpretation as HTML meta-characters.

However, please note that directly manipulating window.location like this can have security implications. It's important to ensure that the link variable contains a trusted URL and to validate it before using it in this context.

}
const updateCompareCount = () => {
const countButton = document.getElementById('compare-button');
Expand Down