Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test for XSS vulnerabilities #3081

Closed
6 tasks done
mssalvatore opened this issue Mar 9, 2023 · 0 comments
Closed
6 tasks done

Test for XSS vulnerabilities #3081

mssalvatore opened this issue Mar 9, 2023 · 0 comments
Assignees
@ilija-lazoroski
Labels
Complexity: Medium Impact: Critical Security
Milestone
v2.1.0

Comments

@mssalvatore
Copy link
Collaborator

mssalvatore commented Mar 9, 2023
edited
Loading

Description

The two main vectors for XSS attacks are plugins (via the titles/descriptions in the manifest or config schema) and an imported configuration. Verify the Island UI is safe from XSS attacks from these two vectors.

Pay special attention to any uses of dangerouslySetInnerHTML.

Tasks

  • Prove the Island UI is safe from XSS attacks if malicious plugins are loaded (0d)
    • Manifest
    • Config Schema
    • Disallow malicious plugins in the backend
  • Prove the Island UI is safe from XSS attacks if a malicious config is imported (0d)
  • Prove that other inputs are safe from XSS attacks (0d)
@ordabach ordabach mentioned this issue Mar 21, 2023
Merged
10 tasks
ordabach added a commit that referenced this issue Mar 21, 2023
@ordabach
UI: Deletion of the HtmlFieldDescription component
20bb67d 
Issue: #3081
PR: #3129
mssalvatore pushed a commit that referenced this issue Mar 21, 2023
@ordabach @mssalvatore
UI: Deletion of the HtmlFieldDescription component
fa7e27e 
Issue: #3081
PR: #3129
ordabach added a commit that referenced this issue Mar 22, 2023
@ordabach
UI: Added URI sanitization function.
55aa0d2 
Issue: #3081
PR:
@ilija-lazoroski ilija-lazoroski mentioned this issue Mar 22, 2023
Merged
9 tasks
mssalvatore pushed a commit that referenced this issue Mar 22, 2023
@ilija-lazoroski @mssalvatore
Common: Add HttpUrl validator to AgentPluginManifest.link_to_document…
66d32a2 
…ation

Issue #3081
PR #3135
mssalvatore pushed a commit that referenced this issue Mar 22, 2023
@ilija-lazoroski @mssalvatore
Common: Add HttpUrl validator to AgentPluginManifest.link_to_document…
315326e 
…ation

Issue #3081
PR #3135
ordabach added a commit that referenced this issue Mar 22, 2023
@ordabach
UI:
b46d357 
Freeze regex objects of uri validation
Added new unwanted chars and bad prefix

Issue: #3081
PR:
ordabach added a commit that referenced this issue Mar 23, 2023
@ordabach
UI:
09a8f50 
Removed the ftps option from the uri sanitizer

Issue: #3081
PR:
ordabach added a commit that referenced this issue Mar 23, 2023
@ordabach
UI: Added back the functionality of links to be opened in new tab.
3bb6360 
Issue: #3081
PR:
@ordabach ordabach mentioned this issue Mar 23, 2023
Merged
10 tasks
ilija-lazoroski added a commit that referenced this issue Mar 23, 2023
@ilija-lazoroski
Common: Add HttpUrl validator to AgentPluginManifest.link_to_document…
db5c81e 
…ation

Issue #3081
PR #3135
ilija-lazoroski pushed a commit that referenced this issue Mar 23, 2023
@ordabach @ilija-lazoroski
UI: Added URI sanitization function.
4ad8a2f 
Issue: #3081
PR:
mssalvatore added a commit that referenced this issue Mar 23, 2023
@mssalvatore
Merge branch '3081-uri-sanitization' into develop
e93a111 
Issue #3081
PR #3136
mssalvatore added a commit that referenced this issue Mar 28, 2023
@mssalvatore
Changelog: Add an entry for #3081
c10ec13
@mssalvatore mssalvatore added this to the v2.1.0 milestone Mar 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ilija-lazoroski ilija-lazoroski

Labels
Complexity: Medium Impact: Critical Security
Projects
None yet
Milestone
v2.1.0
Development

No branches or pull requests
2 participants
@ilija-lazoroski @mssalvatore