Address XSS vulnerability in Data Network Creation

Add server-side validation to "name" field to prevent special characters and reduce risk of HTML/SQL injection. Introduce escapeHtml function in hosttopology.js to sanitize user input and prevent rendering of malicious tags. TEST-PLAN: 1. Log in to the StarlingX control panel as an administrator. 2. Navigate to **Admin -> Platform -> Data Networks**. 3. Click **Create Data Networks**. 4. Enter the following payload into the **Name** field: `test<script>alert(document.domain)</script>` 5. Select any **Type**. 6. Click the **Create Data Networks** button. Assert that it is not possible to create such Data Network. 7. Create the Data Network directly from CLI. 8. Log in as a different user. 9. Navigate to **Admin -> Platform -> Data Network Topology**. Observe that there is no JavaScript alert box displaying the domain. Closes-bug: 2103647 Change-Id: Ia2bd091eca6cdfdfc13b061cb895bcd5664f26e7 Signed-off-by: Davi Frossard <dbarrosf@windriver.com>
2025-04-14 16:26:35 -03:00 · 2025-04-14 16:26:35 -03:00 · 5c36699fec
commit 5c36699fec
parent 2fbdd29f0b
2 changed files with 18 additions and 7 deletions
--- a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/dashboards/admin/datanets/datanets/forms.py
+++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/dashboards/admin/datanets/datanets/forms.py
@ -33,9 +33,15 @@ LOG = logging.getLogger(__name__)


 class CreateDataNetwork(forms.SelfHandlingForm):
-    name = forms.CharField(max_length=255,
-                           label=_("Name"),
-                           required=True)
+    name = forms.RegexField(
+        label=_("Name"),
+        max_length=255,
+        required=True,
+        regex=r'^[\w\.\-]+$',
+        error_messages={
+            'invalid': _('Name may only '
+                         'contain letters, numbers, underscores, '
+                         'periods and hyphens.')})
    description = forms.CharField(max_length=255,
                                  label=_("Description"),
                                  required=False)
@ -133,9 +139,6 @@ class CreateDataNetwork(forms.SelfHandlingForm):

    def clean(self):
        cleaned_data = super(CreateDataNetwork, self).clean()
-        if len(cleaned_data['name'].lstrip()) == 0:
-            raise forms.ValidationError('invalid data network name')
-
        return cleaned_data

    def handle(self, request, data):
--- a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/static/js/horizon.hosttopology.js
+++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/static/js/horizon.hosttopology.js
@ -42,6 +42,14 @@ horizon.host_topology = {
    host_name_max_size:20,
    name_suffix:'..'
  },
+  escapeHtml:function(unsafe){
+    return unsafe
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#039;');
+  },
  init:function() {
    var self = this;
    self.$container = $(self.svg_container);
@ -329,7 +337,7 @@ horizon.host_topology = {
            .attr('href',"#")
            .attr('class',"list-group-item list-group-item-action")
            .attr("id","net-" + network.name)
-            .append(network.name)
+            .append(self.escapeHtml(network.name))
            .on('click',function(d){
              self.zoom_to(d,network);
              self.select_network(network);