From 5c36699fec8a746f115292499d8ff7347b2b7783 Mon Sep 17 00:00:00 2001
From: Davi Frossard
Date: Mon, 14 Apr 2025 16:26:35 -0300
Subject: [PATCH] Address XSS vulnerability in Data Network Creation

Add server-side validation to "name" field to prevent special characters and reduce risk of HTML/SQL injection.

Introduce escapeHtml function in hosttopology.js to sanitize user input and prevent rendering of malicious tags.

TEST-PLAN:
1. Log in to the StarlingX control panel as an administrator.
2. Navigate to **Admin -> Platform -> Data Networks**.
3. Click **Create Data Networks**.
4. Enter the following payload into the **Name** field: `test`
5. Select any **Type**.
6. Click the **Create Data Networks** button.
Assert that it is not possible to create such Data Network.
7. Create the Data Network directly from CLI.
8. Log in as a different user.
9. Navigate to **Admin -> Platform -> Data Network Topology**.
Observe that there is no JavaScript alert box displaying the domain.

Closes-bug: 2103647
Change-Id: Ia2bd091eca6cdfdfc13b061cb895bcd5664f26e7
Signed-off-by: Davi Frossard
---
 .../dashboards/admin/datanets/datanets/forms.py | 15 +++++++++------
 .../static/js/horizon.hosttopology.js | 10 +++++++++-
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/dashboards/admin/datanets/datanets/forms.py b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/dashboards/admin/datanets/datanets/forms.py
index 970cb4c4..a0a40fa5 100644
--- a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/dashboards/admin/datanets/datanets/forms.py
+++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/dashboards/admin/datanets/datanets/forms.py
@@ -33,9 +33,15 @@ LOG = logging.getLogger(__name__)
 
 
 class CreateDataNetwork(forms.SelfHandlingForm):
-    name = forms.CharField(max_length=255,
-                           label=_("Name"),
-                           required=True)
+    name = forms.RegexField(
+        label=_("Name"),
+        max_length=255,
+        required=True,
+        regex=r'^[\w\.\-]+$',
+        error_messages={
+            'invalid': _('Name may only '
+                         'contain letters, numbers, underscores, '
+                         'periods and hyphens.')})
     description = forms.CharField(max_length=255,
                                   label=_("Description"),
                                   required=False)
@@ -133,9 +139,6 @@ class CreateDataNetwork(forms.SelfHandlingForm):
 
     def clean(self):
         cleaned_data = super(CreateDataNetwork, self).clean()
-        if len(cleaned_data['name'].lstrip()) == 0:
-            raise forms.ValidationError('invalid data network name')
-
         return cleaned_data
 
     def handle(self, request, data):
diff --git a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/static/js/horizon.hosttopology.js b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/static/js/horizon.hosttopology.js
index b47ee774..af33a208 100644
--- a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/static/js/horizon.hosttopology.js
+++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/static/js/horizon.hosttopology.js
@@ -42,6 +42,14 @@ horizon.host_topology = {
     host_name_max_size:20,
     name_suffix:'..'
   },
+  escapeHtml:function(unsafe){
+    return unsafe
+      .replace(/&/g, '&')
+      .replace(//g, '>')
+      .replace(/"/g, '"')
+      .replace(/'/g, ''');
+  },
   init:function() {
     var self = this;
     self.$container = $(self.svg_container);
@@ -329,7 +337,7 @@ horizon.host_topology = {
         .attr('href',"#")
         .attr('class',"list-group-item list-group-item-action")
         .attr("id","net-" + network.name)
-        .append(network.name)
+        .append(self.escapeHtml(network.name))
         .on('click',function(d){
           self.zoom_to(d,network);
           self.select_network(network);
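Review bot: The allowlist regex on the new `name` field is sound hardening but it is not the XSS fix the subject line claims — the commit's own test plan creates the same network from the CLI, so any name the backend accepts still reaches the topology page and only the output-side escaping in hosttopology.js closes the bug; a comment above the field such as `# Defence in depth only: names created via the API/CLI bypass this form, so the topology view must still escape on output.` would stop the next maintainer from treating this filter as the security boundary. On the pattern itself, `$` also matches before a trailing newline, so `regex=r'\A[\w.-]+\Z'` is the tighter anchor (harmless today because CharField strips surrounding whitespace by default, but cheap to make explicit), and `\w` is Unicode-aware in Python 3, so non-ASCII letters pass — consistent with the error message, but worth confirming against what sysinv itself accepts so the dashboard does not reject names the CLI allows. The `description` context line below stays unvalidated; whether it is escaped where it is rendered is not visible here. The class body continues past the hunk.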
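Review bot: `.append(self.escapeHtml(network.name))` fixes the injection by pre-escaping a string that is then still parsed as markup; if this chain is jQuery — which the alert box in the bug report implies, since a DOM `.append()` of a text string would not execute — the more robust and idiomatic form is `.text(network.name)`, which hands the name to the DOM as a text node and needs no escaping table at all. If the hand-rolled `escapeHtml` is kept, the replacement strings as rendered on this page look garbled (`'&'` mapped to itself, an empty `//g` pattern), so confirm the committed source has the five entity replacements `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#039;`, and coerce first with `return String(unsafe)` so an undefined or numeric name does not throw on `.replace`. The context line `.attr("id","net-" + network.name)` still interpolates the raw name — setAttribute does not parse HTML so it is not an injection vector, but quotes or spaces in a name will break any later `$('#net-' + name)` selector lookup, which is not visible in this hunk. The enclosing `horizon.host_topology` object starts and ends outside the hunk.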