Message-ID: <546390B1.7090903@intel.com>
Date: Wed, 12 Nov 2014 16:54:09 +0000
From: Michael Wood
To: "Damian, Alexandru"
Cc: "toaster@yoctoproject.org"
References: <1415290298-4049-1-git-send-email-michael.g.wood@intel.com> <5461F383.1070402@intel.com>
Subject: Re: [review-request][PATCH] bitbake: toaster: project use escapejs filter to avoid tag interpretation
Content-Type: text/plain; charset=utf-8; format=flowed

Yep this works for me.

Michael

On 11/11/14 17:17, Damian, Alexandru wrote:
> Agreed that this is an XSS security issue - Thank you for
> demonstrating it!
>
> I wrongly assumed that json.dumps() will HTML-escape the strings
> passed to it - apparently it lacks the option to do so, even if it's
> in the JSON spec.
>
> I have a modified patch that:
> - provides Python-to-JSON dump in a template filter
> - said template filter escapes HTML content, keeping the output
>   JSON-compatible
> - modifies all occurrences of json.dumps in views.py to use this filter
>
> In the same patch I have several other security fixes, since the XSS
> path remained open inside Angular, or for the commands sent to the server.
>
> Can you please review the patch at:
>
> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=toaster/master
>
> Cheers,
> Alex
>
> On Tue, Nov 11, 2014 at 11:31 AM, Michael Wood wrote:
>
> Hi,
>
> Valid json can contain unescaped markup tags which will break the
> javascript, e.g. if you put your project name to "Hi mum" the project
> page will interpret that.
>
> http://jsfiddle.net/uLpecL5o/
>
> The escapejs filter will escape all the correct characters; the
> resulting string of the json can then be safely parsed by the browser.
> If we want to use |safe we really need to be sure that data is
> safe, which may mean that instead we sanitise it before storing it.
>
> Oops yes, too long working with jinja2 which is based on django, got
> confused there!
>
> Michael
>
> On 07/11/14 16:52, Damian, Alexandru wrote:
>
> Hi,
>
> Hi, this is a good point you raise here - there are some
> aspects that need considering, though -
>
> the data coming in this page (e.g. prj, builds, etc..) is
> already coming as JSON, the conversion is done in the view.
> Here we mark the value as not needing any further escape
> (through the safe filter) because we know it's already a valid
> json string.
>
> json is already valid javascript code, so we don't need to
> parse it manually, the browser will interpret it as such.
>
> btw, we're not using jinja2 templating engine, we use the
> built-in django templating engine :)
>
> Cheers,
> Alex
>
> On Thu, Nov 6, 2014 at 4:11 PM, Michael Wood wrote:
>
> When passing the data from the jinja2 template to javascript make sure
> we escape and parse the JSON to avoid any invalid values being
> interpreted.
>
> Signed-off-by: Michael Wood
> ---
>  bitbake/lib/toaster/toastergui/templates/project.html | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/bitbake/lib/toaster/toastergui/templates/project.html b/bitbake/lib/toaster/toastergui/templates/project.html
> index 6a81283..00fb2b4 100644
> --- a/bitbake/lib/toaster/toastergui/templates/project.html
> +++ b/bitbake/lib/toaster/toastergui/templates/project.html
> @@ -335,13 +335,13 @@ > angular.element(document).ready(function() { > scope.urls.layers = "{% url 'layers' %}"; > scope.urls.targets = "{% url 'targets' %}"; > scope.urls.importlayer = "{% url 'importlayer'%}" > - scope.project = {{prj|safe}}; > - scope.builds = {{builds|safe}}; > - scope.layers = {{layers|safe}}; > - scope.targets = {{targets|safe}}; > - scope.frequenttargets = {{freqtargets|safe}}; > - scope.machine = {{machine|safe}}; > - scope.releases = {{releases|safe}}; > + scope.project = JSON.parse ("{{prj|escapejs}}"); > + scope.builds = JSON.parse ("{{builds|escapejs}}"); > + scope.layers = JSON.parse ("{{layers|escapejs}}"); > + scope.targets = JSON.parse ("{{targets|escapejs}}"); > + scope.frequenttargets = JSON.parse > ("{{freqtargets|escapejs}}"); > + scope.machine = JSON.parse ("{{machine|escapejs}}"); > + scope.releases = JSON.parse ("{{releases|escapejs}}"); > > scope.zone1alerts = []; > scope.zone2alerts = [];
> --
> 1.9.1
>
> --
> _______________________________________________
> toaster mailing list
> toaster@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/toaster
>
> --
> Alex Damian
> Yocto Project
> SSG / OTC
>
> ---------------------------------------------------------------------
> Intel Corporation (UK) Limited
> Registered No. 1134945 (England)
> Registered Office: Pipers Way, Swindon SN3 1RJ
> VAT No: 860 2173 47
>
> This e-mail and any attachments may contain confidential material for
> the sole use of the intended recipient(s). Any review or distribution
> by others is strictly prohibited. If you are not the intended
> recipient, please contact the sender and delete all copies.
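Review bot: the `scope.frequenttargets = JSON.parse > ("{{freqtargets|escapejs}}");` line has been wrapped by the mailer onto two lines, so the patch as posted will not apply cleanly with git am; resend with line wrapping disabled or as an attachment. On the change itself, `JSON.parse("{{x|escapejs}}")` closes the markup breakout because escapejs turns `<`, `>`, `"` and backslashes in the dumped JSON into \uXXXX escapes that the JS string literal decodes back before JSON.parse runs, but the pattern has to be repeated at every former `|safe` site (seven in this hunk), so a single filter that emits script-safe JSON, as Alex's reply proposes, would be the more robust fix. Two nits in the same hunk: the unchanged context line `scope.urls.importlayer = "{% url 'importlayer'%}"` is missing its trailing semicolon, and `JSON.parse (` carries a space before the parenthesis that `angular.element(document)` in the same hunk does not.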
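As an added illustration (not code from the thread, from Toaster or from Django), the following Python contrasts the three ways the thread discusses of placing view-side JSON into the page: the original `{{prj|safe}}`, the patch's `escapejs` plus `JSON.parse` pair, and the HTML-escaping JSON filter Alex proposes. The escape character sets, the sample project and the browser emulation are simplified assumptions, not Django's or Toaster's implementation.

```python
import json

# Constructed sample: a project name carrying markup, the case the thread
# shows breaking the page when the JSON is dropped in with {{prj|safe}}.
SAMPLE_PROJECT = {"id": 7, "name": "Hi </script><b>mum</b>"}

# Characters that can close the <script> block or alter the surrounding HTML;
# written as \uXXXX they stay valid JSON and a valid JavaScript literal.
_HTML_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
                 "\u2028": "\\u2028", "\u2029": "\\u2029"}  # JS line terminators

# Characters an escapejs-style filter rewrites (illustrative set, not Django's).
_JS_ESCAPE_CHARS = set("\\'\"<>&=-;`") | {chr(c) for c in range(32)} | {"\u2028", "\u2029"}

def json_for_script(obj):
    """Approach Alex describes: dump JSON, then HTML-escape it with
    JSON-compatible escapes so it can be emitted as a bare JS literal."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in json.dumps(obj))

def escape_js_string(text):
    """Approach in the patch: make text safe inside a double-quoted JS string
    literal, which the browser decodes before JSON.parse sees it."""
    return "".join("\\u%04x" % ord(ch) if ch in _JS_ESCAPE_CHARS else ch for ch in text)

def render_with_safe(obj):
    """What {{prj|safe}} produced: the raw JSON inline, markup and all."""
    return "scope.project = %s;" % json.dumps(obj)

def render_with_filter(obj):
    return "scope.project = %s;" % json_for_script(obj)

def render_with_escapejs(obj):
    return 'scope.project = JSON.parse("%s");' % escape_js_string(json.dumps(obj))

def breaks_out_of_script(rendered):
    """The HTML parser honours a closing script tag before any JS runs."""
    return "</script" in rendered.lower()

def decode_as_browser(rendered):
    """Emulate the browser: decode the JS string literal (its \\uXXXX escapes
    are valid JSON escapes too), then JSON.parse the result."""
    start = rendered.index('JSON.parse("') + len('JSON.parse("')
    literal = rendered[start:rendered.rindex('")')]
    return json.loads(json.loads('"%s"' % literal))

def filter_roundtrip(obj):
    """The filter output must still parse, as JSON, to the same object."""
    return json.loads(json_for_script(obj))
```

Only the `|safe` rendering still contains a literal closing script tag; both escaped forms decode back to the original object.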