Revision f5576998
Added by Tomer Brisker over 8 years ago
app/helpers/common_parameters_helper.rb | ||
def parameter_value_field(value)
source_name = value[:source_name] ? "(#{value[:source_name]})" : nil
popover_tag = popover('', _("<b>Source:</b> %{type} %{name}") % { :type => _(value[:source].to_s), :name => source_name }, :data => { :placement => 'top' })
popover_tag = popover('', _("<b>Source:</b> %{type} %{name}") % { :type => _(value[:source].to_s), :name => html_escape(source_name) }, :data => { :placement => 'top' })
parameter_value_content("value_#{value[:safe_value]}", value[:safe_value], :popover => popover_tag)
end
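Review bot: `:type => _(value[:source].to_s)` on the new `popover` line is still interpolated into the HTML popover body without `html_escape`, while `:name` now is. The source kind looks like an internal value rather than user input, so it is probably harmless today, but wrapping it too (`:type => html_escape(_(value[:source].to_s))`) keeps the whole format call uniformly escaped and avoids re-auditing it when new source kinds are added. `html_escape(nil)` yields an empty string, so the `nil` branch of `source_name` renders as before. A one-line comment above the call would help the next reader: `# popover renders its body as HTML, so every user-controlled fragment must be escaped before interpolation`.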
app/helpers/lookup_keys_helper.rb | ||
def hostgroup_key_with_diagnostic(hostgroup, key)
value, origin = hostgroup.inherited_lookup_value key
original_value = key.value_before_type_cast value
diagnostic_helper = popover('', _("<b>Description:</b> %{desc}<br><b>Type:</b> %{type}<br> <b>Matcher:</b> %{matcher}") % { :desc => key.description, :type => key.key_type, :matcher => origin}, :data => { :placement => 'top' })
diagnostic_helper = popover('', _("<b>Description:</b> %{desc}<br><b>Type:</b> %{type}<br> <b>Matcher:</b> %{matcher}") % { :desc => html_escape(key.description), :type => key.key_type, :matcher => html_escape(origin)}, :data => { :placement => 'top' })
parameter_value_content("value_#{key.key}", original_value, :popover => diagnostic_helper)
end
... | ... | |
if no_value
if key.required
diagnostic_class = 'error'
diagnostic_helper = popover('', _("Required parameter without value.<br/><b>Please override!</b> <br><br><b>Description:</b>: %s") % key.description, :icon => "exclamation-sign")
diagnostic_helper = popover('', _("Required parameter without value.<br/><b>Please override!</b> <br><br><b>Description:</b>: %s") % html_escape(key.description), :icon => "exclamation-sign")
else
diagnostic_class = 'warning'
diagnostic_helper = popover('', _("Optional parameter without value.<br/><i>Won\'t be given to Puppet.</i> <br><br><b>Description:</b> %s") % key.description, :icon => "warning-sign")
diagnostic_helper = popover('', _("Optional parameter without value.<br/><i>Won\'t be given to Puppet.</i> <br><br><b>Description:</b> %s") % html_escape(key.description), :icon => "warning-sign")
end
else
diagnostic_helper = popover('', _("<b>Description:</b> %{desc}<br><b>Type:</b> %{type}<br> <b>Matcher:</b> %{matcher}") % { :desc => key.description, :type => key.key_type, :matcher => matcher}, :data => { :placement => 'top' })
diagnostic_helper = popover('', _("<b>Description:</b> %{desc}<br><b>Type:</b> %{type}<br> <b>Matcher:</b> %{matcher}") % { :desc => html_escape(key.description), :type => key.key_type, :matcher => html_escape(matcher)}, :data => { :placement => 'top' })
end
text_area_class = "override-param" if key.overridden?(host)
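Review bot: The description/type/matcher popover is now built by hand in two places (the new line in `hostgroup_key_with_diagnostic` and the `else` branch of the second hunk) with the same format string and the same per-field `html_escape` calls, so the escaping has to be remembered twice; a small helper that owns the format string and the escaping makes it impossible for a later edit to miss one. `key.key_type` is the only field still interpolated unescaped; it presumably comes from a fixed list of types, but escaping it in the helper costs nothing and keeps the body uniformly safe. The method that contains the second hunk (`if no_value` … `text_area_class = …`) starts and ends outside the hunk, so its `else` branch would just call the helper.
```ruby
def hostgroup_key_with_diagnostic(hostgroup, key)
  value, origin = hostgroup.inherited_lookup_value key
  original_value = key.value_before_type_cast value
  parameter_value_content("value_#{key.key}", original_value, :popover => key_diagnostic_popover(key, origin))
end

# Builds the description/type/matcher popover. popover renders its body as HTML,
# so every user-editable field is escaped here, in one place.
def key_diagnostic_popover(key, matcher)
  popover('',
          _("<b>Description:</b> %{desc}<br><b>Type:</b> %{type}<br> <b>Matcher:</b> %{matcher}") %
            { :desc => html_escape(key.description), :type => html_escape(key.key_type), :matcher => html_escape(matcher) },
          :data => { :placement => 'top' })
end

# … unchanged: second hunk, except its else branch becomes …
#   diagnostic_helper = key_diagnostic_popover(key, matcher)
```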
test/functional/hosts_controller_test.rb | ||
assert Host.find(@host1.id).host_parameters[0][:value] == "hello"
assert Host.find(@host2.id).host_parameters[0][:value] == "hello"
end
test "parameter details should be html escaped" do
hg = FactoryGirl.create(:hostgroup, :name => "<script>alert('hacked')</script>")
host = FactoryGirl.create(:host, :with_puppetclass, :hostgroup => hg)
FactoryGirl.create(:puppetclass_lookup_key, :as_smart_class_param,
:override => true, :key_type => 'string',
:default_value => "<script>alert('hacked!');</script>",
:description => "<script>alert('hacked!');</script>",
:puppetclass => host.puppetclasses.first)
FactoryGirl.create(:hostgroup_parameter, :hostgroup => hg)
get :edit, {:id => host.name}, set_session_user
refute response.body.include?("<script>alert(")
assert response.body.include?("<script>alert(")
assert_equal 2, response.body.scan("<script>alert(").size
assert_equal 2, response.body.scan("&lt;script&gt;alert(").size
end
test "should get errors" do
get :errors, {}, set_session_user
assert_response :success
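Review bot: The new test's expectations for the raw payload are hard to read from this page: both `refute response.body.include?("<script>alert(")` and `assert response.body.include?("<script>alert(")` appear and the rendered view does not show which one survives. If the new side keeps the `assert` together with `assert_equal 2, response.body.scan("<script>alert(").size`, the test pins the unescaped payload appearing exactly twice, which reads like the bug being asserted unless those two occurrences are known to come from an already-safe context; a comment naming where they come from (and a `refute` of the raw form inside the popover markup specifically) would stop a later "fix" from silently breaking the test. The hard-coded counts of 2 also couple the test to how many times the description is rendered on the edit form, so a short comment on what the two escaped occurrences are would help, or `assert_select` on the popover container instead of substring counts over the whole body.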
Fixes #12611 - CVE-2015-7518 prevent XSS on host edit form
The host edit form allowed stored XSS: HTML content stored in a smart class
parameter or smart variable description, or in inherited values, was passed
unescaped to an HTML-allowing popover.
This patch makes sure these user-controlled strings are correctly
escaped before being inserted into the popover.
(cherry picked from commit 32468bce938067b1bbde1c2025771b5b83ce88ec)