properly escape session and acl data in UI (#2456)

* update libv8 gem to something that compiles

* properly escape session and acl data in UI

fixes an XSS vulnerability caused by the sessionName, sessionMeta, and aclName helpers blindly returning data as Handlebars.SafeStrings
Blake Walters 2016-10-31 19:16:43 -06:00 committed by James Phillips
parent e1f8a41a35
commit c3109072f5
2 changed files with 9 additions and 6 deletions


@ -3,7 +3,7 @@ GEM
specs:
execjs (2.3.0)
json (1.8.2)
libv8 (3.16.14.7)
libv8 (3.16.14.15)
ref (1.0.5)
sass (3.4.11)
therubyracer (0.12.1)
@ -20,3 +20,6 @@ DEPENDENCIES
sass
therubyracer
uglifier
BUNDLED WITH
1.12.5


@ -24,19 +24,19 @@ Ember.Handlebars.helper('sessionName', function(session) {
var name;
if (session.Name === "") {
name = '<span>' + session.ID + '</span>';
name = '<span>' + Handlebars.Utils.escapeExpression(session.ID) + '</span>';
} else {
name = '<span>' + session.Name + '</span>' + ' <small>' + session.ID + '</small>';
name = '<span>' + Handlebars.Utils.escapeExpression(session.Name) + '</span>' + ' <small>' + Handlebars.Utils.escapeExpression(session.ID) + '</small>';
}
return new Handlebars.SafeString(name);
});
Ember.Handlebars.helper('sessionMeta', function(session) {
var meta = '<div class="metadata">' + session.Behavior + ' behavior</div>';
var meta = '<div class="metadata">' + Handlebars.Utils.escapeExpression(session.Behavior) + ' behavior</div>';
if (session.TTL !== "") {
meta = meta + '<div class="metadata">, ' + session.TTL + ' TTL</div>';
meta = meta + '<div class="metadata">, ' + Handlebars.Utils.escapeExpression(session.TTL) + ' TTL</div>';
}
return new Handlebars.SafeString(meta);
@ -46,7 +46,7 @@ Ember.Handlebars.helper('aclName', function(name, id) {
if (name === "") {
return id;
} else {
return new Handlebars.SafeString(name + ' <small class="pull-right no-case">' + id + '</small>');
return new Handlebars.SafeString(Handlebars.Utils.escapeExpression(name) + ' <small class="pull-right no-case">' + Handlebars.Utils.escapeExpression(id) + '</small>');
}
});
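Review bot: The escaping is applied field by field in all three helpers while each still returns a `Handlebars.SafeString`, so any value spliced into these strings in a later change is unescaped by default; a one-line comment above each helper, such as `// Returned as SafeString: every interpolated field must go through escapeExpression.`, would make that contract visible at the point where it matters. The seven repeated `Handlebars.Utils.escapeExpression(...)` calls would read better through a file-level alias, e.g. `var escapeHtml = Handlebars.Utils.escapeExpression;`, which also makes a missed field easier to spot in review. Note that `escapeExpression` appears to pass a value that is already a SafeString through unchanged, so the fix only holds while `session.ID`, `session.Name`, `session.Behavior`, `session.TTL` and the ACL `name`/`id` arrive as plain strings; I cannot confirm their origin from this hunk. The `sessionMeta` helper's closing `});` lies outside the first hunk, and the `aclName` helper's signature is visible only in the second hunk's header.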