Bug #24807
Status: Closed
CVE-2018-16861 - toast notification sends strings through as HTML
Description
If you call `Notification.setErrorMessage()` with a string that contains `<` and `>`, the string will get sent through to the browser and the browser will attempt to render it as HTML.
For example, it's possible to get Pulp to raise an error message like "The configuration parameter <foo> is not valid". This will display in the browser as "The configuration parameter is not valid".
It would be better if the notification escaped these strings so the "<>" is not lost.
Updated by John Mitsch over 6 years ago
I think this is related to the dangerouslySetInnerHtml prop here https://github.com/theforeman/foreman/blob/develop/webpack/assets/javascripts/react_app/components/common/Alert/AlertBody.js#L13
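The following is an added example, not code from the Foreman project or from anyone in this thread. It reproduces the behaviour the description and the comment above point at: a toast message string that is injected as raw markup (the effect of rendering through the React prop named above) loses the `<foo>` token, while escaping the string first preserves it and also neutralises a tag-bearing payload. The function names `escapeHtml`, `unsafeAlertBody`, `safeAlertBody` and `visibleText` are this example's own, and `visibleText` is only a rough stand-in for what a browser would display.

```javascript
// Added example, not Foreman code: why a toast message injected as raw HTML
// loses "<foo>", and how escaping before rendering fixes it.

// Minimal HTML escaping (same effect as Rails' html_escape / ERB's h()).
function escapeHtml(str) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// What a component that sets inner HTML from the message effectively does:
// the string becomes markup without any escaping.
function unsafeAlertBody(message) {
  return `<div class="alert-body">${message}</div>`;
}

// Hardened variant: escape before the string ever becomes markup.
function safeAlertBody(message) {
  return `<div class="alert-body">${escapeHtml(message)}</div>`;
}

// Rough approximation of the text a browser would show for the markup:
// anything parsed as a tag disappears, entity references are decoded back.
// (A real HTML parser is more involved; this is enough to show the point.)
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Constructed sample inputs: the message from the bug report, and a
// tag-bearing string of the kind the escaping is meant to neutralise.
const reportedMessage = 'The configuration parameter <foo> is not valid';
const tagPayload = 'bad value: <img src=x onerror=alert(1)>';

console.log(visibleText(unsafeAlertBody(reportedMessage)));
// "The configuration parameter  is not valid"  (<foo> swallowed as a tag)
console.log(visibleText(safeAlertBody(reportedMessage)));
// "The configuration parameter <foo> is not valid"
console.log(safeAlertBody(tagPayload).includes('<img'));
// false: the payload is rendered as literal text, not as an element
```

Escaping has to happen at the point where the string becomes markup; escaping on the server, as the core flash helpers do, protects only the notifications created through those helpers.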
Updated by Tomer Brisker over 6 years ago
- Category set to Security
- Assignee set to Avi Sharvit
- Priority changed from Normal to High
Updated by Tomer Brisker over 6 years ago
- Found in Releases 1.16.0, 1.16.0-RC1, 1.16.0-RC2, 1.16.1, 1.16.2, 1.17.0, 1.17.0-RC1, 1.17.0-RC2, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.18.0, 1.18.0-RC1, 1.18.0-RC2, 1.18.0-RC3, 1.18.1, 1.18.2, 1.19.0, 1.19.0-RC1, 1.19.0-RC2, 1.19.0-RC3 added
This was introduced in https://github.com/theforeman/foreman/commit/68cd4bba826df1e155445bf10a7fc2cb186c9d82 which is in 1.16.0 or newer. On the server side, when using the foreman core functions for toast notifications, the messages are escaped: https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/flash.rb#L67 therefore this could only be exploited from creating a toast notification in a different manner.
Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/6041 added
Updated by Tomer Brisker over 6 years ago
- Fixed in Releases 1.19.1, 1.20.0 added
Foreman core helpers already escape messages before passing them on to the notifications, and therefore this isn't a significant risk of XSS here, but we fixed it just to be on the safe side.
Updated by Avi Sharvit over 6 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 744091c54261b892306b0f0e8dc0ea8d593515fa.
Updated by The Foreman Bot over 6 years ago
- Pull request https://github.com/theforeman/foreman/pull/6060 added
Updated by Ohad Levy over 6 years ago
- Related to Bug #25230: compute resource test connection is html incorrectly escaped added
Updated by Tomer Brisker about 6 years ago
- Subject changed from toast notification sends strings through as HTML to CVE-2018-16861 - toast notification sends strings through as HTML