Bug #24807

toast notification sends strings through as HTML

Added by Chris Duryee 3 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
-

Description

If you call `Notification.setErrorMessage()` with a string that contains `<` and `>`, the string will get sent through to the browser and the browser will attempt to render it as HTML.

For example, it's possible to get Pulp to raise an error message like "The configuration parameter <foo> is not valid". This will display in the browser as "The configuration parameter is not valid".

It would be better if the notification escaped these strings so the "<>" is not lost.
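
The behaviour described above, as an added example that is not Foreman's code and not the fix committed for this bug: a toast renderer that splices the message into markup loses `<foo>` because the browser parses it as a tag, while escaping the message first keeps it visible. The toast markup, the helper names (`escapeHtml`, `renderToastUnsafe`, `renderToastSafe`, `visibleText`) and the sample message are assumptions made for this illustration.

```javascript
// Added example, not code from Foreman. Helper names, toast markup and the
// sample message are assumptions for illustration only.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable pattern: the message is interpolated into markup untouched, so
// anything that looks like a tag is parsed as one instead of being displayed.
function renderToastUnsafe(message) {
  return `<div class="toast toast-error">${message}</div>`;
}

// Fixed pattern: escape before rendering, so "<foo>" reaches the user as text
// and cannot introduce elements or attributes of its own.
function renderToastSafe(message) {
  return `<div class="toast toast-error">${escapeHtml(message)}</div>`;
}

// Crude approximation of what a browser shows for an HTML fragment: tags are
// dropped, entities are decoded (&amp; last, so "&amp;lt;" stays "&lt;"),
// and runs of whitespace collapse. Enough to show the difference.
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&')
    .replace(/\s+/g, ' ')
    .trim();
}

// Constructed sample message, taken from the wording in the bug report.
const sampleMessage = 'The configuration parameter <foo> is not valid';

// Returns what the user would see under each rendering strategy.
function demo(message = sampleMessage) {
  return {
    unsafe: visibleText(renderToastUnsafe(message)),
    safe: visibleText(renderToastSafe(message)),
  };
}

console.log(demo());
```

Running the block prints the unescaped variant with `<foo>` gone and the escaped variant with the full sentence intact; the same `escapeHtml` step is what stops a message containing markup from being interpreted as markup at all.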


Related issues

Related to Foreman - Bug #25230: compute resource test connection is html incorrectly escaped (Closed)

Associated revisions

Revision 744091c5 (diff)
Added by Avi Sharvit 3 months ago

Fixes #24807 - unsafe html in toast notification

toast notification sends strings through as HTML

History

#2 Updated by Tomer Brisker 3 months ago

  • Priority changed from Normal to High
  • Assignee set to Avi Sharvit
  • Category set to Security

#3 Updated by Tomer Brisker 3 months ago

  • Found in Releases 1.16.0, 1.16.0-RC1, 1.16.0-RC2, 1.16.1, 1.16.2, 1.17.0, 1.17.0-RC1, 1.17.0-RC2, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.18.0, 1.18.0-RC1, 1.18.0-RC2, 1.18.0-RC3, 1.18.1, 1.18.2, 1.19.0, 1.19.0-RC1, 1.19.0-RC2, 1.19.0-RC3 added

This was introduced in https://github.com/theforeman/foreman/commit/68cd4bba826df1e155445bf10a7fc2cb186c9d82 which is in 1.16.0 or newer. On the server side, when using the foreman core functions for toast notifications, the messages are escaped: https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/flash.rb#L67 therefore this could only be exploited from creating a toast notification in a different manner.

#4 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/6041 added

#5 Updated by Tomer Brisker 3 months ago

  • Fixed in Releases 1.19.1, 1.20.0 added

Foreman core helpers already escape messages before passing them on to the notifications, and therefore this isn't a significant risk of XSS here, but we fixed it just to be on the safe side.

#6 Updated by Avi Sharvit 3 months ago

  • Status changed from Ready For Testing to Closed

#7 Updated by The Foreman Bot 2 months ago

  • Pull request https://github.com/theforeman/foreman/pull/6060 added

#8 Updated by Tomer Brisker about 2 months ago

  • Fixed in Releases 1.18.3 added

#9 Updated by Ohad Levy about 1 month ago

  • Related to Bug #25230: compute resource test connection is html incorrectly escaped added
