Skip to content

Fix XSS vulnerabilities #29336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Feb 22, 2024
Merged

Fix XSS vulnerabilities #29336

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
559fae5
Fix XSS in wiki last commit information
Gusted Jan 17, 2024
6cae6fb
Fix XSS in dismissed review
Gusted Jan 17, 2024
f1bd0b2
review(kn4ck3r): more template escapes
jolheiser Feb 1, 2024
b5cb166
Remove TestXSSReviewDismissed, as we dont have all needed functions e…
6543 Feb 22, 2024
97006c0
Merge branch 'release/v1.21' into xss_vuln
6543 Feb 22, 2024
ab61050
tests
6543 Feb 22, 2024
e1b0c3f
what about the panic
6543 Feb 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion templates/repo/issue/view_content/comments.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -615,7 +615,7 @@
{{else}}
{{$reviewerName = .Review.OriginalAuthor}}
{{end}}
{{ctx.Locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}}
<span class="dismissed-message">{{ctx.Locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}}</span>
</span>
</div>
{{if .Content}}
Expand Down
6 changes: 3 additions & 3 deletions templates/repo/migrate/migrating.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,12 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div id="repo_migrating_progress">
<p>{{ctx.Locale.Tr "repo.migrate.migrating" .CloneAddr | Safe}}</p>
<p>{{ctx.Locale.Tr "repo.migrate.migrating" (.CloneAddr | Escape) | Safe}}</p>
<p id="repo_migrating_progress_message"></p>
</div>
<div id="repo_migrating_failed" class="gt-hidden">
{{if .CloneAddr}}
<p>{{ctx.Locale.Tr "repo.migrate.migrating_failed" .CloneAddr | Safe}}</p>
<p>{{ctx.Locale.Tr "repo.migrate.migrating_failed" (.CloneAddr | Escape) | Safe}}</p>
{{else}}
<p>{{ctx.Locale.Tr "repo.migrate.migrating_failed_no_addr" | Safe}}</p>
{{end}}
Expand Down Expand Up @@ -58,7 +58,7 @@
<div class="content">
<div class="ui warning message">
{{ctx.Locale.Tr "repo.settings.delete_notices_1" | Safe}}<br>
{{ctx.Locale.Tr "repo.settings.delete_notices_2" .Repository.FullName | Safe}}
{{ctx.Locale.Tr "repo.settings.delete_notices_2" (.Repository.FullName | Escape) | Safe}}
{{if .Repository.NumForks}}<br>
{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
{{end}}
Expand Down
4 changes: 2 additions & 2 deletions templates/repo/settings/options.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -906,7 +906,7 @@
<div class="content">
<div class="ui warning message">
{{ctx.Locale.Tr "repo.settings.delete_notices_1" | Safe}}<br>
{{ctx.Locale.Tr "repo.settings.delete_notices_2" .Repository.FullName | Safe}}
{{ctx.Locale.Tr "repo.settings.delete_notices_2" (.Repository.FullName | Escape) | Safe}}
{{if .Repository.NumForks}}<br>
{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
{{end}}
Expand Down Expand Up @@ -941,7 +941,7 @@
<div class="content">
<div class="ui warning message">
{{ctx.Locale.Tr "repo.settings.delete_notices_1" | Safe}}<br>
{{ctx.Locale.Tr "repo.settings.wiki_delete_notices_1" .Repository.Name | Safe}}
{{ctx.Locale.Tr "repo.settings.wiki_delete_notices_1" (.Repository.Name | Escape) | Safe}}
</div>
<form class="ui form" action="{{.Link}}" method="post">
{{.CsrfTokenHtml}}
Expand Down
2 changes: 1 addition & 1 deletion templates/repo/wiki/revision.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
{{$title}}
<div class="ui sub header gt-word-break">
{{$timeSince := TimeSince .Author.When ctx.Locale}}
{{ctx.Locale.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}}
{{ctx.Locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
</div>
</div>
</div>
Expand Down
2 changes: 1 addition & 1 deletion templates/repo/wiki/view.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
{{$title}}
<div class="ui sub header">
{{$timeSince := TimeSince .Author.When ctx.Locale}}
{{ctx.Locale.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}}
{{ctx.Locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
</div>
</div>
<div class="eight wide right aligned column">
Expand Down
85 changes: 85 additions & 0 deletions tests/integration/xss_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,23 @@
package integration

import (
"context"
"fmt"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
"testing"
"time"

"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/tests"

gogit "github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/stretchr/testify/assert"
)

Expand All @@ -37,3 +47,78 @@ func TestXSSUserFullName(t *testing.T) {
htmlDoc.doc.Find("div.content").Find(".header.text.center").Text(),
)
}

func TestXSSUncycloLastCommitInfo(t *testing.T) {
onGiteaRun(t, func(t *testing.T, u *url.URL) {
// Prepare the environment.
dstPath := t.TempDir()
r := fmt.Sprintf("%suser2/repo1.wiki.git", u.String())
u, err := url.Parse(r)
assert.NoError(t, err)
u.User = url.UserPassword("user2", userPassword)
assert.NoError(t, git.CloneWithArgs(context.Background(), git.AllowLFSFiltersArgs(), u.String(), dstPath, git.CloneRepoOptions{}))

// Use go-git here, because using git wouldn't work, it has code to remove
// `<`, `>` and `\n` in user names. Even though this is permitted and
// wouldn't result in a error by a Git server.
gitRepo, err := gogit.PlainOpen(dstPath)
if err != nil {
panic(err)
}

w, err := gitRepo.Worktree()
if err != nil {
panic(err)
}

filename := filepath.Join(dstPath, "Home.md")
err = os.WriteFile(filename, []byte("Oh, a XSS attack?"), 0o644)
if !assert.NoError(t, err) {
t.FailNow()
}

_, err = w.Add("Home.md")
if !assert.NoError(t, err) {
t.FailNow()
}

_, err = w.Commit("Yay XSS", &gogit.CommitOptions{
Author: &object.Signature{
Name: `Gusted <script class="evil">alert('Oh no!');</script>`,
Email: "[email protected]",
When: time.Date(2024, time.January, 31, 0, 0, 0, 0, time.UTC),
},
})
if !assert.NoError(t, err) {
t.FailNow()
}

// Push.
_, _, err = git.NewCommand(git.DefaultContext, "push").AddArguments(git.ToTrustedCmdArgs([]string{"origin", "master"})...).RunStdString(&git.RunOpts{Dir: dstPath})
assert.NoError(t, err)

// Check on page view.
t.Run("Page view", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()

req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home")
resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)

htmlDoc.AssertElement(t, "script.evil", false)
assert.EqualValues(t, `Gusted edited this page 0001-01-01 00:00:00 +00:00`, strings.TrimSpace(htmlDoc.Find(".ui.sub.header").Text()))
})

// Check on revisions page.
t.Run("Revision page", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()

req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home?action=_revision")
resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)

htmlDoc.AssertElement(t, "script.evil", false)
assert.EqualValues(t, `Gusted edited this page 0001-01-01 00:00:00 +00:00`, strings.TrimSpace(htmlDoc.Find(".ui.sub.header").Text()))
})
})
}