From 8526f8f87784db822bd94b8a0dc03f9e35d4ce6c Mon Sep 17 00:00:00 2001 From: MaKyOtOx Date: Thu, 9 Dec 2021 14:51:07 +0100 Subject: [PATCH] Fix multiple XSS --- assets/templates/details-asset-group.html | 2 +- assets/templates/details-asset.html | 4 +- assets/templates/list-assets.html | 5 +- common/utils/cpe.py | 2 +- engines/templates/list-engine-policies.html | 2 +- engines/templates/list-scan-engines.html | 20 ++++---- events/utils.py | 57 ++++++++++++++++----- findings/templates/list-findings.html | 6 +-- rules/templates/list-rules.html | 2 +- scans/templates/add-scan-definition.html | 13 +++-- scans/templates/details-scan-def.html | 4 +- scans/templates/details-scan.html | 2 +- scans/templates/edit-scan-definition.html | 24 +++++---- scans/templates/list-scan-definitions.html | 4 +- scans/templates/list-scans-performed.html | 10 ++-- settings/templates/menu-settings.html | 8 +-- templates/base.html | 11 +++- 17 files changed, 112 insertions(+), 64 deletions(-) diff --git a/assets/templates/details-asset-group.html b/assets/templates/details-asset-group.html index 18473d3..ee03935 100644 --- a/assets/templates/details-asset-group.html +++ b/assets/templates/details-asset-group.html @@ -1102,7 +1102,7 @@ finding_id = e.relatedTarget.getAttribute('finding-id'); finding_title = e.relatedTarget.getAttribute('finding-title'); $("div#delete-finding").attr('finding-id', finding_id); - $("div#delete-finding").html("Finding: "+finding_title+"

"); + $("div#delete-finding").html("Finding: "+encodeURIComponent(finding_title)+"

"); }); $("button.btn-delete-finding").on('click', function (e) { finding_id = $("div#delete-finding").attr('finding-id'); diff --git a/assets/templates/details-asset.html b/assets/templates/details-asset.html index c339f83..c18c1c1 100644 --- a/assets/templates/details-asset.html +++ b/assets/templates/details-asset.html @@ -1202,7 +1202,7 @@ finding_id = e.relatedTarget.getAttribute('finding-id'); finding_title = e.relatedTarget.getAttribute('finding-title'); $("div#delete-finding").attr('finding-id', finding_id); - $("div#delete-finding").html("Finding: "+finding_title+"
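Review bot: `encodeURIComponent()` in the new `.html("Finding: "+encodeURIComponent(finding_title)+...)` line is a URL-encoding function, not an HTML escaper; it does encode `<`, `>`, `"` and `&`, so the injection is closed, but every space, slash and non-ASCII character of a legitimate title is now displayed percent-encoded (a title `My Finding` renders as `My%20Finding`). The jQuery text-node API gives the same protection without mangling the display, e.g. `$("div#delete-finding").text("Finding: " + finding_title)` followed by `.append()` of the line-break elements the original line concatenated (that markup is stripped in this rendering, so reuse whatever the line actually appends). The same substitution applies to the analogous `.html()` calls changed in details-asset.html, list-assets.html, list-engine-policies.html, list-findings.html and list-rules.html, and to the `info_data` string built in list-scan-engines.html, where a small HTML-escaping helper would replace the `encodeURIComponent()` wrappers.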

"); + $("div#delete-finding").html("Finding: "+encodeURIComponent(finding_title)+"

"); }); $("button.btn-delete-finding").on('click', function (e) { finding_id = $("div#delete-finding").attr('finding-id'); @@ -1222,7 +1222,7 @@ id = e.relatedTarget.getAttribute('scan-id'); scan_title = e.relatedTarget.getAttribute('scan-title'); $("div#delete-scan").attr('scan-id', id); - $("div#delete-scan").html("Title: "+scan_title+"

"); + $("div#delete-scan").html("Title: "+encodeURIComponent(scan_title)+"

"); }); $("button.btn-delete-scan").on('click', function (e) { id = $("div#delete-scan").attr('scan-id'); diff --git a/assets/templates/list-assets.html b/assets/templates/list-assets.html index 2cdebdf..d37e6a1 100644 --- a/assets/templates/list-assets.html +++ b/assets/templates/list-assets.html @@ -626,7 +626,7 @@ id = e.relatedTarget.getAttribute('asset-id'); asset_value = e.relatedTarget.getAttribute('asset-value'); $("div#delete-asset").attr('asset-id', id); - $("div#delete-asset").html("Asset: "+asset_value+"

"); + $("div#delete-asset").html("Asset: "+encodeURIComponent(asset_value)+"

"); }); $("button.btn-delete-asset").on('click', function (e) { id = $("div#delete-asset").attr('asset-id'); @@ -641,12 +641,13 @@ }); }); + // Delete asset group modal $("#modal-delete-asset-group").on('show.bs.modal', function (e) { id = e.relatedTarget.getAttribute('asset-group-id'); asset_group_value = e.relatedTarget.getAttribute('asset-group-value'); $("div#delete-asset-group").attr('asset-group-id', id); - $("div#delete-asset-group").html("Asset Group Name: "+asset_group_value+"

"); + $("div#delete-asset-group").html("Asset Group Name: "+encodeURIComponent(asset_group_value)+"

"); }); $("button.btn-delete-asset-group").on('click', function (e) { id = $("div#delete-asset-group").attr('asset-group-id'); diff --git a/common/utils/cpe.py b/common/utils/cpe.py index a83604f..3ab35f6 100644 --- a/common/utils/cpe.py +++ b/common/utils/cpe.py @@ -11,7 +11,7 @@ def extract_cpe(cpe_vector): vendor = c.get_vendor()[0] product = c.get_product()[0] print("-->", c, vendor, product) - except Except as e: + except Exception as e: print(e) return vendor, product diff --git a/engines/templates/list-engine-policies.html b/engines/templates/list-engine-policies.html index b78d5ea..a83ccf3 100644 --- a/engines/templates/list-engine-policies.html +++ b/engines/templates/list-engine-policies.html @@ -185,7 +185,7 @@ policy_id = e.relatedTarget.getAttribute('policy-id'); policy_name = e.relatedTarget.getAttribute('policy-name'); $("div#delete-policy").attr('policy-id', policy_id); - $("div#delete-policy").html("Policy: "+policy_name+"
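Review bot: In `extract_cpe`, the corrected `except Exception as e:` now actually catches parse failures, but the handler only prints and falls through to `return vendor, product`; if `vendor`/`product` are not initialised before the `try` (the function header is outside the hunk), a failure raises `UnboundLocalError` instead of the graceful return the handler seems to intend. Initialising both to `None` before the `try`, or returning `None, None` from the handler, makes the failure path explicit for the caller added in events/utils.py. The `print("-->", ...)` and `print(e)` calls are debug output on what is now the alert-generation path; routing them through the logging module at debug level keeps stdout clean and makes failures traceable.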

"); + $("div#delete-policy").html("Policy: "+encodeURIComponent(policy_name)+"

"); }); $("button.btn-delete-policy").on('click', function (e) { policy_id = $("div#delete-policy").attr('policy-id'); diff --git a/engines/templates/list-scan-engines.html b/engines/templates/list-scan-engines.html index 79662b0..21a7174 100644 --- a/engines/templates/list-scan-engines.html +++ b/engines/templates/list-scan-engines.html @@ -196,20 +196,20 @@ $("div#info-engine").html("Loading..."); }, success: function(data, textStatus, jqXHR){ - info_data = "Engine: "+data["engine"]["name"]+"
"; - info_data+= "API URL: "+data["engine"]["api_url"]+"
"; + info_data = "Engine: "+encodeURIComponent(data["engine"]["name"])+"
"; + info_data+= "API URL: "+encodeURIComponent(data["engine"]["api_url"])+"
"; if(data["engine_infos"]["status"] == "ERROR") { info_data+= "Oper status: ERROR
"; if(data["engine_infos"]["details"]){ - info_data+= "Request: "+data["engine_infos"]["details"]["request"]+"
" - info_data+= "Reason: "+data["engine_infos"]["details"]["reason"]+"
" + info_data+= "Request: "+encodeURIComponent(data["engine_infos"]["details"]["request"])+"
" + info_data+= "Reason: "+encodeURIComponent(data["engine_infos"]["details"]["reason"])+"
" } } else { - info_data+= "Nb scans: "+data["nb_scans"]+"
"; - info_data+= "Oper status: "+data["engine_infos"]["engine_config"]["status"]+"
"; - info_data+= "Version: "+data["engine_infos"]["engine_config"]["version"]+"
"; - info_data+= "Description: "+data["engine_infos"]["engine_config"]["description"]+"
"; + info_data+= "Nb scans: "+encodeURIComponent(data["nb_scans"])+"
"; + info_data+= "Oper status: "+encodeURIComponent(data["engine_infos"]["engine_config"]["status"])+"
"; + info_data+= "Version: "+encodeURIComponent(data["engine_infos"]["engine_config"]["version"])+"
"; + info_data+= "Description: "+encodeURIComponent(data["engine_infos"]["engine_config"]["description"])+"
"; current_scans=data["current_scans"]; if (current_scans == null || Object.keys(current_scans).length === 0) { @@ -219,7 +219,7 @@ for (var scan in current_scans){ if (current_scans.hasOwnProperty(scan)) { scan_id = Object.keys(current_scans[scan])[0]; - info_data+= " * id="+scan_id+", started_at: "+new Date(current_scans[scan][scan_id]["started_at"])+", status: "+current_scans[scan][scan_id]["status"]+"
"; + info_data+= " * id="+scan_id+", started_at: "+new Date(current_scans[scan][scan_id]["started_at"])+", status: "+encodeURIComponent(current_scans[scan][scan_id]["status"])+"
"; } } } @@ -235,7 +235,7 @@ engine_id = e.relatedTarget.getAttribute('engine-id'); engine_name = e.relatedTarget.getAttribute('engine-name'); $("div#delete-engine").attr('engine-id', engine_id); - $("div#delete-engine").html("Engine: "+engine_name+"
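Review bot: The changed line still concatenates `scan_id` unencoded into `info_data` (`" * id="+scan_id+...`) while `status` from the same `current_scans[scan][scan_id]` object is wrapped; `scan_id` is `Object.keys(current_scans[scan])[0]`, i.e. a key taken from the engine's JSON response, so it deserves the same treatment as the sibling values, `" * id="+encodeURIComponent(scan_id)+...` (or whichever escaper the file settles on). The `new Date(...)` value is fine as-is, since a Date's string form is fixed-format. The enclosing `success` callback begins before this hunk.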

"); + $("div#delete-engine").html("Engine: "+encodeURIComponent(engine_name)+"

"); }); $("button.btn-delete-engine").on('click', function (e) { engine_id = $("div#delete-engine").attr('engine-id'); diff --git a/events/utils.py b/events/utils.py index 712cc04..a859d1f 100644 --- a/events/utils.py +++ b/events/utils.py @@ -2,6 +2,7 @@ from findings.models import Finding from assets.models import Asset from rules.models import Rule +from common.utils import cpe def _evaluate_alert_rules(finding, highest_severity="info"): 
@@ -79,25 +80,57 @@ def generate_finding_alert(finding_id, scan_id, severity="info", action="new_fin asset_id = asset.id asset_type = asset.type + # Prepare alert metadata + metadata = { + "finding_id": finding.id, + "finding_title": finding.title, + "finding_description": finding.description, + "finding_tags": finding.tags, + "finding_cves": [], + "finding_cpes": [], + "scan_id": scan_id, + "scan_definition_id": finding.scan.scan_definition.id, + "asset_name": finding.asset_name, + "asset_type": asset_type, + "asset_id": asset_id, + "asset_tags": [t.value for t in finding.asset.categories.all()], + } + + # Add CVE if any + if 'CVE' in finding.vuln_refs.keys(): + try: + if type(finding.vuln_refs['CVE']) is list: + metadata.update({'finding_cves': finding.vuln_refs['CVE']}) + else: + metadata.update({'finding_cves': [finding.vuln_refs['CVE']]}) + except Exception: + pass + + # Add CPE/Vendor/Product + if 'CPE' in finding.vuln_refs.keys(): + try: + for c in finding.vuln_refs['CPE']: + for cc in c.split('\n'): + vendor, product = cpe.extract_cpe(cc) + metadata.update({'finding_cpes': { + 'vector': cc, + 'vendor': vendor, + 'product': product, + }}) + except Exception: + pass + + # Create alert alert = Alert.objects.create( message=alert_message, type=alert_type, status='new', severity=severity, - metadata={ - "finding_id": finding.id, - "finding_title": finding.title, - "finding_description": finding.description, - "finding_tags": finding.tags, - "scan_id": scan_id, - "scan_definition_id": finding.scan.scan_definition.id, - "asset_name": finding.asset_name, - "asset_type": asset_type, - "asset_id": asset_id, - "asset_tags": [t.value for t in finding.asset.categories.all()], - }, + metadata=metadata, owner=finding.owner ) + + # Update Teams if finding.asset.teams.count() > 0: for team in finding.asset.teams.all(): alert.teams.add(team) diff --git a/findings/templates/list-findings.html b/findings/templates/list-findings.html index 73c65b1..f70d537 100644 
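Review bot: In the new CPE loop, `metadata.update({'finding_cpes': {...}})` replaces the whole `finding_cpes` entry on every iteration, so only the last CPE vector survives and the key changes type from the `[]` it was initialised with to a dict. Appending keeps every vector and the declared list shape: `metadata['finding_cpes'].append({'vector': cc, 'vendor': vendor, 'product': product})`. The two `except Exception: pass` handlers also hide the failure entirely; a logging call carrying `finding.id` would make a malformed `vuln_refs` diagnosable without changing the best-effort behaviour. If `finding.vuln_refs` can be `None`, the `.keys()` calls raise before reaching either handler, so a guard is worth adding if the model allows that.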
--- a/findings/templates/list-findings.html +++ b/findings/templates/list-findings.html @@ -715,9 +715,9 @@ finding_severity = e.relatedTarget.getAttribute('finding-severity'); $("div#delete-finding").attr('finding-id', finding_id); $("div#delete-finding").html( - "Title: "+finding_title+"
\ - Asset: "+finding_asset+"
\ - Severity: "+finding_severity+"

" + "Title: "+encodeURIComponent(finding_title)+"
\ + Asset: "+encodeURIComponent(finding_asset)+"
\ + Severity: "+encodeURIComponent(finding_severity)+"

" ); }); $("button.btn-delete-finding").on('click', function (e) { diff --git a/rules/templates/list-rules.html b/rules/templates/list-rules.html index c392560..431c97f 100644 --- a/rules/templates/list-rules.html +++ b/rules/templates/list-rules.html @@ -372,7 +372,7 @@ rule_id = e.relatedTarget.getAttribute('rule-id'); rule_title = e.relatedTarget.getAttribute('rule-title'); $("div#delete-rule").attr('rule-id', rule_id); - $("div#delete-rule").html("Name: "+rule_title+"
"); + $("div#delete-rule").html("Name: "+encodeURIComponent(rule_title)+"
"); }); $("button.btn-delete-rule").on('click', function (e) { delete_rule_args = { diff --git a/scans/templates/add-scan-definition.html b/scans/templates/add-scan-definition.html index 5d61acd..615a8be 100644 --- a/scans/templates/add-scan-definition.html +++ b/scans/templates/add-scan-definition.html @@ -220,6 +220,9 @@ +{{ scan_policies_json|json_script:"scan_policies_json_script" }} +{{ engine_list|json_script:"engine_list_script" }} +