Fix multiple XSS
MaKyOtOx committed Dec 9, 2021
1 parent 99cd78a commit 8526f8f
Showing 17 changed files with 112 additions and 64 deletions.
2 changes: 1 addition & 1 deletion assets/templates/details-asset-group.html
Expand Up @@ -1102,7 +1102,7 @@ <h4 class="modal-title" id="myModalLabel">Add tags</h4>
finding_id = e.relatedTarget.getAttribute('finding-id');
finding_title = e.relatedTarget.getAttribute('finding-title');
$("div#delete-finding").attr('finding-id', finding_id);
$("div#delete-finding").html("Finding: <b>"+finding_title+"</b><br/><br/>");
$("div#delete-finding").html("Finding: <b>"+encodeURIComponent(finding_title)+"</b><br/><br/>");
});
$("button.btn-delete-finding").on('click', function (e) {
finding_id = $("div#delete-finding").attr('finding-id');
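Review bot: encodeURIComponent() on the new line `$("div#delete-finding").html("Finding: <b>"+encodeURIComponent(finding_title)+"</b><br/><br/>");` is a URL encoder rather than an HTML escaper: it does keep `<`, `"` and `&` from being parsed as markup inside .html(), but it also rewrites every space, slash and non-ASCII character as a %XX sequence, so a title such as `Open port 22` is displayed as `Open%20port%2022`. The value is plain text, so the robust form is to hand it to jQuery as text instead of markup: `$("div#delete-finding").empty().append("Finding: ", $("<b>").text(finding_title), "<br/><br/>");`. The same replacement applies to the encodeURIComponent() calls added in details-asset.html, list-assets.html, list-engine-policies.html, list-scan-engines.html, list-findings.html, list-rules.html, add-scan-definition.html, details-scan-def.html, details-scan.html and edit-scan-definition.html. The show.bs.modal handler containing this line begins before the hunk.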
4 changes: 2 additions & 2 deletions assets/templates/details-asset.html
Expand Up @@ -1202,7 +1202,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Scan</h4>
finding_id = e.relatedTarget.getAttribute('finding-id');
finding_title = e.relatedTarget.getAttribute('finding-title');
$("div#delete-finding").attr('finding-id', finding_id);
$("div#delete-finding").html("Finding: <strong>"+finding_title+"</strong><br/><br/>");
$("div#delete-finding").html("Finding: <strong>"+encodeURIComponent(finding_title)+"</strong><br/><br/>");
});
$("button.btn-delete-finding").on('click', function (e) {
finding_id = $("div#delete-finding").attr('finding-id');
Expand All @@ -1222,7 +1222,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Scan</h4>
id = e.relatedTarget.getAttribute('scan-id');
scan_title = e.relatedTarget.getAttribute('scan-title');
$("div#delete-scan").attr('scan-id', id);
$("div#delete-scan").html("Title: <strong>"+scan_title+"</strong><br/><br/>");
$("div#delete-scan").html("Title: <strong>"+encodeURIComponent(scan_title)+"</strong><br/><br/>");
});
$("button.btn-delete-scan").on('click', function (e) {
id = $("div#delete-scan").attr('scan-id');
5 changes: 3 additions & 2 deletions assets/templates/list-assets.html
Expand Up @@ -626,7 +626,7 @@ <h4 class="modal-title" id="myModalLabel">Update Assets</h4>
id = e.relatedTarget.getAttribute('asset-id');
asset_value = e.relatedTarget.getAttribute('asset-value');
$("div#delete-asset").attr('asset-id', id);
$("div#delete-asset").html("Asset: <b>"+asset_value+"</b><br/><br/>");
$("div#delete-asset").html("Asset: <b>"+encodeURIComponent(asset_value)+"</b><br/><br/>");
});
$("button.btn-delete-asset").on('click', function (e) {
id = $("div#delete-asset").attr('asset-id');
Expand All @@ -641,12 +641,13 @@ <h4 class="modal-title" id="myModalLabel">Update Assets</h4>
});
});


// Delete asset group modal
$("#modal-delete-asset-group").on('show.bs.modal', function (e) {
id = e.relatedTarget.getAttribute('asset-group-id');
asset_group_value = e.relatedTarget.getAttribute('asset-group-value');
$("div#delete-asset-group").attr('asset-group-id', id);
$("div#delete-asset-group").html("Asset Group Name: <b>"+asset_group_value+"</b><br/><br/>");
$("div#delete-asset-group").html("Asset Group Name: <b>"+encodeURIComponent(asset_group_value)+"</b><br/><br/>");
});
$("button.btn-delete-asset-group").on('click', function (e) {
id = $("div#delete-asset-group").attr('asset-group-id');
2 changes: 1 addition & 1 deletion common/utils/cpe.py
Expand Up @@ -11,7 +11,7 @@ def extract_cpe(cpe_vector):
vendor = c.get_vendor()[0]
product = c.get_product()[0]
print("-->", c, vendor, product)
except Except as e:
except Exception as e:
print(e)

return vendor, product
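Review bot: With the typo fixed, the `except Exception as e:` branch at `print(e)` now actually runs, but it leaves `vendor` and `product` unassigned when `c.get_vendor()` or `c.get_product()` is what raised, so `return vendor, product` then fails with UnboundLocalError unless both names are initialised above the hunk, which is not visible here. If they are not, add `vendor, product = None, None` before the `try`, or return an explicit pair from the handler so callers get a predictable result. The `print("-->", ...)` and `print(e)` calls look like leftover debugging output and would be better as logging. extract_cpe starts before the hunk.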
2 changes: 1 addition & 1 deletion engines/templates/list-engine-policies.html
Expand Up @@ -185,7 +185,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Policy</h4>
policy_id = e.relatedTarget.getAttribute('policy-id');
policy_name = e.relatedTarget.getAttribute('policy-name');
$("div#delete-policy").attr('policy-id', policy_id);
$("div#delete-policy").html("Policy: <b>"+policy_name+"</b><br/><br/>");
$("div#delete-policy").html("Policy: <b>"+encodeURIComponent(policy_name)+"</b><br/><br/>");
});
$("button.btn-delete-policy").on('click', function (e) {
policy_id = $("div#delete-policy").attr('policy-id');
20 changes: 10 additions & 10 deletions engines/templates/list-scan-engines.html
Expand Up @@ -196,20 +196,20 @@ <h4 class="modal-title" id="myModalLabel">Engine info</h4>
$("div#info-engine").html("Loading...");
},
success: function(data, textStatus, jqXHR){
info_data = "Engine: <strong>"+data["engine"]["name"]+"</strong><br/>";
info_data+= "API URL: <strong>"+data["engine"]["api_url"]+"</strong><br/>";
info_data = "Engine: <strong>"+encodeURIComponent(data["engine"]["name"])+"</strong><br/>";
info_data+= "API URL: <strong>"+encodeURIComponent(data["engine"]["api_url"])+"</strong><br/>";

if(data["engine_infos"]["status"] == "ERROR") {
info_data+= "Oper status: <strong>ERROR</strong><br/>";
if(data["engine_infos"]["details"]){
info_data+= "Request: <strong>"+data["engine_infos"]["details"]["request"]+"</strong></br>"
info_data+= "Reason: <strong>"+data["engine_infos"]["details"]["reason"]+"</strong></br>"
info_data+= "Request: <strong>"+encodeURIComponent(data["engine_infos"]["details"]["request"])+"</strong></br>"
info_data+= "Reason: <strong>"+encodeURIComponent(data["engine_infos"]["details"]["reason"])+"</strong></br>"
}
} else {
info_data+= "Nb scans: <strong>"+data["nb_scans"]+"</strong><br/>";
info_data+= "Oper status: <strong>"+data["engine_infos"]["engine_config"]["status"]+"</strong><br/>";
info_data+= "Version: <strong>"+data["engine_infos"]["engine_config"]["version"]+"</strong><br/>";
info_data+= "Description: <strong>"+data["engine_infos"]["engine_config"]["description"]+"</strong><br/>";
info_data+= "Nb scans: <strong>"+encodeURIComponent(data["nb_scans"])+"</strong><br/>";
info_data+= "Oper status: <strong>"+encodeURIComponent(data["engine_infos"]["engine_config"]["status"])+"</strong><br/>";
info_data+= "Version: <strong>"+encodeURIComponent(data["engine_infos"]["engine_config"]["version"])+"</strong><br/>";
info_data+= "Description: <strong>"+encodeURIComponent(data["engine_infos"]["engine_config"]["description"])+"</strong><br/>";

current_scans=data["current_scans"];
if (current_scans == null || Object.keys(current_scans).length === 0) {
Expand All @@ -219,7 +219,7 @@ <h4 class="modal-title" id="myModalLabel">Engine info</h4>
for (var scan in current_scans){
if (current_scans.hasOwnProperty(scan)) {
scan_id = Object.keys(current_scans[scan])[0];
info_data+= " * id="+scan_id+", started_at: "+new Date(current_scans[scan][scan_id]["started_at"])+", status: "+current_scans[scan][scan_id]["status"]+" <br/>";
info_data+= " * id="+scan_id+", started_at: "+new Date(current_scans[scan][scan_id]["started_at"])+", status: "+encodeURIComponent(current_scans[scan][scan_id]["status"])+" <br/>";
}
}
}
Expand All @@ -235,7 +235,7 @@ <h4 class="modal-title" id="myModalLabel">Engine info</h4>
engine_id = e.relatedTarget.getAttribute('engine-id');
engine_name = e.relatedTarget.getAttribute('engine-name');
$("div#delete-engine").attr('engine-id', engine_id);
$("div#delete-engine").html("Engine: <strong>"+engine_name+"</strong><br/><br/>");
$("div#delete-engine").html("Engine: <strong>"+encodeURIComponent(engine_name)+"</strong><br/><br/>");
});
$("button.btn-delete-engine").on('click', function (e) {
engine_id = $("div#delete-engine").attr('engine-id');
57 changes: 45 additions & 12 deletions events/utils.py
Expand Up @@ -2,6 +2,7 @@
from findings.models import Finding
from assets.models import Asset
from rules.models import Rule
from common.utils import cpe


def _evaluate_alert_rules(finding, highest_severity="info"):
Expand Down Expand Up @@ -79,25 +80,57 @@ def generate_finding_alert(finding_id, scan_id, severity="info", action="new_fin
asset_id = asset.id
asset_type = asset.type

# Prepare alert metadata
metadata = {
"finding_id": finding.id,
"finding_title": finding.title,
"finding_description": finding.description,
"finding_tags": finding.tags,
"finding_cves": [],
"finding_cpes": [],
"scan_id": scan_id,
"scan_definition_id": finding.scan.scan_definition.id,
"asset_name": finding.asset_name,
"asset_type": asset_type,
"asset_id": asset_id,
"asset_tags": [t.value for t in finding.asset.categories.all()],
}

# Add CVE if any
if 'CVE' in finding.vuln_refs.keys():
try:
if type(finding.vuln_refs['CVE']) is list:
metadata.update({'finding_cves': finding.vuln_refs['CVE']})
else:
metadata.update({'finding_cves': [finding.vuln_refs['CVE']]})
except Exception:
pass

# Add CPE/Vendor/Product
if 'CPE' in finding.vuln_refs.keys():
try:
for c in finding.vuln_refs['CPE']:
for cc in c.split('\n'):
vendor, product = cpe.extract_cpe(cc)
metadata.update({'finding_cpes': {
'vector': cc,
'vendor': vendor,
'product': product,
}})
except Exception:
pass

# Create alert
alert = Alert.objects.create(
message=alert_message,
type=alert_type,
status='new',
severity=severity,
metadata={
"finding_id": finding.id,
"finding_title": finding.title,
"finding_description": finding.description,
"finding_tags": finding.tags,
"scan_id": scan_id,
"scan_definition_id": finding.scan.scan_definition.id,
"asset_name": finding.asset_name,
"asset_type": asset_type,
"asset_id": asset_id,
"asset_tags": [t.value for t in finding.asset.categories.all()],
},
metadata=metadata,
owner=finding.owner
)

# Update Teams
if finding.asset.teams.count() > 0:
for team in finding.asset.teams.all():
alert.teams.add(team)
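Review bot: `metadata.update({'finding_cpes': {...}})` inside the `for cc in c.split('\n')` loop replaces the whole `finding_cpes` entry on every iteration, so only the last CPE vector survives and the key, initialised as `[]` a few lines above, ends up holding a dict instead of a list; the intended form is `metadata['finding_cpes'].append({'vector': cc, 'vendor': vendor, 'product': product})`. Both new `except Exception: pass` blocks also swallow every error silently, including a failure inside cpe.extract_cpe, so a malformed reference drops all CPE or CVE data without a trace; logging the exception, or narrowing to the expected KeyError/ValueError/TypeError, would keep that visible. `if 'CVE' in finding.vuln_refs.keys()` can simply be `if 'CVE' in finding.vuln_refs`. generate_finding_alert starts before the hunk and continues after it.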
6 changes: 3 additions & 3 deletions findings/templates/list-findings.html
Expand Up @@ -715,9 +715,9 @@ <h4 class="modal-title" id="myModalLabel">Filter findings</h4>
finding_severity = e.relatedTarget.getAttribute('finding-severity');
$("div#delete-finding").attr('finding-id', finding_id);
$("div#delete-finding").html(
"Title: <b>"+finding_title+"</b><br/> \
Asset: <b>"+finding_asset+"</b><br/> \
Severity: <b>"+finding_severity+"</b><br/><br/>"
"Title: <b>"+encodeURIComponent(finding_title)+"</b><br/> \
Asset: <b>"+encodeURIComponent(finding_asset)+"</b><br/> \
Severity: <b>"+encodeURIComponent(finding_severity)+"</b><br/><br/>"
);
});
$("button.btn-delete-finding").on('click', function (e) {
2 changes: 1 addition & 1 deletion rules/templates/list-rules.html
Expand Up @@ -372,7 +372,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Rule ?</h4>
rule_id = e.relatedTarget.getAttribute('rule-id');
rule_title = e.relatedTarget.getAttribute('rule-title');
$("div#delete-rule").attr('rule-id', rule_id);
$("div#delete-rule").html("Name: <b>"+rule_title+"</b><br/>");
$("div#delete-rule").html("Name: <b>"+encodeURIComponent(rule_title)+"</b><br/>");
});
$("button.btn-delete-rule").on('click', function (e) {
delete_rule_args = {
13 changes: 8 additions & 5 deletions scans/templates/add-scan-definition.html
Expand Up @@ -220,6 +220,9 @@
</form>
</div>

{{ scan_policies_json|json_script:"scan_policies_json_script" }}
{{ engine_list|json_script:"engine_list_script" }}

<script>

_selected_assets = [];
Expand Down Expand Up @@ -409,23 +412,23 @@
_selected_assets.push(datum["value"]);
_id_asset += 1;
$('div.cbx_assets').append("<label for='id_assets_list_"+_id_asset+"' class='custom-control-label'>\
<input id='id_assets_list_"+_id_asset+"' class='custom-control-input' name='assets_list' type='checkbox' value='"+datum["id"]+"' asset-type='"+datum["type"]+"'checked/> "+e.target.value+"</label><br/>");
<input id='id_assets_list_"+_id_asset+"' class='custom-control-input' name='assets_list' type='checkbox' value='"+datum["id"]+"' asset-type='"+datum["type"]+"'checked/> "+encodeURIComponent(e.target.value)+"</label><br/>");
} else if (datum["format"] == "taggroup") {
_selected_assets.push(datum["value"]);
_id_asset += 1;
$('div.cbx_assets').append("<label for='id_taggroups_list_"+_id_asset+"' class='custom-control-label'>\
<input id='id_taggroups_list_"+_id_asset+"' class='custom-control-input' name='taggroups_list' type='checkbox' value='"+datum["id"]+"' checked/> "+e.target.value+" (tag)</label><br/>");
<input id='id_taggroups_list_"+_id_asset+"' class='custom-control-input' name='taggroups_list' type='checkbox' value='"+datum["id"]+"' checked/> "+encodeURIComponent(e.target.value)+" (tag)</label><br/>");
} else {
_selected_assets.push(datum["value"]);
_id_asset += 1;
$('div.cbx_assets').append("<label for='id_assetgroups_list_"+_id_asset+"' class='custom-control-label'>\
<input id='id_assetgroups_list_"+_id_asset+"' class='custom-control-input' name='assetgroups_list' type='checkbox' value='"+datum["id"]+"' checked/> "+e.target.value+" (group)</label><br/>");
<input id='id_assetgroups_list_"+_id_asset+"' class='custom-control-input' name='assetgroups_list' type='checkbox' value='"+datum["id"]+"' checked/> "+encodeURIComponent(e.target.value)+" (group)</label><br/>");
}
}
});

// Filter scan policy by engines & categories
var policies_list = {{ scan_policies_json | safe }};
var policies_list = JSON.parse(document.getElementById('scan_policies_json_script').textContent);
var hidden_policies_by_cat = [];
var hidden_policies_by_engine = [];
$('#category-buttons').bind('change', function(e){
Expand Down Expand Up @@ -502,7 +505,7 @@
});

// List appropriate engine instances depending on scan policy
engine_list = {{scan_engines_json|safe}}
engine_list = JSON.parse(document.getElementById('engine_list_script').textContent);
$("[name='engine_policy']").change(function(e){
engine_name = e.currentTarget.getAttribute('engine-name');
$('select#id_engine').empty();
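Review bot: The new `{{ engine_list|json_script:"engine_list_script" }}` tag reads a context variable named `engine_list`, whereas the expression it replaces read `scan_engines_json`; unless the view now provides `engine_list` (no view change is visible in this commit), the tag renders nothing useful and `JSON.parse(document.getElementById('engine_list_script').textContent)` throws on a null element or an empty string. json_script also serialises a Python value itself, so if `scan_policies_json` is already a JSON-encoded string, as its name suggests, the filter double-encodes it and JSON.parse returns a string rather than the policy list. Both points are worth confirming against the view before merging. The new `engine_list = JSON.parse(...)` keeps the pre-existing implicit global; `var engine_list = ...` would match the `var policies_list` declaration earlier in the file.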
4 changes: 2 additions & 2 deletions scans/templates/details-scan-def.html
Expand Up @@ -581,7 +581,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Scan</h4>
// Run direct scan now Event
$("#modal-run-scan").on('show.bs.modal', function (e) {
scan_title = e.relatedTarget.getAttribute('scan-title');
$("div#run-scan").html("Scan started: <b>"+scan_title+"</b><br/><br/>");
$("div#run-scan").html("Scan started: <b>"+encodeURIComponent(scan_title)+"</b><br/><br/>");

//Hide the modal 3 seconds later
var myModal = $(this);
Expand Down Expand Up @@ -682,7 +682,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Scan</h4>
id = e.relatedTarget.getAttribute('scan-id');
scan_title = e.relatedTarget.getAttribute('scan-title');
$("div#delete-scan").attr('scan-id', id);
$("div#delete-scan").html("ID: <b>"+id+"</b><br/>Title: <b>"+scan_title+"</b><br/><br/>");
$("div#delete-scan").html("ID: <b>"+id+"</b><br/>Title: <b>"+encodeURIComponent(scan_title)+"</b><br/><br/>");
});
$("button.btn-delete-scan").on('click', function (e) {
id = $("div#delete-scan").attr('scan-id');
2 changes: 1 addition & 1 deletion scans/templates/details-scan.html
Expand Up @@ -848,7 +848,7 @@ <h4 class="modal-title" id="myModalLabel">Retest a finding</h4>
$("div#retest-finding").append('\
<div class="alert alert-dismissible alert-danger">\
<button type="button" class="close" data-dismiss="alert">&times;</button>\
<strong>Error:</strong> Unable to retest finding: '+data.reason+'.\
<strong>Error:</strong> Unable to retest finding: '+encodeURIComponent(data.reason)+'.\
</div>');
setTimeout(function(){
$("div#retest-finding div.alert-danger").remove();
24 changes: 14 additions & 10 deletions scans/templates/edit-scan-definition.html
Expand Up @@ -218,6 +218,10 @@
</form>
</div>

{{ scan_policies_json|json_script:"scan_policies_json_script" }}
{{ engine_list|json_script:"engine_list_script" }}


<script>

_selected_team = '';
Expand Down Expand Up @@ -322,20 +326,20 @@
$("input:radio[name='engine_policy'][value='{{scan_def.engine_policy.id}}']").attr("checked", "checked");

// - Engine
engine_list = {{scan_engines_json|safe}}
engine_list = JSON.parse(document.getElementById('engine_list_script').textContent);
$('select#id_engine').append("<option value='-1' selected>---- random (by default) ----</option>");
for (i = 0; i< engine_list.length; i++){
if(engine_list[i]["engine__name"] == "{{scan_def.engine_type.name}}"){
$('select#id_engine').append($('<option>', {
value: engine_list[i]['id'],
text: engine_list[i]['name']
text: encodeURIComponent(engine_list[i]['name'])
})
);
}

}
if("{{scan_def.engine}}" != "None"){
$("select#id_engine option[value='{{scan_def.engine.id}}']").attr('selected','selected');
$("select#id_engine option[value='{{scan_def.engine.id}}']").attr('selected', 'selected');
}

}
Expand Down Expand Up @@ -480,15 +484,15 @@
// append the asset to the list
if (_selected_assets.indexOf(datum["value"]) == -1){
if (datum["format"] == "asset") {
_selected_assets.push(datum["value"]);
_selected_assets.push(encodeURIComponent(datum["value"]));
_id_asset += 1;
$('div.cbx_assets').append("<label for='id_assets_list_"+_id_asset+"' class='custom-control-label'>\
<input id='id_assets_list_"+_id_asset+"' class='custom-control-input' name='assets_list' type='checkbox' value='"+datum["id"]+"' asset-type='"+datum["type"]+"' checked/> "+e.target.value+"</label><br/>");
<input id='id_assets_list_"+_id_asset+"' class='custom-control-input' name='assets_list' type='checkbox' value='"+datum["id"]+"' asset-type='"+datum["type"]+"' checked/> "+encodeURIComponent(e.target.value)+"</label><br/>");
} else {
_selected_assets.push(datum["value"]);
_selected_assets.push(encodeURIComponent(datum["value"]));
_id_asset += 1;
$('div.cbx_assets').append("<label for='id_assetgroups_list_"+_id_asset+"' class='custom-control-label'>\
<input id='id_assetgroups_list_"+_id_asset+"' class='custom-control-input' name='assetgroups_list' type='checkbox' value='"+datum["id"]+"' checked/> "+e.target.value+" (group)</label><br/>");
<input id='id_assetgroups_list_"+_id_asset+"' class='custom-control-input' name='assetgroups_list' type='checkbox' value='"+datum["id"]+"' checked/> "+encodeURIComponent(e.target.value)+" (group)</label><br/>");
}
}
});
Expand Down Expand Up @@ -542,7 +546,7 @@
// });

// List appropriate engine instances depending on scan policy
engine_list = {{scan_engines_json|safe}}
engine_list = JSON.parse(document.getElementById('engine_list_script').textContent);
$("[name='engine_policy']").change(function(e){
engine_name = e.currentTarget.getAttribute('engine-name');
$('select#id_engine').empty();
Expand All @@ -551,7 +555,7 @@
if(engine_list[i]["engine__name"] == engine_name){
$('select#id_engine').append($('<option>', {
value: engine_list[i]['id'],
text: engine_list[i]['name']
text: encodeURIComponent(engine_list[i]['name'])
})
);
}
Expand Down Expand Up @@ -591,7 +595,7 @@
}

// global variables
var policies_list = {{ scan_policies_json | safe }};
var policies_list = JSON.parse(document.getElementById('scan_policies_json_script').textContent);
var hidden_policies_by_cat = [];
var hidden_policies_by_engine = [];

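Review bot: `_selected_assets.push(encodeURIComponent(datum["value"]));` in both branches of the asset-append handler stores the URL-encoded value, but the duplicate check just above it, `if (_selected_assets.indexOf(datum["value"]) == -1)`, still compares the raw value, so any asset whose value contains a space, slash or other encoded character is never recognised as already selected and can be appended repeatedly. `_selected_assets` is a plain array of values and is not inserted as markup anywhere in this hunk, so the encoding adds nothing here; keep `_selected_assets.push(datum["value"]);` and encode only at the point where a value is rendered. Likewise `text: encodeURIComponent(engine_list[i]['name'])` in the two `$('<option>', {...})` calls is unnecessary and alters the displayed name, because jQuery's `text` option sets textContent and never parses HTML, so `text: engine_list[i]['name']` is already safe. The json_script tags here depend on the same `engine_list` context variable rename as in add-scan-definition.html, and both affected handlers start before their hunks.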
