From 47c10491d81bf77a3c6fe2d5ccbb7458b6a30320 Mon Sep 17 00:00:00 2001
From: Gary Allan
Date: Fri, 1 Apr 2022 21:43:55 +0000
Subject: [PATCH] Bugfix: Use HTTPS for ripe/arin queries. Prevent reflected XSS in ripe/arin data in low probability scenario an attacker can proxy and modify Internet RIPE/ARIN requests.
---
app/admin/subnets/ripe-query.php | 6 ++++--
functions/classes/class.Subnets.php | 4 ++--
misc/CHANGELOG | 1 +
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/app/admin/subnets/ripe-query.php b/app/admin/subnets/ripe-query.php
index 0ece3e2d1..644c46ecd 100755
--- a/app/admin/subnets/ripe-query.php
+++ b/app/admin/subnets/ripe-query.php
@@ -22,14 +22,14 @@ ?>
-
+
show("danger", _(ucwords($res['error'])), false);
+ $Result->show("danger", _(ucwords(escape_input($res['error']))), false);
} // ok, print field matching
else {
@@ -53,6 +53,8 @@
// loop
if (isset($res['data'])) {
foreach ($res['data'] as $k=>$d) {
+ $d = escape_input($d);
+
print "";
print "";
print " $k: $d";
diff --git a/functions/classes/class.Subnets.php b/functions/classes/class.Subnets.php
index 2695b655f..021afcd32 100644
--- a/functions/classes/class.Subnets.php
+++ b/functions/classes/class.Subnets.php
@@ -3524,7 +3524,7 @@ public function resolve_ripe_arin ($subnet) {
* Queries ripe for subnet information
*
* Example:
- * curl -X GET -H "Accept: application/json" "http://rest.db.ripe.net/ripe/inetnum/185.72.140.0/24"
+ * curl -X GET -H "Accept: application/json" "https://rest.db.ripe.net/ripe/inetnum/185.72.140.0/24"
*
* @access private
* @param mixed $subnet
@@ -3620,7 +3620,7 @@ private function query_arin ($subnet) {
*/
private function ripe_arin_fetch ($network, $type, $subnet) {
// set url
- $url = $network=="ripe" ? "http://rest.db.ripe.net/ripe/$type/$subnet" : "http://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2";
+ $url = $network=="ripe" ? "https://rest.db.ripe.net/ripe/$type/$subnet" : "https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2";
$result = $this->curl_fetch_url($url, ["Accept: application/json"]);
diff --git a/misc/CHANGELOG b/misc/CHANGELOG
index 9893a6a36..e35aba805 100755
--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -91,6 +91,7 @@ + XSS while uploading CVS files; + XSS (reflected) in 'find subnets'; + Incorrect privilege assignments (#3506); + + XXS (reflected) in ripe-arin-query; Translations: ----------------------------
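Review bot: The array key `$k` is still printed unescaped in `print " $k: $d";` in the second hunk of ripe-query.php, because the added line escapes only the value `$d`. If the keys of `$res['data']` are built from field names in the RIPE/ARIN response (not visible in this diff), the tampered-response scenario named in the commit message can still inject markup through a key. Add `$k = escape_input($k);` next to the new line, or escape both values where they are printed. `escape_input()` is defined outside this diff, so it is also worth confirming it handles every type `$d` can take, for example a nested array. The foreach body continues past the end of the hunk.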
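Review bot: Changing the two URLs in `ripe_arin_fetch` to `https://` only protects against an on-path attacker if `curl_fetch_url()` verifies the server certificate, and that helper is outside this hunk. Confirm it leaves `CURLOPT_SSL_VERIFYPEER` enabled and `CURLOPT_SSL_VERIFYHOST` at 2, and that any redirect following is restricted to HTTPS (for example with `CURLOPT_REDIR_PROTOCOLS`); otherwise a forged certificate or a redirect back to plain HTTP restores the original exposure. A short comment above `$url`, such as `// HTTPS required: the response is rendered in the admin UI`, would help keep a later edit from reverting the scheme. The function body continues beyond the hunk.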