[Security] Stored cross site scripting vulnerability in operator anygetter in pimcore grid configuration (#14984)

* Fix: xss in anyGetter

* Fix: xss for predefined asset metadata
robertSt7 committed Apr 21, 2023
1 parent 498cade commit 6946f8a
Showing 7 changed files with 38 additions and 14 deletions.
Expand Up @@ -33,6 +33,7 @@
use Pimcore\Model\GridConfigShare;
use Pimcore\Model\Metadata;
use Pimcore\Model\User;
use Pimcore\Security\SecurityHelper;
use Pimcore\Tool;
use Pimcore\Tool\Storage;
use Pimcore\Version;
Expand Down Expand Up @@ -963,9 +964,10 @@ public function getMetadataForColumnConfigAction(Request $request)
if (!in_array($uniqueKey, $tmp) && !in_array($item->getName(), $defaultMetadataNames)) {
$tmp[] = $uniqueKey;
$item->expand();
$name = SecurityHelper::convertHtmlSpecialChars($item->getName());
$metadataItems[] = [
'title' => $item->getName(),
'name' => $item->getName(),
'title' => $name,
'name' => $name,
'subtype' => $item->getTargetSubtype(),
'datatype' => 'data',
'fieldtype' => $item->getType(),
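Review bot: The encoded `$name` is assigned to both `'title'` and `'name'`, so the `name` field — which the grid presumably uses as the column identifier rather than as display text — no longer equals the stored metadata name whenever it contains `&`, `<`, `>` or a quote; an `&` in a real metadata name is the likely case. If `name` is later compared against predefined metadata entries or against `$defaultMetadataNames` (the unencoded comparison on the first context line of the hunk suggests it is), that lookup may now miss. Consider encoding only `'title'` and leaving `'name'` raw, or confirm that every consumer compares the encoded form: `'title' => $name,` / `'name' => $item->getName(),`. getMetadataForColumnConfigAction starts and ends outside the hunk.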
Expand Up @@ -32,6 +32,7 @@
use Pimcore\Model\GridConfigFavourite;
use Pimcore\Model\GridConfigShare;
use Pimcore\Model\User;
use Pimcore\Security\SecurityHelper;
use Pimcore\Tool;
use Pimcore\Tool\Storage;
use Pimcore\Version;
Expand Down Expand Up @@ -355,6 +356,13 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet
$gridConfigDescription = $savedGridConfig->getDescription();
$sharedGlobally = $savedGridConfig->isShareGlobally();
$setAsFavourite = $savedGridConfig->isSetAsFavourite();

foreach($gridConfig['columns'] as &$column) {
if (array_key_exists('isOperator', $column) && $column['isOperator']) {
$colAttributes = &$column['fieldConfig']['attributes'];
SecurityHelper::convertHtmlSpecialCharsArrayKeys($colAttributes, ['label', 'attribute', 'param1']);
}
}
}
}
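Review bot: The by-reference loop `foreach($gridConfig['columns'] as &$column)` is never followed by `unset($column)`, so `$column` stays bound to the last column element and any later write to a variable named `$column` in doGetGridColumnConfig (which ends outside the hunk) would silently overwrite that array entry. Taking `&$column['fieldConfig']['attributes']` on an operator column that lacks `fieldConfig` or `attributes` also auto-creates those keys with a null value, and `convertHtmlSpecialCharsArrayKeys(array &$array, ...)` then receives null and throws a TypeError instead of skipping the column. Guarding on the keys being present and an array, and releasing the reference after the loop, keeps the encoding pass from failing or corrupting configs it cannot handle; whether `$gridConfig['columns']` is always set is not visible here and should be confirmed as well.
```php
foreach ($gridConfig['columns'] as &$column) {
    if (array_key_exists('isOperator', $column) && $column['isOperator']
        && isset($column['fieldConfig']['attributes']) && is_array($column['fieldConfig']['attributes'])) {
        SecurityHelper::convertHtmlSpecialCharsArrayKeys($column['fieldConfig']['attributes'], ['label', 'attribute', 'param1']);
    }
}
unset($column);
// … unchanged: rest of doGetGridColumnConfig …
```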

Expand Up @@ -83,22 +83,25 @@ pimcore.object.gridcolumn.operator.anygetter = Class.create(pimcore.object.gridc
fieldLabel: t('label'),
length: 255,
width: 200,
value: this.node.data.configAttributes.label
value: this.node.data.configAttributes.label,
listeners: {'change': pimcore.helpers.htmlEncodeTextField }
});

this.attributeField = new Ext.form.TextField({
fieldLabel: t('attribute'),
length: 255,
width: 200,
value: this.node.data.configAttributes.attribute
value: this.node.data.configAttributes.attribute,
listeners: {'change': pimcore.helpers.htmlEncodeTextField }
});

this.param1Field = new Ext.form.TextField({
fieldLabel: t('parameter'),
length: 255,
width: 200,
value: this.node.data.configAttributes.param1
});
value: this.node.data.configAttributes.param1,
listeners: {'change': pimcore.helpers.htmlEncodeTextField }
});

this.returnLastResultField = new Ext.form.Checkbox({
fieldLabel: t('return_last_result'),
Expand Down Expand Up @@ -183,7 +186,7 @@ pimcore.object.gridcolumn.operator.anygetter = Class.create(pimcore.object.gridc
if (configAttributes.param1) {
attr += " " + configAttributes.param1;
}
nodeLabel += '<span class="pimcore_gridnode_hint"> (' + attr + ')</span>';
nodeLabel += '<span class="pimcore_gridnode_hint"> (' + Ext.util.Format.htmlEncode(attr) + ')</span>';
}

return nodeLabel;
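Review bot: `Ext.util.Format.htmlEncode(attr)` on the nodeLabel line encodes `configAttributes.attribute`/`param1`, which this same commit now also HTML-encodes server-side (AnyGetter's constructor and the `doGetGridColumnConfig` pass over `label`/`attribute`/`param1`), so if `configAttributes` is populated from that server response a stored `&` is likely to show in the hint as `&amp;` — a double-encoding display glitch rather than a security issue, but worth checking with a value containing `&` or `<`. The `change` listeners calling `pimcore.helpers.htmlEncodeTextField` run only in the browser and only on edit, so they are a consistency/UX measure; the server-side encoding is what closes the stored XSS, and that should be stated in a comment next to the listeners, e.g. `// UI-side encoding only; the server encodes these attributes on save`. Both the field constructors and the nodeLabel method belong to functions that start outside the hunk.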
Expand Up @@ -138,7 +138,7 @@ pimcore.settings.metadata.predefined = Class.create({
sortable: true
},
{text: t("name"), width: 200, sortable: true, dataIndex: 'name',
getEditor: function() { return new Ext.form.TextField({}); }
getEditor: function() { return new Ext.form.TextField({ listeners: {'change': pimcore.helpers.htmlEncodeTextField } }); }
},
{text: t("group"), width: 200, sortable: true, dataIndex: 'group',
getEditor: function() { return new Ext.form.TextField({}); }
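Review bot: Only the `name` column editor receives the `htmlEncodeTextField` change listener; the `group` editor on the very next line (and any other text editors of this grid outside the hunk) still submits raw text, so if `group` is rendered as HTML anywhere it keeps the same exposure. As the listener is client-side, the server-side encoding added to getMetadataForColumnConfigAction in this commit is the effective control, and the endpoint that persists predefined metadata should be reviewed for the same treatment of `group`. The same listener literal is now repeated in four editors across this commit; a small shared editor factory would keep the encoding policy in one place, e.g. `getEditor: function() { return new Ext.form.TextField({ listeners: {'change': pimcore.helpers.htmlEncodeTextField } }); }` applied to both columns. The enclosing column-definition array starts and ends outside the hunk.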
5 changes: 3 additions & 2 deletions lib/DataObject/GridColumnConfig/Operator/AbstractOperator.php
Expand Up @@ -16,6 +16,7 @@
namespace Pimcore\DataObject\GridColumnConfig\Operator;

use Pimcore\DataObject\GridColumnConfig\ConfigElementInterface;
use Pimcore\Security\SecurityHelper;
use Pimcore\Tool;

abstract class AbstractOperator implements OperatorInterface
Expand All @@ -41,7 +42,7 @@ abstract class AbstractOperator implements OperatorInterface
*/
public function __construct(\stdClass $config, array $context = [])
{
$this->label = $config->label;
$this->label = SecurityHelper::convertHtmlSpecialChars($config->label);
$this->childs = $config->childs;
$this->context = $context;
}
Expand Down Expand Up @@ -91,7 +92,7 @@ public function getLabel()
*/
public function setLabel($label)
{
$this->label = $label;
$this->label = SecurityHelper::convertHtmlSpecialChars($label);
}

/**
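Review bot: `setLabel` now encodes unconditionally, so any caller that round-trips a value through `getLabel()` and back into `setLabel()`, or re-saves a config whose `label` the constructor already encoded, will double-encode (`&` → `&amp;` → `&amp;amp;`) unless `SecurityHelper::convertHtmlSpecialChars` passes `double_encode: false`, which is not visible on this page. The same applies to the constructor, `setAttribute` and `setParam1` in AnyGetter.php. Encoding inside the model also means every consumer of `getLabel()` — including any non-HTML output such as CSV or JSON export, if those use it — receives encoded text, whereas encoding at the rendering edge would not; if the model-level placement is intentional, the setters should document it, e.g. `@param string|null $label Raw label; stored HTML-special-char-encoded, so getLabel() is safe to print in HTML but must not be encoded again.` `getLabel` and the docblock at the end of the hunk continue outside it.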
9 changes: 5 additions & 4 deletions lib/DataObject/GridColumnConfig/Operator/AnyGetter.php
Expand Up @@ -16,6 +16,7 @@
namespace Pimcore\DataObject\GridColumnConfig\Operator;

use Pimcore\Model\AbstractModel;
use Pimcore\Security\SecurityHelper;
use Pimcore\Tool\Admin;

/**
Expand Down Expand Up @@ -64,8 +65,8 @@ public function __construct(\stdClass $config, $context = null)

parent::__construct($config, $context);

$this->attribute = $config->attribute ?? '';
$this->param1 = $config->param1 ?? '';
$this->attribute = SecurityHelper::convertHtmlSpecialChars($config->attribute ?? '');
$this->param1 = SecurityHelper::convertHtmlSpecialChars($config->param1 ?? '');
$this->isArrayType = $config->isArrayType ?? false;

$this->forwardAttribute = $config->forwardAttribute ?? '';
Expand Down Expand Up @@ -182,7 +183,7 @@ public function getAttribute()
*/
public function setAttribute($attribute)
{
$this->attribute = $attribute;
$this->attribute = SecurityHelper::convertHtmlSpecialChars($attribute);
}

/**
Expand All @@ -198,7 +199,7 @@ public function getParam1()
*/
public function setParam1($param1)
{
$this->param1 = $param1;
$this->param1 = SecurityHelper::convertHtmlSpecialChars($param1);
}

/**
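Review bot: `attribute` and `param1` are presumably used to resolve a getter on the object and, for `param1`, handed to it as an argument (the class name and the `forwardAttribute` line suggest reflection-style access), so HTML-encoding them in the constructor and setters changes the value the getter receives: a `param1` of `a&b` now arrives as `a&amp;b`. For `attribute` this is harmless for any valid method or property name, but for `param1` it silently alters behaviour for legitimate data; if the goal is only to make these values safe in the grid-configuration UI, encoding them where they are returned to that UI rather than inside the operator would avoid the side effect. If the current placement stays, the setter docblocks should say so, e.g. `@param string|null $param1 Stored HTML-encoded; the encoded form is what is passed to the getter.` The constructor and both setters continue outside the hunk.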
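--- a/lib/Security/SecurityHelper.php
+++ b/lib/Security/SecurityHelper.php
@@ -25,4 +25,13 @@ public static function convertHtmlSpecialChars(?string $text): ?string
 
 return null;
 }
+
+public static function convertHtmlSpecialCharsArrayKeys(array &$array, array $keys): void
+{
+foreach ($keys as $key) {
+if (array_key_exists($key, $array)) {
+$array[$key] = self::convertHtmlSpecialChars($array[$key]);
+}
+}
+}
 }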
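Review bot: `convertHtmlSpecialCharsArrayKeys` forwards `$array[$key]` straight into `convertHtmlSpecialChars(?string)`, so a non-string value under one of the requested keys — a nested array, or an int/bool if the file declares `strict_types` — raises a TypeError and aborts the whole encoding pass; an `is_string` guard, `if (array_key_exists($key, $array) && is_string($array[$key]))`, keeps the helper usable on mixed config arrays. It also only inspects the top level, so nested attribute arrays are not covered; that scope should be visible to callers. The method has no docblock; a one-liner such as `/** HTML-encodes the string values stored under $keys in $array (top level only); missing keys are skipped, other keys are left untouched. */` would make the contract clear.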
