

[Security] XSS in Classification Store of Data Objects module (#14933)
* Fix: xss in CS

* Fix: implement feedback
robertSt7 committed Apr 18, 2023
1 parent 9fc6748 commit f1d9040
Showing 6 changed files with 40 additions and 14 deletions.
Expand Up @@ -24,6 +24,7 @@
use Pimcore\Model\Translation;
use Pimcore\Model\Translation\Listing;
use Pimcore\Model\User;
use Pimcore\Security\SecurityHelper;
use Pimcore\Tool\Admin;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
Expand Down Expand Up @@ -127,7 +128,7 @@ public function deleteGroupAction(Request $request): JsonResponse
*/
public function createGroupAction(Request $request): JsonResponse
{
$name = $request->get('name');
$name = SecurityHelper::getStringWithoutControlChars($request->get('name'));
$storeId = $request->get('storeId');
$config = Classificationstore\GroupConfig::getByName($name, $storeId);

Expand All @@ -154,7 +155,7 @@ public function createGroupAction(Request $request): JsonResponse
*/
public function createStoreAction(Request $request): JsonResponse
{
$name = $request->get('name');
$name = SecurityHelper::getStringWithoutControlChars($request->get('name'));

$config = Classificationstore\StoreConfig::getByName($name);

Expand All @@ -180,7 +181,7 @@ public function createStoreAction(Request $request): JsonResponse
*/
public function createCollectionAction(Request $request): JsonResponse
{
$name = $request->get('name');
$name = SecurityHelper::getStringWithoutControlChars($request->get('name'));
$storeId = $request->get('storeId');
$config = Classificationstore\CollectionConfig::getByName($name, $storeId);

4 changes: 4 additions & 0 deletions bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
Expand Up @@ -3278,3 +3278,7 @@ pimcore.helpers.treeDragDropValidate = function (node, oldParent, newParent) {

return true;
};

pimcore.helpers.getStringWithoutControlChars = function (text) {
return text.replace(/[<>"'`!?/\\%$(){};,:|=]/gi, '');
};
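Review bot: `pimcore.helpers.getStringWithoutControlChars` calls `text.replace()` without checking its argument, so a `null` or `undefined` value (the grid record fields such as `data.data.groupName` passed from the panel files may be absent, though that is not visible here) throws a TypeError inside the delete handler instead of showing the dialog; a guard such as `text = text == null ? '' : String(text);` before the `replace` keeps the confirm flow working. The `i` flag is a no-op on a character class containing no letters and can be dropped. Note also that this helper is used for display in `Ext.Msg.confirm` and for the value sent to the create endpoints, so a name like `100%` is silently altered in both the message and what gets saved; for the dialog text an encoder such as `Ext.String.htmlEncode` would neutralise markup while preserving the real name, leaving the character stripping to the input path only.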
Expand Up @@ -141,7 +141,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
var colId = data.data.colId;
var groupId = data.data.groupId;

Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection_relation'), data.data.groupName), function(btn) {
Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection_relation'), pimcore.helpers.getStringWithoutControlChars(data.data.groupName)), function(btn) {
if (btn == 'yes') {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_deletecollectionrelation'),
Expand Down Expand Up @@ -315,7 +315,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
this.relationsGrid.hide();
this.relationsPanel.disable();

Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection'), data.data.name), function(btn) {
Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection'), pimcore.helpers.getStringWithoutControlChars(data.data.name)), function(btn) {
if (btn == 'yes') {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_deletecollection'),
Expand Down Expand Up @@ -410,8 +410,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
},

addFieldComplete: function (button, value, object) {

value = value.trim();
value = pimcore.helpers.getStringWithoutControlChars(value).trim();
if (button == "ok" && value.length > 1) {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_createcollection'),
Expand Up @@ -148,7 +148,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
var keyId = data.data.keyId;
var groupId = data.data.groupId;

Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_relation'), data.data.keyName), function(btn) {
Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_relation'), pimcore.helpers.getStringWithoutControlChars(data.data.keyName)), function(btn) {
if (btn == 'yes') {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_deleterelation'),
Expand Down Expand Up @@ -319,7 +319,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
var data = grid.getStore().getAt(rowIndex);
var id = data.data.id;

Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_group'), data.data.name), function(btn) {
Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_group'), pimcore.helpers.getStringWithoutControlChars(data.data.name)), function(btn) {
if (btn == 'yes') {

//necessary for aborting all pending proxy requests
Expand Down Expand Up @@ -419,8 +419,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
},

addFieldComplete: function (button, value, object) {

value = value.trim();
value = pimcore.helpers.getStringWithoutControlChars(value).trim();
if (button == "ok" && value.length > 1) {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_creategroup'),
Expand Up @@ -198,7 +198,7 @@ pimcore.object.classificationstore.propertiespanel = Class.create({
var data = grid.getStore().getAt(rowIndex);
var id = data.data.id;

Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_property'), data.data.name), function(btn) {
Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_property'), pimcore.helpers.getStringWithoutControlChars(data.data.name)), function(btn) {
if (btn == 'yes') {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_deleteproperty'),
Expand Down Expand Up @@ -327,8 +327,7 @@ pimcore.object.classificationstore.propertiespanel = Class.create({
},

addFieldComplete: function (button, value, object) {

value = value.trim();
value = pimcore.helpers.getStringWithoutControlChars(value).trim();
if (button == "ok" && value.length > 1) {
Ext.Ajax.request({
url: Routing.generate('pimcore_admin_dataobject_classificationstore_addproperty'),
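--- /dev/null
+++ b/lib/Security/SecurityHelper.php
@@ -0,0 +1,24 @@
+<?php
+
+/**
+* Pimcore
+*
+* This source file is available under two different licenses:
+* - GNU General Public License version 3 (GPLv3)
+* - Pimcore Commercial License (PCL)
+* Full copyright and license information is available in
+* LICENSE.md which is distributed with this source code.
+*
+* @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+* @license http://www.pimcore.org/license GPLv3 and PCL
+*/
+
+namespace Pimcore\Security;
+
+class SecurityHelper
+{
+public static function getStringWithoutControlChars(string $text): string
+{
+return preg_replace('[\\\\<>"\'`!?/%$(){};,:|=]','', $text);
+}
+}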
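Review bot: The pattern passed to `preg_replace()` in `getStringWithoutControlChars()` has no explicit delimiter, and PHP accepts `[` … `]` as a bracket-style delimiter pair, so the square brackets are consumed as delimiters and the body `` \\<>"'`!?/%$(){};,:|= `` is compiled as a plain pattern in which `?`, `$`, `()` and `|` act as metacharacters rather than as the intended character class; as far as I can trace it, only the `=` alternative can ever match, so the server-side strip does not do what its JavaScript counterpart in helpers.js does and the controller still persists names with the other listed characters. Wrap the class in real delimiters, e.g. `` return preg_replace('~[\\\\<>"\'`!?/%$(){};,:|=]~', '', $text); ``, and add a unit test that feeds `<script>` and `'"` through the method, which would have caught this. `preg_replace()` returns `null` on a PCRE error while the method is declared to return `string`, so either coalesce with a throw (`?? throw new \RuntimeException(preg_last_error_msg())`) or widen the return type. The three call sites in the controller hunks above pass `$request->get('name')`, which is `null` when the parameter is missing and would raise a TypeError under the `string $text` signature; accepting `?string` or casting at the call site avoids turning a missing field into a 500. A docblock should also say that the method strips the listed punctuation characters (not C0 control characters, as the name suggests) and that the altered value is what gets stored.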
