From f1d904094700b513c4756904fa2b1e19d08d890e Mon Sep 17 00:00:00 2001
From: robertSt7 <104770750+robertSt7@users.noreply.github.com>
Date: Tue, 18 Apr 2023 11:56:16 +0200
Subject: [PATCH] [Security] XSS in Classification Store of Data Objects module (#14933)

* Fix: xss in CS

* Fix: implement feedback
---
 .../ClassificationstoreController.php | 7 +++---
 .../Resources/public/js/pimcore/helpers.js | 4 ++++
 .../classificationstore/collectionsPanel.js | 7 +++---
 .../object/classificationstore/groupsPanel.js | 7 +++---
 .../classificationstore/propertiesPanel.js | 5 ++--
 lib/Security/SecurityHelper.php | 24 +++++++++++++++++++
 6 files changed, 40 insertions(+), 14 deletions(-)
 create mode 100644 lib/Security/SecurityHelper.php

diff --git a/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php b/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php
index 40fba35d6f0..6d29374d8a8 100644
--- a/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php
+++ b/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php
@@ -24,6 +24,7 @@
 use Pimcore\Model\Translation;
 use Pimcore\Model\Translation\Listing;
 use Pimcore\Model\User;
+use Pimcore\Security\SecurityHelper;
 use Pimcore\Tool\Admin;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -127,7 +128,7 @@ public function deleteGroupAction(Request $request): JsonResponse
 */
 public function createGroupAction(Request $request): JsonResponse
 {
- $name = $request->get('name');
+ $name = SecurityHelper::getStringWithoutControlChars($request->get('name'));
 $storeId = $request->get('storeId');
 $config = Classificationstore\GroupConfig::getByName($name, $storeId);
 
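Review bot: In createGroupAction, `$request->get('name')` is null when the parameter is missing, and the new line passes that value straight to `SecurityHelper::getStringWithoutControlChars`; the helper's signature is not readable in this patch (its hunk is garbled), but a non-nullable `string` parameter would throw a TypeError here and an untyped one would hand null to preg_replace, so coerce first: `$name = SecurityHelper::getStringWithoutControlChars((string) $request->get('name', ''));`. The same call is added to createStoreAction (@@ -154) and createCollectionAction (@@ -180) and needs the same treatment. The helper also rewrites the submitted name rather than rejecting it, so a name containing any stripped character is stored altered without the client being told; a comment such as `// name is normalised, not validated: characters the helper strips are silently dropped` at each call site, or an error response when the normalised name differs from the input, would make that explicit. The rest of each action body lies outside its hunk.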
@@ -154,7 +155,7 @@ public function createGroupAction(Request $request): JsonResponse
 */
 public function createStoreAction(Request $request): JsonResponse
 {
- $name = $request->get('name');
+ $name = SecurityHelper::getStringWithoutControlChars($request->get('name'));

 $config = Classificationstore\StoreConfig::getByName($name);

@@ -180,7 +181,7 @@ public function createStoreAction(Request $request): JsonResponse
 */
 public function createCollectionAction(Request $request): JsonResponse
 {
- $name = $request->get('name');
+ $name = SecurityHelper::getStringWithoutControlChars($request->get('name'));
 $storeId = $request->get('storeId');
 $config = Classificationstore\CollectionConfig::getByName($name, $storeId);

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js b/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
index 3c38c819a6f..63778fd39d9 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
@@ -3278,3 +3278,7 @@ pimcore.helpers.treeDragDropValidate = function (node, oldParent, newParent) {
 return true;
 };

+
+pimcore.helpers.getStringWithoutControlChars = function (text) {
+ return text.replace(/[<>"'`!?/\\%$(){};,:|=]/gi, '');
+};
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js
index 8960026226f..77a99456958 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js
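Review bot: `pimcore.helpers.getStringWithoutControlChars` calls `text.replace` without checking its argument, so it throws a TypeError if a caller passes undefined or null — the new call sites hand it `data.data.groupName`, `data.data.keyName` and `data.data.name` read from grid records, which may be absent for some rows. A guard such as `if (typeof text !== 'string') { return ''; }` before the replace keeps the confirm dialogs working in that case. The name is also misleading: the character class removes punctuation and markup-significant characters, not control characters (U+0000–U+001F), so a JSDoc line like `// Strips characters significant in HTML/JS contexts; this is normalisation, not escaping — still encode at the sink` would set expectations, and the `i` flag has no effect on a class with no letters and can be dropped. Note that this JS list strips a backslash (`\\`) while the visible tail of the PHP pattern in lib/Security/SecurityHelper.php does not, so the two sanitizers may not agree.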
@@ -141,7 +141,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
 var colId = data.data.colId;
 var groupId = data.data.groupId;

- Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection_relation'), data.data.groupName), function(btn) {
+ Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection_relation'), pimcore.helpers.getStringWithoutControlChars(data.data.groupName)), function(btn) {
 if (btn == 'yes') {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_deletecollectionrelation'),
@@ -315,7 +315,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
 this.relationsGrid.hide();
 this.relationsPanel.disable();

- Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection'), data.data.name), function(btn) {
+ Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_collection'), pimcore.helpers.getStringWithoutControlChars(data.data.name)), function(btn) {
 if (btn == 'yes') {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_deletecollection'),
@@ -410,8 +410,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
 },

 addFieldComplete: function (button, value, object) {
-
- value = value.trim();
+ value = pimcore.helpers.getStringWithoutControlChars(value).trim();
 if (button == "ok" && value.length > 1) {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_createcollection'),
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js
index d04b3df6472..6650b5ed8e5 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js
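Review bot: Wrapping `data.data.groupName` in `pimcore.helpers.getStringWithoutControlChars` before it goes into the confirm message is a deny-list applied at a display sink, so a legitimate name containing `:` or `(` is shown mangled while any character the list does not cover still reaches the HTML that Ext.Msg renders. Encoding at the sink instead — `Ext.util.Format.htmlEncode(data.data.groupName)` — keeps the displayed name intact and protects the dialog regardless of what was stored before this fix. The same substitution applies to the @@ -315 hunk of this file, to groupsPanel.js (@@ -148, @@ -319) and to propertiesPanel.js (@@ -198). In the addFieldComplete hunks (@@ -410 here, @@ -419 in groupsPanel.js, @@ -327 in propertiesPanel.js) the value is stripped before the `value.length > 1` check, so a name consisting only of stripped characters is rejected without feedback and a partly stripped name is sent to the server altered; showing the user the normalised value before submission would avoid surprises.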
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js
@@ -148,7 +148,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
 var keyId = data.data.keyId;
 var groupId = data.data.groupId;

- Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_relation'), data.data.keyName), function(btn) {
+ Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_relation'), pimcore.helpers.getStringWithoutControlChars(data.data.keyName)), function(btn) {
 if (btn == 'yes') {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_deleterelation'),
@@ -319,7 +319,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
 var data = grid.getStore().getAt(rowIndex);
 var id = data.data.id;

- Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_group'), data.data.name), function(btn) {
+ Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_group'), pimcore.helpers.getStringWithoutControlChars(data.data.name)), function(btn) {
 if (btn == 'yes') {
 //necessary for aborting all pending proxy requests
@@ -419,8 +419,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
 },

 addFieldComplete: function (button, value, object) {
-
- value = value.trim();
+ value = pimcore.helpers.getStringWithoutControlChars(value).trim();
 if (button == "ok" && value.length > 1) {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_creategroup'),
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js
index 40a36a1b3b5..7e6386b569d 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js
@@ -198,7 +198,7 @@ pimcore.object.classificationstore.propertiespanel = Class.create({
 var data = grid.getStore().getAt(rowIndex);
 var id = data.data.id;

- Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_property'), data.data.name), function(btn) {
+ Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('classificationstore_property'), pimcore.helpers.getStringWithoutControlChars(data.data.name)), function(btn) {
 if (btn == 'yes') {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_deleteproperty'),
@@ -327,8 +327,7 @@ pimcore.object.classificationstore.propertiespanel = Class.create({
 },

 addFieldComplete: function (button, value, object) {
-
- value = value.trim();
+ value = pimcore.helpers.getStringWithoutControlChars(value).trim();
 if (button == "ok" && value.length > 1) {
 Ext.Ajax.request({
 url: Routing.generate('pimcore_admin_dataobject_classificationstore_addproperty'),
diff --git a/lib/Security/SecurityHelper.php b/lib/Security/SecurityHelper.php
new file mode 100644
index 00000000000..0eda747507b
--- /dev/null
+++ b/lib/Security/SecurityHelper.php
@@ -0,0 +1,24 @@
+"\'`!?/%$(){};,:|=]','', $text);
+ }
+}
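Review bot: The new-file hunk for lib/Security/SecurityHelper.php is garbled in this view — only the final characters of the preg_replace call survive — so the pattern's opening delimiter and whether the `/` inside the character class is escaped cannot be confirmed; if the delimiter is `/`, an unescaped `/` in the class terminates the pattern early and preg_replace returns null with a warning, which a non-nullable `string` return type would turn into a TypeError on every call. Worth pinning with a unit test that checks `preg_last_error() !== PREG_NO_ERROR` does not fire, or switching to a delimiter that cannot occur in the class, e.g. `~`. The method name overstates what it does: the class strips listed punctuation and markup-significant characters, not control characters (U+0000–U+001F); a docblock that lists the stripped characters and states that the input is normalised rather than validated or escaped would keep callers from treating its output as safe HTML. The visible PHP list also appears to lack the backslash that the JS counterpart in helpers.js strips, so the two sanitizers should be aligned.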