authorMarc Hartmayer <hello@hartmayer.com>2020-06-07 22:58:56 +0200
committerMarc Hartmayer <hello@hartmayer.com>2020-06-07 23:22:04 +0200
commitfb44df981581354bf23a6928427ad2bf73c4550f (patch)
tree82550bf4323dd6f7435afacbf248d16180e7de9e /client
parent1f85b25549b50602380f1745f19e5fe44fe36d6f (diff)
WIP: XSS fixes
Diffstat (limited to 'client')
-rw-r--r--client/components/activities/activities.jade56
-rw-r--r--client/components/activities/activities.js28
-rw-r--r--client/components/rules/actions/cardActions.jade2
3 files changed, 48 insertions, 38 deletions
diff --git a/client/components/activities/activities.jade b/client/components/activities/activities.jade
index c86936a0..77acd6a3 100644
--- a/client/components/activities/activities.jade
+++ b/client/components/activities/activities.jade
@@ -34,38 +34,38 @@ template(name="activity")
//- board activity ------------------------------------------------------
if($eq mode 'board')
if($eq activity.activityType 'createBoard')
- | {{_ 'activity-created' boardLabel}}.
+ | {{{_ 'activity-created' boardLabelLink}}}.
if($eq activity.activityType 'importBoard')
- | {{{_ 'activity-imported-board' boardLabel sourceLink}}}.
+ | {{{_ 'activity-imported-board' boardLabelLink sourceLink}}}.
if($eq activity.activityType 'addBoardMember')
- | {{{_ 'activity-added' memberLink boardLabel}}}.
+ | {{{_ 'activity-added' memberLink boardLabelLink}}}.
if($eq activity.activityType 'removeBoardMember')
- | {{{_ 'activity-excluded' memberLink boardLabel}}}.
+ | {{{_ 'activity-excluded' memberLink boardLabelLink}}}.
//- card activity -------------------------------------------------------
if($eq activity.activityType 'createCard')
if($eq mode 'card')
- | {{{_ 'activity-added' cardLabel activity.listName}}}.
+ | {{{_ 'activity-added' cardLabelLink (sanitize activity.listName)}}}.
else
- | {{{_ 'activity-added' cardLabel boardLabel}}}.
+ | {{{_ 'activity-added' cardLabelLink boardLabelLink}}}.
if($eq activity.activityType 'importCard')
- | {{{_ 'activity-imported' cardLink boardLabel sourceLink}}}.
+ | {{{_ 'activity-imported' cardLink boardLabelLink sourceLink}}}.
if($eq activity.activityType 'moveCard')
- | {{{_ 'activity-moved' cardLabel activity.oldList.title activity.list.title}}}.
+ | {{{_ 'activity-moved' cardLabelLink (sanitize activity.oldList.title) (sanitize activity.list.title)}}}.
if($eq activity.activityType 'moveCardBoard')
- | {{{_ 'activity-moved' cardLink activity.oldBoardName activity.boardName}}}.
+ | {{{_ 'activity-moved' cardLink (sanitize activity.oldBoardName) (sanitize activity.boardName)}}}.
if($eq activity.activityType 'archivedCard')
| {{{_ 'activity-archived' cardLink}}}.
if($eq activity.activityType 'restoredCard')
- | {{{_ 'activity-sent' cardLink boardLabel}}}.
+ | {{{_ 'activity-sent' cardLink boardLabelLink}}}.
//- checklist activity --------------------------------------------------
if($eq activity.activityType 'addChecklist')
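Review bot: The `sanitize` wrappers on L44, L53 and L56 still feed their result into a triple-stash `{{{_ …}}}`, so whatever the `xss` filter leaves in place is rendered as markup; that library's default configuration is a tag whitelist rather than a strip-everything filter, so a list title or board name is not guaranteed to come out as plain text. For fields that are never meant to carry HTML, either an escaping interpolation or a `sanitize` helper configured with an empty `whiteList` plus `stripIgnoreTag` would be stricter than the default filter; the same applies to the checklist titles, labels and custom-field values sanitized in the two following hunks. A template comment such as `//- arguments to sanitize are rendered raw by {{{ }}}; sanitize must strip markup, not merely filter it` would make that contract visible to the next editor.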
@@ -83,25 +83,25 @@ template(name="activity")
| {{{_ 'activity-checklist-removed' cardLink}}}.
if($eq activity.activityType 'completeChecklist')
- | {{{_ 'activity-checklist-completed' activity.checklist.title cardLink}}}.
+ | {{{_ 'activity-checklist-completed' (sanitize activity.checklist.title) cardLink}}}.
if($eq activity.activityType 'uncompleteChecklist')
- | {{{_ 'activity-checklist-uncompleted' activity.checklist.title cardLink}}}.
+ | {{{_ 'activity-checklist-uncompleted' (sanitize activity.checklist.title) cardLink}}}.
if($eq activity.activityType 'checkedItem')
- | {{{_ 'activity-checked-item' checkItem activity.checklist.title cardLink}}}.
+ | {{{_ 'activity-checked-item' (sanitize checkItem) (sanitize activity.checklist.title) cardLink}}}.
if($eq activity.activityType 'uncheckedItem')
- | {{{_ 'activity-unchecked-item' checkItem activity.checklist.title cardLink}}}.
+ | {{{_ 'activity-unchecked-item' (sanitize checkItem) (sanitize activity.checklist.title) cardLink}}}.
if($eq activity.activityType 'addChecklistItem')
- | {{{_ 'activity-checklist-item-added' activity.checklist.title cardLink}}}.
+ | {{{_ 'activity-checklist-item-added' (sanitize activity.checklist.title) cardLink}}}.
.activity-checklist(href="{{ activity.card.absoluteUrl }}")
+viewer
= activity.checklistItem.title
if($eq activity.activityType 'removedChecklistItem')
- | {{{_ 'activity-checklist-item-removed' activity.checklist.title cardLink}}}.
+ | {{{_ 'activity-checklist-item-removed' (sanitize activity.checklist.title) cardLink}}}.
//- comment activity ----------------------------------------------------
if($eq mode 'card')
@@ -143,31 +143,31 @@ template(name="activity")
| {{_ 'activity-customfield-created' customField}}.
if($eq activity.activityType 'setCustomField')
- | {{{_ 'activity-set-customfield' lastCustomField lastCustomFieldValue cardLink}}}.
+ | {{{_ 'activity-set-customfield' (sanitize lastCustomField) (sanitize lastCustomFieldValue) cardLink}}}.
if($eq activity.activityType 'unsetCustomField')
- | {{{_ 'activity-unset-customfield' lastCustomField cardLink}}}.
+ | {{{_ 'activity-unset-customfield' (sanitize lastCustomField) cardLink}}}.
//- label activity ------------------------------------------------------
if($eq activity.activityType 'addedLabel')
- | {{{_ 'activity-added-label' lastLabel cardLink}}}.
+ | {{{_ 'activity-added-label' (sanitize lastLabel) cardLink}}}.
if($eq activity.activityType 'removedLabel')
- | {{{_ 'activity-removed-label' lastLabel cardLink}}}.
+ | {{{_ 'activity-removed-label' (sanitize lastLabel) cardLink}}}.
//- list activity -------------------------------------------------------
if($neq mode 'card')
if($eq activity.activityType 'createList')
- | {{{_ 'activity-added' listLabel boardLabel}}}.
+ | {{{_ 'activity-added' (sanitize listLabel) boardLabelLink}}}.
if($eq activity.activityType 'importList')
- | {{{_ 'activity-imported' listLabel boardLabel sourceLink}}}.
+ | {{{_ 'activity-imported' (sanitize listLabel) boardLabelLink sourceLink}}}.
if($eq activity.activityType 'removeList')
- | {{{_ 'activity-removed' activity.title boardLabel}}}.
+ | {{{_ 'activity-removed' (sanitize activity.title) boardLabelLink}}}.
if($eq activity.activityType 'archivedList')
- | {{_ 'activity-archived' listLabel}}.
+ | {{_ 'activity-archived' (sanitize listLabel)}}.
//- member activity ----------------------------------------------------
if($eq activity.activityType 'joinMember')
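Review bot: L117 wraps `listLabel` in `sanitize` but renders it through a double-stash `{{_ …}}`, which Blaze escapes a second time; a title containing `<` leaves the sanitizer as `&lt;` and is then shown on screen as the literal text `&lt;`. Only one of the two mechanisms is needed on an escaped line: `| {{_ 'activity-archived' listLabel}}` keeps Blaze's own escaping and avoids the double encoding. L125 and L128 in the swimlane hunk combine a double-stash with `sanitize` in the same way.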
@@ -185,15 +185,15 @@ template(name="activity")
//- swimlane activity --------------------------------------------------
if($neq mode 'card')
if($eq activity.activityType 'createSwimlane')
- | {{{_ 'activity-added' activity.swimlane.title boardLabel}}}.
+ | {{_ 'activity-added' (sanitize activity.swimlane.title) boardLabelLink}}.
if($eq activity.activityType 'archivedSwimlane')
- | {{_ 'activity-archived' activity.swimlane.title}}.
+ | {{_ 'activity-archived' (sanitize activity.swimlane.title)}}.
//- I don't understand this part ----------------------------------------
if(currentData.timeKey)
- | {{{_ activity.activityType }}}
+ | {{_ activity.activityType }}
= ' '
i(title=currentData.timeValue).activity-meta {{ moment currentData.timeValue 'LLL' }}
if (currentData.timeOldValue)
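Review bot: L125 switches the createSwimlane line from a triple-stash to a double-stash while still passing `boardLabelLink`, which returns the anchor HTML built by createBoardLink; under `{{_ …}}` Blaze escapes that string, so the board link will appear as literal `<a …>` markup instead of a link. Keeping the raw interpolation, `| {{{_ 'activity-added' (sanitize activity.swimlane.title) boardLabelLink}}}`, matches how every other boardLabelLink line in this file is rendered, with the swimlane title then relying on `sanitize` to actually strip markup because it is output raw. The triple-to-double change on L132 is fine, since `activity.activityType` is only a translation key.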
@@ -203,6 +203,6 @@ template(name="activity")
i(title=currentData.timeOldValue).activity-meta {{ moment currentData.timeOldValue 'LLL' }}
= ' @'
else if(currentData.timeValue)
- | {{{_ activity.activityType currentData.timeValue}}}
+ | {{_ activity.activityType currentData.timeValue}}
span(title=activity.createdAt).activity-meta {{ moment activity.createdAt }}
diff --git a/client/components/activities/activities.js b/client/components/activities/activities.js
index 5d356f6e..b6635da1 100644
--- a/client/components/activities/activities.js
+++ b/client/components/activities/activities.js
@@ -1,3 +1,5 @@
+import sanitizeXss from 'xss';
+
const activitiesPerPage = 20;
BlazeComponent.extendComponent({
@@ -57,7 +59,7 @@ BlazeComponent.extendComponent({
return checkItem && checkItem.title;
},
- boardLabel() {
+ boardLabelLink() {
const data = this.currentData();
if (data.mode !== 'board') {
return createBoardLink(data.activity.board(), data.activity.listName);
@@ -65,10 +67,10 @@ BlazeComponent.extendComponent({
return TAPi18n.__('this-board');
},
- cardLabel() {
+ cardLabelLink() {
const data = this.currentData();
if (data.mode !== 'card') {
- return createCardLink(this.currentData().activity.card());
+ return createCardLink(data.activity.card());
}
return TAPi18n.__('this-card');
},
@@ -134,11 +136,11 @@ BlazeComponent.extendComponent({
{
href: source.url,
},
- source.system,
+ sanitizeXss(source.system),
),
);
} else {
- return source.system;
+ return sanitizeXss(source.system);
}
}
return null;
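Review bot: `sanitizeXss(source.system)` on L177 is passed as a text child of `HTML.A`, and `Blaze.toHTML` already HTML-escapes string children, so a value containing `<` is encoded twice and the anchor text shows a literal `&lt;`; only the plain-string branch on L182 returns the sanitizer's output unchanged. The same double encoding recurs at L191, L218 and L227, where sanitized text is again placed inside an `HTML.A` child. The `href: source.url` attribute on L174 is not touched by the commit; if the source URL is imported data rather than generated by the app, restricting it to http(s) is the check that sanitizing the link text does not provide. The enclosing helper begins before this hunk.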
@@ -162,10 +164,10 @@ BlazeComponent.extendComponent({
href: attachment.url({ download: true }),
target: '_blank',
},
- attachment.name(),
+ sanitizeXss(attachment.name()),
),
)) ||
- this.currentData().activity.attachmentName
+ sanitizeXss(this.currentData().activity.attachmentName)
);
},
@@ -202,7 +204,15 @@ BlazeComponent.extendComponent({
},
}).register('activity');
+Template.activity.helpers({
+ sanitize(value) {
+ return sanitizeXss(value);
+ },
+});
+
function createCardLink(card) {
+ if (!card)
+ return '';
return (
card &&
Blaze.toHTML(
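Review bot: The early return added on L208-L209 makes the `card &&` on L211 dead — once the guard has run, `card` is always truthy — and the braceless `if` departs from the brace style used in the rest of the file; `if (!card) { return ''; }` followed by a plain `return Blaze.toHTML(…)` expresses the same intent without the redundant guard. The new `sanitize` template helper on L202 forwards `value` as-is; several template arguments (for example `activity.oldList.title`) may be absent, and unless the xss library is known to coerce `null`/`undefined` itself, `return sanitizeXss(value == null ? '' : value);` keeps the helper from depending on that. A one-line JSDoc on the helper, `/** Filters user-supplied text before it is rendered raw by a triple-stash; returns the filtered string. */`, would document why it exists. createCardLink continues past the end of this hunk.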
@@ -211,7 +221,7 @@ function createCardLink(card) {
href: card.absoluteUrl(),
class: 'action-card',
},
- card.title,
+ sanitizeXss(card.title),
),
)
);
@@ -228,7 +238,7 @@ function createBoardLink(board, list) {
href: board.absoluteUrl(),
class: 'action-board',
},
- text,
+ sanitizeXss(text),
),
)
);
diff --git a/client/components/rules/actions/cardActions.jade b/client/components/rules/actions/cardActions.jade
index c10c4b2b..469c1c50 100644
--- a/client/components/rules/actions/cardActions.jade
+++ b/client/components/rules/actions/cardActions.jade
@@ -75,7 +75,7 @@ template(name="cardActions")
button.trigger-button.trigger-button-color.js-show-color-palette(
id="color-action"
class="card-details-{{cardColorButton}}")
- | {{{_ cardColorButtonText }}}
+ | {{{_ cardColorButtonText }}} // XSS?!
div.trigger-button.js-set-color-action.js-goto-rules
i.fa.fa-plus