[ofbiz-framework] 02/02: Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)

Sun, 27 Feb 2022 04:41:04 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 247b8713ba2e37b8dd6a8afb60425005e32e0bef
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Feb 27 13:35:48 2022 +0100

    Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite 
(OFBIZ-12584)
    
    A user with rights to modify and/or create websites may insert malicious 
HTML
    elements in the “webappPath” parameter from content/control/EditWebSite
    resulting in XSS.
    
    In order to trigger the XSS a victim needs to navigate to main page of the
    modified website (eg webpos or ecommerce) and interact with the malicious
    HTML elements (eg trigger the “onmouseover” event by navigating with the 
mouse
    over the “form” and/or “a” tags).
    
    Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerabily
    
    Conflicts handled by hand in EntityAutoEngine.java
---
 .../ofbiz/service/engine/EntityAutoEngine.java     | 25 +++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git 
a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
 
b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
index 208ea7a..cff8d9e 100644
--- 
a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
+++ 
b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
@@ -18,6 +18,8 @@
  */
 package org.apache.ofbiz.service.engine;
 
+import java.io.IOException;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedList;
@@ -36,6 +38,7 @@ import org.apache.ofbiz.entity.finder.PrimaryKeyFinder;
 import org.apache.ofbiz.entity.model.ModelEntity;
 import org.apache.ofbiz.entity.model.ModelField;
 import org.apache.ofbiz.entity.util.EntityQuery;
+import org.apache.ofbiz.security.SecuredUpload;
 import org.apache.ofbiz.service.DispatchContext;
 import org.apache.ofbiz.service.GenericServiceException;
 import org.apache.ofbiz.service.ModelParam;
@@ -70,7 +73,10 @@ public final class EntityAutoEngine extends 
GenericAsyncEngine {
     @Override
     public Map<String, Object> runSync(String localName, ModelService 
modelService, Map<String, Object> parameters) throws GenericServiceException {
         // static java service methods should be: public Map<String, Object> 
methodName(DispatchContext dctx, Map<String, Object> context)
-        DispatchContext dctx = dispatcher.getLocalContext(localName);
+        if (!isValidText(parameters)) {
+            return ServiceUtil.returnError("Not saved for security reason!");
+        }
+        DispatchContext dctx = getDispatcher().getLocalContext(localName);
         Locale locale = (Locale) parameters.get("locale");
         Map<String, Object> result = ServiceUtil.returnSuccess();
 
@@ -578,4 +584,21 @@ public final class EntityAutoEngine extends 
GenericAsyncEngine {
         Map<String, Object> result = 
ServiceUtil.returnSuccess(UtilProperties.getMessage("ServiceUiLabels", 
"EntityExpiredSuccessfully", UtilMisc.toMap("label", modelEntity.getTitle()), 
locale));
         return result;
     }
+
+    private static boolean isValidText(Map<String, Object> parameters) {
+        // TODO maybe more parameters will be needed in future...
+        String parameter = (String) parameters.get("webappPath");
+        if (parameter != null) {
+            try {
+                if (!SecuredUpload.isValidText(parameter, 
Collections.emptyList())) {
+                    Debug.logError("================== Not saved for security 
reason ==================", MODULE);
+                    return false;
+                }
+            } catch (IOException e) {
+                Debug.logError("================== Not saved for security 
reason ==================", MODULE);
+                return false;
+            }
+        }
+        return true;
+    }
 }

Reply via email to