This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 169e370a60a77a235c333c8f32658b46d9c45bb2
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Feb 27 13:35:48 2022 +0100
Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite
(OFBIZ-12584)
A user with rights to modify and/or create websites may insert malicious
HTML
elements in the “webappPath” parameter from content/control/EditWebSite
resulting in XSS.
In order to trigger the XSS a victim needs to navigate to main page of the
modified website (eg webpos or ecommerce) and interact with the malicious
HTML elements (eg trigger the “onmouseover” event by navigating with the
mouse
over the “form” and/or “a” tags).
Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerabily
---
.../ofbiz/service/engine/EntityAutoEngine.java | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git
a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
index 19736b7..1445a49 100644
---
a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
+++
b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
@@ -18,6 +18,8 @@
*/
package org.apache.ofbiz.service.engine;
+import java.io.IOException;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
@@ -37,6 +39,7 @@ import org.apache.ofbiz.entity.model.ModelEntity;
import org.apache.ofbiz.entity.model.ModelField;
import org.apache.ofbiz.entity.model.ModelUtil;
import org.apache.ofbiz.entity.util.EntityQuery;
+import org.apache.ofbiz.security.SecuredUpload;
import org.apache.ofbiz.service.DispatchContext;
import org.apache.ofbiz.service.GenericServiceException;
import org.apache.ofbiz.service.ModelParam;
@@ -71,6 +74,9 @@ public final class EntityAutoEngine extends
GenericAsyncEngine {
@Override
public Map<String, Object> runSync(String localName, ModelService
modelService, Map<String, Object> parameters) throws GenericServiceException {
// static java service methods should be: public Map<String, Object>
methodName(DispatchContext dctx, Map<String, Object> context)
+ if (!isValidText(parameters)) {
+ return ServiceUtil.returnError("Not saved for security reason!");
+ }
DispatchContext dctx = getDispatcher().getLocalContext(localName);
Locale locale = (Locale) parameters.get("locale");
Map<String, Object> result = ServiceUtil.returnSuccess();
@@ -614,4 +620,21 @@ public final class EntityAutoEngine extends
GenericAsyncEngine {
UtilMisc.toMap("label", modelEntity.getTitle()), locale));
return result;
}
+
+ private static boolean isValidText(Map<String, Object> parameters) {
+ // TODO maybe more parameters will be needed in future...
+ String parameter = (String) parameters.get("webappPath");
+ if (parameter != null) {
+ try {
+ if (!SecuredUpload.isValidText(parameter,
Collections.emptyList())) {
+ Debug.logError("================== Not saved for security
reason ==================", MODULE);
+ return false;
+ }
+ } catch (IOException e) {
+ Debug.logError("================== Not saved for security
reason ==================", MODULE);
+ return false;
+ }
+ }
+ return true;
+ }
}
