This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 240
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
enh(poller): Fix the XSS vulnerability on poller resource (#6982)
Fix the XSS vulnerability for the poller resource list page.
- Loading branch information
Showing
7 changed files
with
591 additions
and
148 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| Feature: Check XSS vulnerability on poller resource | ||
| As a Centreon user | ||
| I want to add a new poller resource | ||
| To check XSS vulnerability on the poller resource list page | ||
|
|
||
| Background: | ||
| Given I am logged in a Centreon server | ||
|
|
||
| @critical | ||
| Scenario: Check XSS vulnerability on the pollers resources list page | ||
| When I add a poller resource | ||
| Then The html is not interpreted on the pollers resources list page |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| <?php | ||
| /** | ||
| * Copyright 2005-2018 Centreon | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| use Centreon\Test\Behat\CentreonContext; | ||
| use Centreon\Test\Behat\Configuration\PollerResourceConfigurationPage; | ||
| use Centreon\Test\Behat\Configuration\PollerResourceConfigurationListingPage; | ||
| use Centreon\Test\Behat\Exception\ClosureException; | ||
|
|
||
| class PollerResourceConfigurationContext extends CentreonContext | ||
| { | ||
|
|
||
| const POLLER_RESOURCE_NAME = 'pollername'; | ||
|
|
||
| /** | ||
| * @var array Data used to create a new poller resource | ||
| */ | ||
| protected $pollerResourceProperties = array( | ||
| 'resource_name' => '<button>%NAME%</button>', | ||
| 'resource_line' => '<button>macro</button>', | ||
| 'instance_id' => 'Central', | ||
| 'resource_activate' => '1', | ||
| 'resource_comment' => '<button>comments</button>' | ||
| ); | ||
|
|
||
|
|
||
| public function __construct(array $parameters = array()) | ||
| { | ||
| parent::__construct($parameters); | ||
| $this->pollerResourceProperties['resource_name'] = | ||
| str_replace( | ||
| '%NAME%', | ||
| self::POLLER_RESOURCE_NAME, | ||
| $this->pollerResourceProperties['resource_name'] | ||
| ); | ||
| } | ||
|
|
||
| /** | ||
| * @When I add a poller resource | ||
| */ | ||
| public function iAddAPollerResource() | ||
| { | ||
| $currentPage = new PollerResourceConfigurationPage($this); | ||
| $currentPage->setProperties($this->pollerResourceProperties); | ||
| $currentPage->save(); | ||
| } | ||
|
|
||
| /** | ||
| * @Then The html is not interpreted on the pollers resources list page | ||
| */ | ||
| public function theHtmlIsNotInterpretedOnThePollersResourcesListPage() | ||
| { | ||
| $currentPage = new PollerResourceConfigurationListingPage($this); | ||
| $this->spin( | ||
| function ($context) use ($currentPage) { | ||
| $pollersResources = $currentPage->getEntries(); | ||
| if (!empty($pollersResources)) { | ||
| foreach ($pollersResources as $pollerResourceName => $pollerResource) { | ||
| if (strpos($pollerResourceName, self::POLLER_RESOURCE_NAME) !== false) { | ||
| if ($pollerResource['resource_name'] !== $this->pollerResourceProperties['resource_name']) { | ||
| throw new ClosureException('XSS vulnerability detected on poller resource name'); | ||
| } | ||
| if ($pollerResource['resource_line'] !== $this->pollerResourceProperties['resource_line']) { | ||
| throw new ClosureException('XSS vulnerability detected on macro'); | ||
| } | ||
| if ($pollerResource['resource_comment'] !== $this->pollerResourceProperties['resource_comment']) { | ||
| throw new ClosureException('XSS vulnerability detected on comment'); | ||
| } | ||
| return true; | ||
| } | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
| ); | ||
| } | ||
| } |
Oops, something went wrong.