
Fix(User): Fix XSS vulnerability for revoke token endpoint #2751

Status: Open. Wants to merge 1 commit into base: main

Conversation

hoangnt2 (Contributor)

Fix XSS vulnerability for revoke token endpoint

CodeQL warning: https://github.com/eclipse-sw360/sw360/security/code-scanning/87

Signed-off-by: hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
@hoangnt2 hoangnt2 force-pushed the release/fix-xss-error branch from 35c87f8 to 6054165 on November 26, 2024 08:28
@heliocastro (Contributor) left a comment

@hoangnt2 I started a branch deprecating commons-lang to commons-lang3.
The method you used has moved to commons-text.

import org.apache.commons.lang.StringEscapeUtils;
import org.apache.thrift.TException;
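Review bot: removing `import org.apache.commons.lang.StringEscapeUtils;` is only safe if nothing else in this file still references StringEscapeUtils after the second hunk drops the escapeHtml call; otherwise the file stops compiling. If the escaping route is kept instead, the replacement is `import org.apache.commons.text.StringEscapeUtils;` (escapeHtml4), which needs commons-text declared as a dependency of this module, since the commons-lang variant is deprecated.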
Review comment (Contributor): Change for org.apache.commons.text.StringEscapeUtils

@@ -368,7 +367,7 @@ public ResponseEntity<String> revokeUserRestApiToken(
User sw360User = restControllerHelper.getSw360UserFromAuthentication();

if (!userService.isTokenNameExisted(sw360User, tokenName)) {
return new ResponseEntity<>("Token not found: " + StringEscapeUtils.escapeHtml(tokenName), HttpStatus.NOT_FOUND);
return new ResponseEntity<>("Token not found", HttpStatus.NOT_FOUND);
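Review bot: dropping tokenName from the 404 body removes the reflected-input sink instead of encoding it, which is the stronger fix here: a ResponseEntity<String> built with no explicit Content-Type is served under whatever media type the client's Accept header negotiates, so an HTML-escaped value would still be reflected and a browser could still render the response as HTML. Nothing is lost for the caller, who supplied the name in the request. Consider also pinning the media type so this error can never be rendered as a document, e.g. `ResponseEntity.status(HttpStatus.NOT_FOUND).contentType(MediaType.TEXT_PLAIN).body("Token not found")`.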
Review comment (Contributor): Change for escapeHtml4

@hoangnt2 (Contributor, Author) commented Nov 26, 2024

@hoangnt2 I started a branch deprecating commons-lang to commons-lang3. This method you used moved to commons-text

@heliocastro Escaping HTML cannot resolve the XSS problem; CodeQL still warns, so I decided to remove tokenName from the response. I also want to know: is there a way to run this check locally? I want to know if my fix can solve the problem before creating a PR.

@heliocastro (Contributor)

@heliocastro Escaping HTML cannot resolve the XSS problem; CodeQL still warns, so I decided to remove tokenName from the response. I also want to know: is there a way to run this check locally? I want to know if my fix can solve the problem before creating a PR.

OK, that part is fine, agreed. But removing the function unfortunately solves only a small portion. We have this pervasively in the code.
We need to think about a sanitizer library.
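The three options debated in this thread, as an added Java illustration that is not sw360 code: the original message that reflects the caller's token name, the escapeHtml4 variant from commons-text, and the fixed-message variant the PR settles on. Class and method names are hypothetical, and the explicit text/plain content type is an extra hardening step assumed here, not something the PR itself adds.

```java
// Added illustration, not sw360 code. Names are hypothetical.
import org.apache.commons.text.StringEscapeUtils;   // commons-text, not the deprecated commons-lang
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;

public class RevokeTokenResponses {

    // BEFORE: the caller-controlled tokenName is concatenated into the body unescaped.
    // A ResponseEntity<String> with no explicit Content-Type takes whatever media type
    // the Accept header negotiates, so a browser following a crafted link can receive
    // this as text/html and execute the payload (reflected XSS, the CodeQL finding).
    public static ResponseEntity<String> vulnerableNotFound(String tokenName) {
        return new ResponseEntity<>("Token not found: " + tokenName, HttpStatus.NOT_FOUND);
    }

    // OPTION A: HTML-escape the reflected value with escapeHtml4 (commons-text).
    // Safe inside an HTML body, but the attacker's input is still echoed back and the
    // escaping only covers the HTML context; it does nothing for other sinks.
    public static ResponseEntity<String> escapedNotFound(String tokenName) {
        String body = "Token not found: " + StringEscapeUtils.escapeHtml4(tokenName);
        return ResponseEntity.status(HttpStatus.NOT_FOUND)
                .contentType(MediaType.TEXT_PLAIN)
                .body(body);
    }

    // OPTION B (what the PR does): do not reflect the input at all. The caller already
    // knows which name it sent, so nothing is lost and there is no sink left to flag.
    // Pinning the media type to text/plain (assumed hardening, not in the PR) also closes
    // the negotiation-to-text/html path for the constant message.
    public static ResponseEntity<String> fixedNotFound() {
        return ResponseEntity.status(HttpStatus.NOT_FOUND)
                .contentType(MediaType.TEXT_PLAIN)
                .body("Token not found");
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a hostile tokenName path variable.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println(vulnerableNotFound(payload).getBody());
        System.out.println(escapedNotFound(payload).getBody());
        System.out.println(fixedNotFound().getBody());
    }
}
```

Option A is what a reusable sanitizer layer would give the rest of the code base; option B is preferable wherever, as here, the reflected value carries no information the caller does not already have.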

@hoangnt2 (Contributor, Author)

@heliocastro OK, I will try again with escapeHtml4. Hopefully, it can solve the problem.

@GMishx GMishx added this to the Release - 20.0.0 milestone Nov 27, 2024
@GMishx (Member) commented Dec 23, 2024

Since #2750 is merged, this PR can be updated as well.

@GMishx GMishx added the has merge conflicts The PR has merge conflicts label Dec 23, 2024
Labels: do not merge - нет! ("no!"), has merge conflicts (The PR has merge conflicts), WIP (work in progress)

3 participants