From b78089cc4faf3019beb0fa7d54e64efedbcc5714 Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Wed, 18 Dec 2019 00:20:34 -0400
Subject: [PATCH] Reapply fix for issue #494

Avoid exploit of cross site scripting in login view. Thanks to Lokesh (@lokesh1095) for the report and solution. GitLab issue #494.

Signed-off-by: Roberto Rosario
---
 HISTORY.rst | 3 +++
 .../templates/appearance/base_plain.html | 2 +-
 mayan/apps/appearance/tests/test_views.py | 26 ++++++++++++++++---
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/HISTORY.rst b/HISTORY.rst
index 337c2ff3e8..607a642426 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -21,6 +21,9 @@
 - Add test for issue #494.
 - Add support for configurate test view template.
 - Add support for public test views.
+- Reapply fix for issue #494. To avoid exploit of cross site scripting in
+ login view. Thanks to Lokesh (@lokesh1095) for the report and solution.
+ GitLab issue #494.
 3.3.5 (2019-12-13)
 ==================
diff --git a/mayan/apps/appearance/templates/appearance/base_plain.html b/mayan/apps/appearance/templates/appearance/base_plain.html
index e4ea07764d..05fc42ebbb 100644
--- a/mayan/apps/appearance/templates/appearance/base_plain.html
+++ b/mayan/apps/appearance/templates/appearance/base_plain.html
@@ -28,7 +28,7 @@
 // template.
 var currentHash = window.location.hash;
 if (currentHash.length) {
- window.location = currentHash.substring(1);
+ window.location.pathname = currentHash.substring(1);
 }
diff --git a/mayan/apps/appearance/tests/test_views.py b/mayan/apps/appearance/tests/test_views.py
index bab97c18e5..cd169a998d 100644
--- a/mayan/apps/appearance/tests/test_views.py
+++ b/mayan/apps/appearance/tests/test_views.py
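Review bot: Assigning to `window.location.pathname` in base_plain.html does stop `javascript:` and cross-origin targets, but the pathname setter percent-encodes `?` and `#`, so a fragment such as `#/documents/?page=2` now lands on `/documents/%3Fpage=2` and silently loses its query string — confirm no deep link relies on that. If query strings must survive, resolve the fragment against the current origin and only then navigate: `var target = new URL(currentHash.substring(1), window.location.origin); if (target.origin === window.location.origin) { window.location = target.href; }`. A short comment above the assignment such as `// The hash is attacker-controlled; assigning pathname keeps navigation same-origin and non-script (issue #494).` would keep the fix from being reverted later. The enclosing script starts and ends outside the hunk.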
@@ -1,17 +1,25 @@
 from __future__ import absolute_import, unicode_literals
+from selenium.common.exceptions import NoAlertPresentException
 from selenium.webdriver.firefox.webdriver import WebDriver
 from django.conf import settings
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.urls import reverse
+from mayan.apps.common.tests.base import GenericViewTestCase
+
+
+class BasePlainViewTestCase(GenericViewTestCase, StaticLiveServerTestCase):
+ auto_add_test_view = True
+ test_view_url = r'^javascript:alert\("XSS"\)/$'
+ test_view_is_public = True
+ test_view_template = 'javascript_view'
-class BasePlainViewTestCase(StaticLiveServerTestCase):
 @classmethod
 def setUpClass(cls):
 super(BasePlainViewTestCase, cls).setUpClass()
- cls.selenium = WebDriver()
+ cls.selenium = WebDriver(log_path='/dev/null')
 @classmethod
 def tearDownClass(cls):
@@ -19,9 +27,21 @@ class BasePlainViewTestCase(StaticLiveServerTestCase):
 super(BasePlainViewTestCase, cls).tearDownClass()
 def test_login_view_url_fragment_xss(self):
+ # Should redirect and not display an alert
 url = '{}{}{}'.format(
 self.live_server_url, reverse(viewname=settings.LOGIN_URL),
 '#javascript:alert("XSS")'
 )
 self.selenium.get(url=url)
- self.selenium.find_element_by_xpath(xpath='//button[@name="submit"]')
+
+ with self.assertRaises(NoAlertPresentException):
+ self.selenium.switch_to_alert()
+
+ def test_login_view_url_redirect(self):
+ url = '{}{}{}'.format(
+ self.live_server_url, reverse(viewname=settings.LOGIN_URL),
+ '#javascript:alert("XSS")'
+ )
+ self.selenium.get(url=url)
+
+ self.assertTrue(self.test_view_template in self.selenium.page_source)
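Review bot: `self.selenium.switch_to_alert()` in test_login_view_url_fragment_xss is the deprecated spelling; `self.selenium.switch_to.alert` is the supported form that later Selenium releases keep. The absence check is also racy on its own: `get()` returns once the page loads, so the inline script that reads the hash may not have run yet when the alert is probed and the test would pass vacuously; the `page_source` assertion in test_login_view_url_redirect is what actually proves the fragment was routed as a same-origin path, so the alert probe should wait for that redirect before asserting. The URL construction is duplicated in both tests; a helper such as `def _get_login_url_with_xss_fragment(self): return '{}{}{}'.format(self.live_server_url, reverse(viewname=settings.LOGIN_URL), '#javascript:alert("XSS")')` removes it, and `self.assertIn(self.test_view_template, self.selenium.page_source)` gives a clearer failure message than `assertTrue(... in ...)`. Both hunks sit inside BasePlainViewTestCase, whose body continues outside the hunk.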