This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Fix(security): Sanitize queries in the list of trap groups #12022

Open

wants to merge 1 commit into base: develop
Conversation

@emabassi-ext (Contributor) commented Oct 20, 2022

Description

Fix XSS security vulnerabilities
Fixes # MON-15375

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software

Target series

  • 21.04.x
  • 21.10.x
  • 22.04.x
  • 22.10.x (master)

How can this pull request be tested?

  1. Configure LDAP authentication
  2. Click on “Import users” (Configuration > Users > contact / Users)
  3. Click on “Search”

You must still see results.

Checklist

Community contributors & Centreon team

  • I have followed the coding style guidelines provided by Centreon
  • I have commented my code, especially new classes, functions or any legacy code modified. (docblock)
  • I have commented my code, especially hard-to-understand areas of the PR.
  • I have rebased my development branch on the base branch (master, maintenance).

@emabassi-ext emabassi-ext requested a review from a team October 20, 2022 11:07
@emabassi-ext emabassi-ext self-assigned this Oct 20, 2022
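The diff in this pull request replaces a raw `innerHTML` assignment of the LDAP search response with `DOMPurify.sanitize(...)`. As an added example that is not part of this pull request or of the Centreon code base, the JavaScript below shows the pattern behind that class of bug (directory attribute values concatenated into a server-built HTML fragment, which the client then writes with `innerHTML`) next to the fix applied where the fragment is built: escape every value at the point it enters the markup. The sample entries, the hostile `cn` value and the helper names (`escapeHtml`, `renderUnsafe`, `renderEscaped`, `hasInjectedMarkup`) are all constructed for the demo; DOMPurify itself is not called, so the snippet runs in plain Node with no dependencies.

```javascript
// Added example, not code from the Centreon repository. Demonstrates why a
// server-built HTML fragment that embeds LDAP attribute values is dangerous
// when written with innerHTML, and the server-side fix (escaping each value
// before it is concatenated into markup). The entries below are constructed
// test data; cn and mail are standard LDAP attributes, the payload is hypothetical.

// Minimal HTML escaper for text nodes and double-quoted attribute values.
// '&' must be replaced first so the entities produced later are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// The vulnerable pattern: directory data is concatenated straight into markup.
// Whoever controls an LDAP attribute (a directory admin, or a user who can edit
// their own entry) controls the HTML that ends up in the result panel.
function renderUnsafe(entries) {
  let html = '<table><tr><th>cn</th><th>mail</th></tr>';
  for (const e of entries) {
    html += '<tr><td>' + e.cn + '</td><td>' + e.mail + '</td></tr>';
  }
  return html + '</table>';
}

// The hardened form: every value is escaped at the point it enters the markup,
// so the only tags in the fragment are the ones from our own template.
function renderEscaped(entries) {
  let html = '<table><tr><th>cn</th><th>mail</th></tr>';
  for (const e of entries) {
    html += '<tr><td>' + escapeHtml(e.cn) + '</td><td>' + escapeHtml(e.mail) + '</td></tr>';
  }
  return html + '</table>';
}

// Rough detector used only to show the difference: after stripping the tags
// our template emits, does the fragment still contain a tag start?
function hasInjectedMarkup(html) {
  const body = html.replace(/<\/?(table|tr|th|td)>/g, '');
  return /<[a-z]/i.test(body);
}

// Constructed sample: one ordinary entry and one with a hostile cn value.
const SAMPLE_ENTRIES = [
  { cn: 'Alice Example', mail: 'alice@example.invalid' },
  { cn: '<img src=x onerror="alert(document.cookie)">', mail: 'x@example.invalid' },
];

// Renders the same entries both ways and reports whether foreign markup survived.
function demo() {
  return {
    unsafe: hasInjectedMarkup(renderUnsafe(SAMPLE_ENTRIES)),
    escaped: hasInjectedMarkup(renderEscaped(SAMPLE_ENTRIES)),
  };
}

console.log(demo()); // { unsafe: true, escaped: false }
```

Run it with `node` and compare the two fragments: the unsafe one carries the `<img ... onerror>` element into the page, the escaped one shows it as literal text. Client-side `DOMPurify.sanitize` on the response, as the pull request does, strips the injected element after the fact and is a reasonable defence in depth, but the root fix is escaping (or building the rows with `createElement`/`textContent`) so that no untrusted value is ever parsed as HTML.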
@sonarqube-decoration

SonarQube Quality Gate: passed

  • Bugs: 1 (rating E)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 1 (rating C)
  • Coverage: no coverage information
  • Duplication: 0.0%

@emabassi-ext emabassi-ext changed the title Fix: XSS security vulnerabilities in ajaxLdapSearch.js Fix: security Oct 21, 2022
@@ -96,7 +96,7 @@ function LdapSearch() {
// defining what we should do when we got a reply
xhrM.onreadystatechange = function () {
// doing nothing until we got everything and a status 200
document.getElementById('ldap_search_result_output').innerHTML = xhrM.responseText;
document.getElementById('ldap_search_result_output').innerHTML = DOMPurify.sanitize(xhrM.responseText);
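Review bot: the new line calls `DOMPurify.sanitize`, but nothing in this hunk loads DOMPurify; if the library is not included on the page before `ajaxLdapSearch.js` runs, the reference throws inside `onreadystatechange`, the result panel stays empty, and the "You must still see results" check in the test steps fails. State where the script is included (or bundled) in the PR. Also, sanitising on the client only masks the root cause: `xhrM.responseText` is a server-built HTML fragment, so the LDAP attribute values should be HTML-escaped where that fragment is generated, with the client-side sanitize kept as defence in depth. Finally, the comment `// doing nothing until we got everything and a status 200` is not matched by the visible code: the assignment follows it directly with no `readyState`/`status` guard, so the handler writes `responseText` on every state change; either restore the guard or fix the comment.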
Contributor (review comment on the changed line):

You must not include a new library without prior agreement

@emabassi-ext emabassi-ext changed the title Fix: security Fix(security): Sanitize queries in the list of trap groups Oct 27, 2022
@kduret (Contributor) commented Nov 8, 2022

migrated to centreon/centreon#138

4 participants