Fix reflected xss on coverage page

Helioviewer-Project · Dec 13, 2023 · 0774dac · 0774dac
1 parent a76607d
commit 0774dac
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 35 deletions.
diff --git a/docroot/coverage/coverage.js b/docroot/coverage/coverage.js
@@ -17,6 +17,20 @@ function qs(key) {
     return match && decodeURIComponent(match[1].replace(/\+/g, " "));
 }
 
+function getEndDate() {
+    if (qs('endDate') !== null) {
+        let tenativeDate = new Date(Date.parse(qs('endDate')));
+        // Invalid date in the query string.
+        if (isNaN(tenativeDate.valueOf())) {
+            return new Date();
+        } else {
+            return tenativeDate;
+        }
+    } else {
+        return new Date();
+    }
+}
+
 
 function decodeResolutionParam(resolutionParam) {
     "use strict";
@@ -119,11 +133,7 @@ function jump() {
 
     url = location.origin + location.pathname + '?';
 
-    if (qs('endDate') !== null) {
-        date = new Date(Date.parse(qs('endDate')));
-    } else {
-        date = new Date();
-    }
+    date = getEndDate();
 
 
     seconds = getPeriodInSeconds();
@@ -300,24 +310,15 @@ google.setOnLoadCallback(function () {
     "use strict";
     var yyyy, mm, dd, hr, min, sec, resolution, endDate, now = new Date();
 
-    endDate = qs('endDate');
-    if (endDate !== null) {
-        yyyy = endDate.slice(0, 4);
-        mm   = endDate.slice(5, 7);
-        dd   = endDate.slice(8, 10);
-        hr   = endDate.slice(11, 13);
-        min  = endDate.slice(14, 16);
-        sec  = endDate.slice(17, 19);
-    } else {
-        yyyy =  now.getFullYear().toString().lpad('0', 4);
-        mm   = (now.getMonth() + 1).toString().lpad('0', 2);
-        dd   =  now.getDate().toString().lpad('0', 2);
-        hr   =  now.getHours().toString().lpad('0', 2);
-        min  =  now.getMinutes().toString().lpad('0', 2);
-        sec  =  now.getSeconds().toString().lpad('0', 2);
-        endDate = yyyy + '-' + mm + '-' + dd +
-                 'T' + hr + ':' + min + ':' + sec + 'Z';
-    }
+    endDate = getEndDate();
+    yyyy =  endDate.getFullYear().toString().lpad('0', 4);
+    mm   = (endDate.getMonth() + 1).toString().lpad('0', 2);
+    dd   =  endDate.getDate().toString().lpad('0', 2);
+    hr   =  endDate.getHours().toString().lpad('0', 2);
+    min  =  endDate.getMinutes().toString().lpad('0', 2);
+    sec  =  endDate.getSeconds().toString().lpad('0', 2);
+    endDate = yyyy + '-' + mm + '-' + dd +
+                'T' + hr + ':' + min + ':' + sec + 'Z';
 
     timeOption('yyyy', now.getFullYear(), 1990, -1, 'YYYY',
         null, yyyy);

diff --git a/docroot/coverage/index.php b/docroot/coverage/index.php
@@ -1,14 +1,33 @@
 <?php
-    if ( !isset($_GET['resolution']) ) {
-        header('location: '.$_SERVER['REQUEST_URI'].'?resolution=1D');
+    // Valid resolution selectors
+    const VALID_RESOLUTIONS = ["30m", "1h", "1D", "1W", "1M", "3M", "1Y"];
+    const END_DATE_FORMAT = "Y-m-d\TH:i:s\Z";
+
+    // Verify the requested resolution is one of the known valid selectors.
+    $requestedResolution = $_GET['resolution'] ?? null;
+    // If it's not one of the valid selectors, redirect to a valid page.
+    if (!in_array($requestedResolution, VALID_RESOLUTIONS, true)) {
+        header('location: /coverage/?resolution=1D');
+        exit();
     }
 
     date_default_timezone_set("UTC");
     $utc = date("Y/m/d H:i e", time());
+    $endDate = date(END_DATE_FORMAT, time());
+
+    if (isset($_GET['endDate'])) {
+        try {
+            // Parse the requested end date as a date
+            $requestedEndDate = new DateTimeImmutable($_GET['endDate']);
+            // If parsing succeeds, update endDate with the desired endDate
+            $endDate = $requestedEndDate->format(END_DATE_FORMAT);
+        } catch (Throwable) {
+            // Pass, default endDate is used.
+        }
+    }
 
-    $now = $_SERVER['SCRIPT_URI']
-         . '?resolution=' . $_GET['resolution']
-         . '&endDate=' . date("Y-m-d\TH:i:s\Z", time());
+    $now = '/coverage/?resolution=' . $requestedResolution
+         . '&endDate=' . $endDate;
 ?>
 <!DOCTYPE html>
 <html lang="en">
@@ -26,13 +45,13 @@
             <a href="<?php echo $now; ?>"><img src="../resources/images/logos/hvlogo1s_transparent_logo.png" alt="Helioviewer logo" /></a>
             <div id='headerText'>The Helioviewer Project - Data Coverage</div>
             <div class="resolutions">
-                <a href="?resolution=30m<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='30m') { echo ' class="selected"'; } ?>>30 min</a>
-                <a href="?resolution=1h<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='1h') { echo ' class="selected"'; } ?>>1 hour</a>
-                <a href="?resolution=1D<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='1D') { echo ' class="selected"'; } ?>>1 day</a>
-                <a href="?resolution=1W<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='1W') { echo ' class="selected"'; } ?>>1 week</a>
-                <a href="?resolution=1M<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='1M') { echo ' class="selected"'; } ?>>1 month</a>
-                <a href="?resolution=3M<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='3M') { echo ' class="selected"'; } ?>>3 months</a>
-                <a href="?resolution=1Y<?php if ( isset($_GET['endDate']) ) { echo '&endDate='.$_GET['endDate']; } ?>"<?php if ($_GET['resolution']=='1Y') { echo ' class="selected"'; } ?>>1 year</a>
+                <a href="?resolution=30m<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='30m') { echo ' class="selected"'; } ?>>30 min</a>
+                <a  href="?resolution=1h<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='1h') { echo ' class="selected"'; } ?>>1 hour</a>
+                <a  href="?resolution=1D<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='1D') { echo ' class="selected"'; } ?>>1 day</a>
+                <a  href="?resolution=1W<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='1W') { echo ' class="selected"'; } ?>>1 week</a>
+                <a  href="?resolution=1M<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='1M') { echo ' class="selected"'; } ?>>1 month</a>
+                <a  href="?resolution=3M<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='3M') { echo ' class="selected"'; } ?>>3 months</a>
+                <a  href="?resolution=1Y<?php echo '&endDate='.$endDate;?>"<?php if ($_GET['resolution']=='1Y') { echo ' class="selected"'; } ?>>1 year</a>
             </div>
         </div>
 		<div id="datePicker">