OPENCMS-1019: XSS vulnerability testing flagged a parameter in clipboard admin #66
Conversation
…cripts within parameters
|
https://jiraagile.bip.uk.fid-intl.com/browse/OPENCMS-1019 Djangocms versioning filer clipboard admin was flagged by security. I have added a test to prove the response mentioned (monkeypatch/admin/clipboardadmin.py line 195) does not contain a script passed to the method. |
tests/test_views.py
Outdated
| with self.login_user_context(self.superuser): | ||
| response = self.client.post( | ||
| reverse('admin:filer-ajax_upload', kwargs={'folder_id': self.folder.id}), | ||
| data={'file': file, 'script': '<script>alert("Attack!")</script>'}, |
There was a problem hiding this comment.
I'm not sure that this test is doing anything, I don't think that this endpoint ever looks for "data". I don't think that the response would have the word alert in it anywhere too. The issue is that path is brought in un sanitised and then used later: https://github.com/divio/djangocms-versioning-filer/blob/master/djangocms_versioning_filer/monkeypatch/admin/clipboardadmin.py#L30
tests/test_views.py
Outdated
| data={'path': '<script>alert("attack!")</script>'} | ||
| ) | ||
|
|
||
| self.assertFalse('<script>alert("attack!")</script>' in response.request.values()) |
There was a problem hiding this comment.
What's actually in response.request.values()? Does it have the values url encoded?
There was a problem hiding this comment.
Request here is a dictionary representation of what was in the request. It strips that value and passes on the valid path value to the file being used.
Added test to ensure response from clipboard admin does not pass on scripts within parameters