Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.7, 1.4.0 (Beta)
    • Fix Version/s: 1.3.8, 1.4.1
    • Component/s: None
    • Labels: None

      Description

      Right now, Continuum is vulnerable to cross-site scripting. See REDBACK-275 and REDBACK-276.

      1. CONTINUUM-2620.patch
        69 kB
        Efraim Lorenz Longkines

        Activity

        Maria Catherine Tan added a comment -

        r1102231

        • added ${} for allowed characters in build definition's arguments

        r1102234

        • merge to 1.3.x branch
        Maria Catherine Tan added a comment -

        r1101669

        • Merge changes in trunk to 1.3.x branch
        Maria Catherine Tan added a comment -

        r1101338

        • added validation in xmlrpc
        • fixed validation of artifactid in ConfigureAppearanceAction
        • removed regex validation of build agent description
        Maria Catherine Tan added a comment -

        TODO:
        add validation to prevent xss attacks in xmlrpc
        Maria Catherine Tan added a comment -

        r1097686

        • move validation to xml files
        • remove regex validation for description and just escape xml
        Maria Catherine Tan added a comment -

        Applied patch in r1096681 with some modifications:

        • fixed validations in project group action and build definition action
        • fixed selenium scripts
        Efraim Lorenz Longkines added a comment - edited

        patch added for XSS vulnerability fixes with UT and Selenium Script
        Maria Catherine Tan added a comment -

        r1091993

        • prevent xss attacks in build agent, local repository and purge configuration
        Maria Catherine Tan added a comment -

        removed c:out inside <input> tags in r1091990
        Maria Catherine Tan added a comment -

        removed fn:escapeXml in r1091974
        Maria Catherine Tan added a comment -

        r1091669

        • use c:out and fn:escapeXml in JSPs
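        The comments above describe two separate controls: a regex allowlist applied to user input through Struts2 validation (with ${} admitted so Maven property references survive in build definition arguments), and output escaping in the JSPs with c:out / fn:escapeXml. The following is an added illustration of both, not code from Continuum or from the contributors on this issue. The class name, the method names and the allowlist pattern are assumptions chosen for the example; the escaping table is the one the JSTL fn:escapeXml function specifies.

```java
import java.util.regex.Pattern;

// Added example, not Continuum's own code.
public class XssHardening {

    // Assumed allowlist for a build definition's argument line: letters,
    // digits, whitespace, a little punctuation, and "$", "{" and "}" so that
    // -Dkey=${value} style property references pass. This is NOT the pattern
    // committed in the project; it only shows the shape of such a check.
    private static final Pattern ARGUMENT_ALLOWLIST =
        Pattern.compile("[A-Za-z0-9\\s._:=/\\\\$\\{\\}-]*");

    // Server-side validation step (what a Struts2 validation.xml regex
    // field validator would do before the value is stored).
    public static boolean isValidArgumentLine(String args) {
        return args != null && ARGUMENT_ALLOWLIST.matcher(args).matches();
    }

    // Output-escaping step: the same five replacements fn:escapeXml and
    // <c:out escapeXml="true"> perform, so a stored value cannot open or
    // close a tag or break out of a quoted attribute when rendered.
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Rendering a value into an attribute context, the case the comment about
    // <input> tags concerns: both quote characters are escaped, so a value
    // that contains a double quote stays inside value="...".
    public static String renderInput(String name, String value) {
        return "<input type=\"text\" name=\"" + escapeXml(name)
             + "\" value=\"" + escapeXml(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String legit   = "-Dmaven.test.skip=true -Dbuild.dir=${project.build.directory}";
        String hostile = "<script>alert(document.cookie)</script>";
        String breakout = "\" onmouseover=\"alert(1)";

        System.out.println("legit accepted:   " + isValidArgumentLine(legit));
        System.out.println("hostile accepted: " + isValidArgumentLine(hostile));

        // Even a value that was validated on one path (form) may reach the
        // page through another (the xmlrpc interface named in other comments),
        // so the render step escapes regardless of what validation did.
        System.out.println(renderInput("arguments", legit));
        System.out.println(renderInput("description", breakout));
    }
}
```

        Run with `javac XssHardening.java && java XssHardening`. The two controls are complementary rather than alternatives: the allowlist rejects a payload at the edge where a field has a known character set, and escaping at render time covers fields such as free-text descriptions that cannot reasonably be restricted, which matches the comment above about dropping the description regex and "just escape xml".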
        Efraim Lorenz Longkines added a comment - edited

        Will be adding additional validation for every action class' validation.xml and will be using regex to check if the user's input is not a possible XSS attack.
        Efraim Lorenz Longkines added a comment -

        Will be revising the validation used in every action in Continuum to prevent invalid inputs like possible XSS attacks. I will just attach my patch after I'm done.
        Efraim Lorenz Longkines added a comment - edited

        Initial fix for this was implemented in http://jira.codehaus.org/browse/REDBACK-275 (included in 1.2.7)

        Latest community issue in Redback for this issue: http://jira.codehaus.org/browse/REDBACK-276

          People

          • Assignee:
            Maria Catherine Tan
          • Reporter:
            Efraim Lorenz Longkines
          • Votes:
            0
          • Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: