Details
- Bug
- Status: Closed
- Blocker
- Resolution: Fixed
- 1.8.2, 1.9.2
- Security Level: public (Regular issues)
- None
- Important
Description
In org.apache.deltaspike.jsf.impl.scope.window.strategy.ClientSideWindowStrategy#sendWindowHandlerHtml the request URL and the window id are injected directly into a JS block and an HTML attribute. This allows arbitrary JS/HTML to be injected from the URL.
The fix is to properly escape the URL and the window id so that each can be embedded safely in a JS string variable or an HTML attribute.
Assuming we add a dependency for the OWASP encoder:
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.2.2</version>
</dependency>
The fix is to make the following replacements:
windowHandlerHtml = windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN, windowId);
with
windowHandlerHtml = windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN, org.owasp.encoder.Encode.forJavaScriptBlock(windowId));
and
windowHandlerHtml = windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN, ClientWindowHelper.constructRequestUrl(externalContext));
with
windowHandlerHtml = windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN, org.owasp.encoder.Encode.forJavaScriptBlock(ClientWindowHelper.constructRequestUrl(externalContext)));
and
windowHandlerHtml = windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN, getNoscriptUrl(externalContext));
with
windowHandlerHtml = windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN, org.owasp.encoder.Encode.forHtmlAttribute(getNoscriptUrl(externalContext)));
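As an added illustration (not DeltaSpike's own code), the Java program below renders a constructed stand-in for the window-handler template before and after the proposed encoding, using the org.owasp.encoder dependency above; it also makes visible the precondition that makes these encoders the right choice, namely that the JS values sit inside quoted string literals in a script block and the noscript URL inside a quoted attribute. The placeholder tokens, the template text and the sample inputs are assumptions for this demo, not copied from the project.

```java
import org.owasp.encoder.Encode;

public class WindowHandlerEscapingDemo
{
    // Assumed placeholder tokens; the real constants live in ClientSideWindowStrategy.
    static final String WINDOW_ID_REPLACE_PATTERN = "$$windowIdValue$$";
    static final String REQUEST_URL_REPLACE_PATTERN = "$$requestUrl$$";
    static final String NOSCRIPT_URL_REPLACE_PATTERN = "$$noscriptUrl$$";

    // Constructed template. The JS values sit inside quoted string literals in a <script>
    // block, the noscript URL inside a quoted attribute: the contexts the two encoders target.
    static final String TEMPLATE =
        "<script type=\"text/javascript\">\n"
        + "  var windowId = '" + WINDOW_ID_REPLACE_PATTERN + "';\n"
        + "  var requestUrl = '" + REQUEST_URL_REPLACE_PATTERN + "';\n"
        + "</script>\n"
        + "<noscript><a href=\"" + NOSCRIPT_URL_REPLACE_PATTERN + "\">continue</a></noscript>\n";

    // Before the fix: raw substitution. String.replace is literal (not regex), but a value
    // holding a quote, '<' or '/' can still end the string literal or the script block.
    static String renderUnsafe(String windowId, String requestUrl, String noscriptUrl)
    {
        return TEMPLATE
            .replace(WINDOW_ID_REPLACE_PATTERN, windowId)
            .replace(REQUEST_URL_REPLACE_PATTERN, requestUrl)
            .replace(NOSCRIPT_URL_REPLACE_PATTERN, noscriptUrl);
    }

    // After the fix: forJavaScriptBlock backslash-escapes quotes and hex-escapes '<', '>'
    // and '/', so no "</script>" survives; forHtmlAttribute turns '"' and '<' into references.
    static String renderEncoded(String windowId, String requestUrl, String noscriptUrl)
    {
        return TEMPLATE
            .replace(WINDOW_ID_REPLACE_PATTERN, Encode.forJavaScriptBlock(windowId))
            .replace(REQUEST_URL_REPLACE_PATTERN, Encode.forJavaScriptBlock(requestUrl))
            .replace(NOSCRIPT_URL_REPLACE_PATTERN, Encode.forHtmlAttribute(noscriptUrl));
    }

    public static void main(String[] args)
    {
        // Constructed malformed inputs, each trying to step out of its literal or attribute.
        String windowId = "w1'</script><b>x</b>";
        String url = "/app/page.xhtml?q=1\" onmouseover=\"f()";
        String raw = renderUnsafe(windowId, url, url);
        String safe = renderEncoded(windowId, url, url);
        // Check each rendering for a script-closing tag or attribute boundary the template lacks.
        System.out.println("raw render breaks context: " + (raw.contains("</script><b>") || raw.contains("onmouseover=\"")));
        System.out.println("encoded render breaks context: " + (safe.contains("</script><b>") || safe.contains("onmouseover=\"")));
    }
}
```

The encoders only help because the template quotes the substitution points; a token placed bare in JS or in an unquoted attribute would need a different context (e.g. a JS string built with forJavaScriptBlock plus surrounding quotes), so the template should be checked along with the replacement calls.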