Fix XSS vulnerability in Continuum

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.7, 1.4.0 (Beta)
Fix Version/s: 1.3.8, 1.4.1
Component/s: None
Labels:
None

Complexity:
Intermediate
Number of attachments :
1

Description

Right now, continuum is vulnerable for cross-site scripting. See ~~REDBACK-275~~ and ~~REDBACK-276~~.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

CONTINUUM-2620.patch

15/Apr/11 9:03 AM

69 kB

Efraim Lorenz Longkines

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Efraim Lorenz Longkines added a comment - 05/Apr/11 4:44 AM - edited

Initial fix for this was implemented in http://jira.codehaus.org/browse/REDBACK-275 (included in 1.2.7)

Latest community issue in Redback for this issue http://jira.codehaus.org/browse/REDBACK-276

Show

Efraim Lorenz Longkines added a comment - 05/Apr/11 4:44 AM - edited Initial fix for this was implemented in http://jira.codehaus.org/browse/REDBACK-275 (included in 1.2.7) Latest community issue in Redback for this issue http://jira.codehaus.org/browse/REDBACK-276

Hide

Permalink

Efraim Lorenz Longkines added a comment - 08/Apr/11 5:06 AM

Will be revising the validation used in every actions in the continuum to prevent invalid inputs like possible XSS attacks. I will just attach my patch after I'm done.

Show

Efraim Lorenz Longkines added a comment - 08/Apr/11 5:06 AM Will be revising the validation used in every actions in the continuum to prevent invalid inputs like possible XSS attacks. I will just attach my patch after I'm done.

Hide

Permalink

Efraim Lorenz Longkines added a comment - 11/Apr/11 1:27 AM - edited

Will be adding additional validation for every action class' validation.xml and will be using regex to check if the user's input is not a possible XSS attack.

Show

Efraim Lorenz Longkines added a comment - 11/Apr/11 1:27 AM - edited Will be adding additional validation for every action class' validation.xml and will be using regex to check if the user's input is not a possible XSS attack.

Hide

Permalink

Maria Catherine Tan added a comment - 13/Apr/11 1:39 AM

r1091669

use c:out and fn:escapeXml in JSPs

Show

Maria Catherine Tan added a comment - 13/Apr/11 1:39 AM r1091669 use c:out and fn:escapeXml in JSPs

Hide

Permalink

Maria Catherine Tan added a comment - 13/Apr/11 6:32 PM

removed fn:escapeXml in r1091974

Show

Maria Catherine Tan added a comment - 13/Apr/11 6:32 PM removed fn:escapeXml in r1091974

Hide

Permalink

Maria Catherine Tan added a comment - 13/Apr/11 9:28 PM

removed c:out inside <input> tags in r1091990

Show

Maria Catherine Tan added a comment - 13/Apr/11 9:28 PM removed c:out inside <input> tags in r1091990

Hide

Permalink

Maria Catherine Tan added a comment - 13/Apr/11 10:34 PM

r1091993

prevent xss attacks in build agent, local repository and purge configuration

Show

Maria Catherine Tan added a comment - 13/Apr/11 10:34 PM r1091993 prevent xss attacks in build agent, local repository and purge configuration

Hide

Permalink

Efraim Lorenz Longkines added a comment - 15/Apr/11 9:03 AM - edited

patch added for XSS vulnerability fixes with UT and Selenium Script

Show

Efraim Lorenz Longkines added a comment - 15/Apr/11 9:03 AM - edited patch added for XSS vulnerability fixes with UT and Selenium Script

Hide

Permalink

Maria Catherine Tan added a comment - 26/Apr/11 6:30 PM

Applied patch in r1096681 with some modifications:

fixed validations in project group action and build definition action
fixed selenium scripts

Show

Maria Catherine Tan added a comment - 26/Apr/11 6:30 PM Applied patch in r1096681 with some modifications: fixed validations in project group action and build definition action fixed selenium scripts

Hide

Permalink

Maria Catherine Tan added a comment - 29/Apr/11 12:33 AM

r1097686

move validation to xml files
remove regex validation for description and just escape xml

Show

Maria Catherine Tan added a comment - 29/Apr/11 12:33 AM r1097686 move validation to xml files remove regex validation for description and just escape xml

Hide

Permalink

Maria Catherine Tan added a comment - 01/May/11 10:42 PM

TODO:
add validation to prevent xss attacks in xmlrpc

Show

Maria Catherine Tan added a comment - 01/May/11 10:42 PM TODO: add validation to prevent xss attacks in xmlrpc

Hide

Permalink

Maria Catherine Tan added a comment - 10/May/11 1:40 AM

r1101338

added validation in xmlrpc
fixed validation of artifactid in ConfigureAppearanceAction
removed regex validation of build agent description

Show

Maria Catherine Tan added a comment - 10/May/11 1:40 AM r1101338 added validation in xmlrpc fixed validation of artifactid in ConfigureAppearanceAction removed regex validation of build agent description

Hide

Permalink

Maria Catherine Tan added a comment - 10/May/11 5:52 PM

r1101669

Merge changes in trunk to 1.3.x branch

Show

Maria Catherine Tan added a comment - 10/May/11 5:52 PM r1101669 Merge changes in trunk to 1.3.x branch

Hide

Permalink

Maria Catherine Tan added a comment - 12/May/11 5:29 AM

r1102231

added ${} for allowed characters in build definition's arguments

r1102234

merge to 1.3.x branch

Show

Maria Catherine Tan added a comment - 12/May/11 5:29 AM r1102231 added ${} for allowed characters in build definition's arguments r1102234 merge to 1.3.x branch

People

Assignee:

Maria Catherine Tan

Reporter:

Efraim Lorenz Longkines

Vote (0)

Watch (0)

Dates

Created:

05/Apr/11 4:31 AM

Updated:

12/May/11 5:29 AM

Resolved:

10/May/11 5:52 PM