author | Costa Tsaousis (ktsaou) <costa@tsaousis.gr> | 2018-01-29 22:11:22 +0200 |
committer | Costa Tsaousis (ktsaou) <costa@tsaousis.gr> | 2018-01-29 22:11:22 +0200 |
commit | 2ebee50887027f4ed4a4c736d6aa5b32b571f020 (patch) | |
tree | 87ffc83d4f532bb4605015a423161e98443af730 /web | |
parent | a9eca43bcc40fa5ad7b58e3055e8a2a6a685778f (diff) |
ask for XSS protection
Diffstat (limited to 'web')
-rw-r--r-- | web/dashboard.js | 17 | ||||
-rw-r--r-- | web/index.html | 45 |
2 files changed, 58 insertions, 4 deletions
diff --git a/web/dashboard.js b/web/dashboard.js
index 39e72587f6..8b950b3b3f 100644
--- a/web/dashboard.js
+++ b/web/dashboard.js
@@ -106,6 +106,7 @@ var NETDATA = window.NETDATA || {};
 NETDATA.xss = {
 enabled: (typeof netdataCheckXSS === 'undefined')?false:netdataCheckXSS,
+ enabled_for_data: (typeof netdataCheckXSS === 'undefined')?false:netdataCheckXSS,
 string: function (s) {
 if (typeof s === 'string' || typeof s === 'number' || typeof s === 'boolean')
@@ -168,15 +169,23 @@ var NETDATA = window.NETDATA || {};
 checkOptional: function(name, obj, ignore_regex) {
 if(this.enabled === true) {
- // console.log('XSS: checking "' + name + '"...');
+ console.log('XSS: checking optional "' + name + '"...');
 return this.object(name, obj, ignore_regex);
 }
 return obj;
 },
 checkAlways: function(name, obj, ignore_regex) {
- // console.log('XSS: checking "' + name + '"...');
+ console.log('XSS: checking always "' + name + '"...');
 return this.object(name, obj, ignore_regex);
+ },
+
+ checkData: function(name, obj, ignore_regex) {
+ if(this.enabled_for_data === true) {
+ console.log('XSS: checking data "' + name + '"...');
+ return this.object(name, obj, ignore_regex);
+ }
+ return obj;
 }
 };
@@ -4977,7 +4986,7 @@ var NETDATA = window.NETDATA || {};
 var data = this.getSnapshotData(key);
 if (data !== null) {
 ok = true;
- data = NETDATA.xss.checkAlways('/api/v1/data', data, this.library.xssRegexIgnore);
+ data = NETDATA.xss.checkData('/api/v1/data', data, this.library.xssRegexIgnore);
 this.updateChartWithData(data);
 }
 else {
@@ -5009,7 +5018,7 @@ var NETDATA = window.NETDATA || {};
 xhrFields: { withCredentials: true } // required for the cookie
 })
 .done(function(data) {
- data = NETDATA.xss.checkOptional('/api/v1/data', data, that.library.xssRegexIgnore);
+ data = NETDATA.xss.checkData('/api/v1/data', data, that.library.xssRegexIgnore);
 that.xhr = undefined;
 that.retries_on_data_failures = 0;
diff --git a/web/index.html b/web/index.html
index d31dc57b6a..a0d894bfe8 100644
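Review bot: `enabled_for_data` is added next to `enabled` without saying how the two gates differ, and nothing in this hunk ties it to the `/api/v1/data` path it guards. A reader of the object sees two flags initialised from the same `netdataCheckXSS` value and has to search for `checkData` to learn that only chart data is affected by the second one. Suggest a comment on the new line: `// gates only /api/v1/data responses (see checkData); 'enabled' gates every other check`. The NETDATA.xss object continues past this hunk.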
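Review bot: The `console.log` calls in `checkOptional`, `checkAlways` and the new `checkData` are now unconditional, so every `/api/v1/data` response routed through `checkData` (the @@ -4977 and @@ -5009 hunks) writes a line to the console on each chart refresh. That turns what was a commented-out debug trace into steady console noise on every dashboard, and it is easy to forget to remove. Either restore the comments or guard them with a flag on this object, e.g. `if (this.debug === true) console.log('XSS: checking data "' + name + '"...');` together with a `debug: false` member, so the trace can be switched on when needed.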
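Review bot: Switching the snapshot branch from `checkAlways` to `checkData` makes the check on snapshot data conditional where it was unconditional before: `enabled_for_data` starts out as `netdataCheckXSS` (false when that global is undefined), so data returned by `getSnapshotData` is only checked if some caller has set the flag. The import path in index.html does set it, but any other way a snapshot reaches this branch would now be rendered unchecked, and a snapshot file is input the user obtained from elsewhere. The same gate change applies to the XHR branch in the @@ -5009 hunk, which previously honoured `enabled`. If the intent is to check snapshot data by default, initialise `enabled_for_data` independently of `netdataCheckXSS` or keep `checkAlways` here; at minimum add `// snapshot data is only checked when the importer has set enabled_for_data` so the assumption is visible. The enclosing function starts and ends outside the hunk.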
--- a/web/index.html
+++ b/web/index.html
@@ -3206,6 +3206,7 @@
 $('#loadSnapshotImport').addClass('disabled');
 if(tmpSnapshotData === null) {
+ loadSnapshotPreflightEmpty();
 loadSnapshotModalLog('danger', 'no data have been loaded');
 return;
 }
@@ -3272,7 +3273,11 @@
 urlOptions.highlight = false;
 }
+ netdataCheckXSS = false; // disable the modal - this does not affect XSS checks, since dashboard.js is already loaded
+ NETDATA.xss.enabled = true; // we should not do any remote requests, but if we do, check them
+ NETDATA.xss.enabled_for_data = true; // check also snapshot data - that have been excluded from the initial check, due to compression
 initializeDynamicDashboard();
+ loadSnapshotPreflightEmpty();
 });
 });
 };
@@ -4318,6 +4323,13 @@
 NETDATA.globalPanAndZoom.setMaster(NETDATA.options.targets[0], netdataSnapshotData.after_ms, netdataSnapshotData.before_ms);
 }
+ if(typeof netdataCheckXSS !== 'undefined' && netdataCheckXSS === true) {
+ setTimeout(function() {
+ document.getElementById('netdataXssModalServer').innerText = netdataServer;
+ $('#xssModal').modal('show');
+ }, 1000);
+ }
+
 // var netdataEnded = performance.now();
 // console.log('start up time: ' + (netdataEnded - netdataStarted).toString() + ' ms');
 }
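Review bot: `netdataCheckXSS = false;` in the @@ -3272 hunk assigns a bare identifier; the `typeof netdataCheckXSS !== 'undefined'` guard in the @@ -4318 hunk shows the script already expects the name may never have been declared, and in that case this line creates an implicit global in sloppy mode and throws a ReferenceError under `'use strict'`. Writing `window.netdataCheckXSS = false;` states the intent and behaves the same in both modes. The enclosing callback starts before the hunk.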
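Review bot: In the @@ -4318 hunk the modal is shown a second after start-up while both `NETDATA.xss` flags are still at their initial value, which is `netdataCheckXSS` and therefore true inside this `if`; a user who dismisses the modal with the close button or the backdrop keeps the checks on. That fail-safe default is the important property of this block, yet nothing states it, and `1000` is an unexplained delay. Suggest `// both xss flags default to netdataCheckXSS (true here), so closing the modal without choosing keeps the checks on` above the `setTimeout`, and a short reason for the one-second delay on the `}, 1000);` line. The enclosing function starts before the hunk.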
@@ -4579,6 +4591,39 @@
 </div>
 </div>
+ <div class="modal fade" id="xssModal" tabindex="-1" role="dialog" aria-labelledby="xssModalLabel">
+ <div class="modal-dialog modal-lg" role="document">
+ <div class="modal-content">
+ <div class="modal-header">
+ <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>
+ <h4 class="modal-title" id="xssModalLabel">XSS Protection</h4>
+ </div>
+ <div class="modal-body">
+ <p>
+ This dashboard is now rendering data of server:
+ </p>
+ <p style="font-size: 1.25em;">
+ <code id="netdataXssModalServer"></code>
+ </p>
+ <p>
+ To protect your privacy, the dashboard is <b>checking all data transferred</b> for cross site scripting (XSS).
+ This is CPU intensive, so your browser might be a bit slower.
+ </p>
+ <p>
+ If you <b>trust</b> the remote server, you can disable XSS protection, to speed it up.
+ <br/>
+ If you <b>don't trust</b> the remote server, you better keep it on. The dashboard will be a bit slower,
+ but better be safe, than sorry...
+ </p>
+ </div>
+ <div class="modal-footer">
+ <a href="#" onclick="NETDATA.xss.enabled = true; NETDATA.xss.enabled_for_data = true; return false;" type="button" class="btn btn-success" data-dismiss="modal">Keep protecting me</a>
+ <a href="#" onclick="NETDATA.xss.enabled = false; NETDATA.xss.enabled_for_data = false; return false;" type="button" class="btn btn-danger" data-dismiss="modal">I don't need this, the server is mine</a>
+ </div>
+ </div>
+ </div>
+ </div>
+
 <div class="modal fade" id="printPreflightModal" tabindex="-1" role="dialog" aria-labelledby="printPreflightModalLabel">
 <div class="modal-dialog modal-lg" role="document">
 <div class="modal-content">
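Review bot: The two footer actions are `<a href="#">` elements carrying inline `onclick` attributes; inline handlers are refused by any Content-Security-Policy that omits `'unsafe-inline'`, and an anchor with `href="#"` is a link standing in for a button. The page already drives this modal from script (`$('#xssModal').modal('show')` in the @@ -4318 hunk), so the controls can be real buttons with ids and the flag changes bound there. The markup and the two binding lines below replace the anchors; the binding lines belong in the existing start-up script next to the `modal('show')` call.
```html
<!-- … unchanged: modal header and body … -->
<div class="modal-footer">
  <button type="button" id="xssModalKeep" class="btn btn-success" data-dismiss="modal">Keep protecting me</button>
  <button type="button" id="xssModalDisable" class="btn btn-danger" data-dismiss="modal">I don't need this, the server is mine</button>
</div>
<!-- … unchanged: closing divs … -->
<!-- in the existing start-up script, next to $('#xssModal').modal('show'): -->
$('#xssModalKeep').on('click', function () { NETDATA.xss.enabled = true; NETDATA.xss.enabled_for_data = true; });
$('#xssModalDisable').on('click', function () { NETDATA.xss.enabled = false; NETDATA.xss.enabled_for_data = false; });
```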