authorCosta Tsaousis <costa@tsaousis.gr>2018-09-18 13:34:27 +0300
committerGitHub <noreply@github.com>2018-09-18 13:34:27 +0300
commit8e0b0bcb551ac14d2b24bbf2551ef9f6cd96e405 (patch)
treea0d6213f38c94c967998e6059bf238bd7149974e /web
parented289f31f6ee62ce4f7c066b706e2e8043416285 (diff)
fixes identified by LGTM (#4220)
* fixes identified by LGTM * fixed hex of quote and slash * fixed hex of quote and slash on all files * escape more characters * removed test * do not read document.location * exclude full subpaths for LGTM * exclude the tests path * excluded lgtm paths in quotes * excluded sub-paths on LGTM * fix xss identified by LGTM
Diffstat (limited to 'web')
-rw-r--r--web/dashboard.js2
-rw-r--r--web/goto-host-from-alarm.html31
-rw-r--r--web/index.html41
3 files changed, 51 insertions, 23 deletions
diff --git a/web/dashboard.js b/web/dashboard.js
index 93b4861f6f..2e58aef390 100644
--- a/web/dashboard.js
+++ b/web/dashboard.js
@@ -118,7 +118,7 @@ var NETDATA = window.NETDATA || {};
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
- .replace(/'/g, '#27;');
+ .replace(/'/g, '&#39;');
},
object: function(name, obj, ignore_regex) {
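Review bot: The corrected `&#39;` entity is right, but the replacement chain visible here still does not escape `&`, while the two copies of the same escaper added elsewhere in this commit start with `.replace(/&/g, '&amp;')`. If the line above the hunk (the start of this `html:` method, which is outside the visible lines) does not already handle `&`, an input such as `&lt;script&gt;` is passed through as markup-significant text and the three escapers in this commit disagree on what they guarantee. Add `.replace(/&/g, '&amp;')` as the first replacement, before `<`, so later entities are not double-decoded, and document the contract on the method: `// escapes text for insertion into HTML element content or a quoted attribute; does NOT make a URL safe for href`.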
diff --git a/web/goto-host-from-alarm.html b/web/goto-host-from-alarm.html
index db67033602..4800ae8028 100644
--- a/web/goto-host-from-alarm.html
+++ b/web/goto-host-from-alarm.html
@@ -22,11 +22,24 @@
<script type="text/javascript" src="dashboard.js?v20170724-7"></script>
<script>
-function escapeUserInputXss(s) {
- return s.toString().replace(/</g, '&lt;')
+function escapeUserInputHTML(s) {
+ return s.toString()
+ .replace(/&/g, '&amp;')
+ .replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
- .replace(/'/g, '#27;');
+ .replace(/#/g, '&#35;')
+ .replace(/'/g, '&#39;')
+ .replace(/\(/g,'&#40;')
+ .replace(/\)/g,'&#41;')
+ .replace(/\//g,'&#47;');
+}
+function escapeUserInputJS(s) {
+ return s.toString()
+ .replace(/"/g, '&quot;')
+ .replace(/'/g, '&#39;')
+ .replace(/\(/g,'&#40;')
+ .replace(/\)/g,'&#41;');
}
var urlOptions = {
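Review bot: `escapeUserInputJS` is misnamed and its contract is undocumented: it emits HTML character references, not JavaScript string escapes, and the call sites in this file use its output as an `href` attribute value and as a `document.location` target. In an `href`, the HTML parser decodes `&#40;`/`&#41;`/`&#39;` back to `(`/`)`/`'` before the URL is resolved, so this function does not neutralise a `javascript:` URL; and a value assigned to `document.location` is never entity-decoded, so the same encoding corrupts any legitimate URL containing those characters. Rename it to something like `escapeUserInputAttr`, add `.replace(/&/g, '&amp;')` as its first step, and add a header comment: `// HTML-attribute escaping only. Does not validate URLs: check the scheme (http/https) before using a value as href or a navigation target.` A small scheme guard next to it, e.g. `function isHttpUrl(u) { return /^https?:\/\//i.test(String(u)); }`, gives the call sites something correct to use.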
@@ -94,7 +107,7 @@ function gotoServerValidateUrl(id, guid, url) {
var finalURL = netdataURL(url);
setTimeout(function() {
- document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputXss(finalURL) + '" target="_blank">' + escapeUserInputXss(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
+ document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputJS(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
NETDATA.registry.hello(url, function(data) {
if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) {
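Review bot: On the new `innerHTML +=` line, `guid` and `id` are still concatenated raw into the `id="..."` attribute while `url` and `finalURL` on the same line are now escaped; if `guid` originates from the registry response like `url` does (its origin is outside this hunk), it should go through the same attribute escaper: `'<code id="' + escapeUserInputJS(guid) + '-' + id + '-status">'`. Entity-encoding `finalURL` for `href` also does not stop a non-http scheme, because the browser decodes the entities before resolving the link; a scheme check on `finalURL` before the anchor is built is what actually closes that. The enclosing `gotoServerValidateUrl` starts above this hunk and continues below it.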
@@ -107,11 +120,11 @@ function gotoServerValidateUrl(id, guid, url) {
if(gotoServerMiddleClick) {
window.open(finalURL);
gotoServerMiddleClick = false;
- document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputXss(finalURL) + '">' + escapeUserInputXss(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
+ document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputJS(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
}
else {
- document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + url + '</small>';
- document.location = finalURL;
+ document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>';
+ document.location = escapeUserInputJS(finalURL);
}
}
}
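Review bot: `document.location = escapeUserInputJS(finalURL);` applies HTML entity encoding to a navigation target, which is the wrong context: the assigned string is not HTML-decoded, so a server URL containing `'`, `"`, `(` or `)` (e.g. in a query string) is turned into a different URL, and a `javascript:` value is not prevented because none of those characters are needed to write one. Replace it with a scheme check that refuses anything other than http(s), e.g. `if (/^https?:\/\//i.test(finalURL)) document.location = finalURL;`, and do the same before `window.open(finalURL)` two lines above. On the `Opening new window to` line, `NETDATA.registry.machines[guid].name` is still inserted into innerHTML unescaped while `url` beside it is escaped; wrap it in `escapeUserInputHTML(...)`. The enclosing `gotoServerValidateUrl` begins outside this hunk.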
@@ -127,7 +140,7 @@ function gotoServerValidateUrl(id, guid, url) {
if(thisIsHttps === true && urlsInHttp > 0) {
document.getElementById('gotoServerResponse').innerHTML += '<br/>redirecting myself to HTTP to allow checking';
- document.location = document.location.toString().replace('https://', 'http://');
+ document.location = escapeUserInputJS(document.location.toString().replace('https://', 'http://'));
}
}
}
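Review bot: Wrapping the page's own location in `escapeUserInputJS` before assigning it back to `document.location` changes the URL rather than protecting anything: the entities are not decoded on navigation, so a current URL whose query or fragment contains `'`, `"`, `(` or `)` redirects to a broken address, and the value is the already-loaded page URL, not untrusted input. Drop the escaper and anchor the replacement to the scheme position so only the prefix is rewritten: `document.location = document.location.toString().replace(/^https:\/\//, 'http://');`. The deliberate HTTPS-to-HTTP downgrade itself predates this commit and is stated in the message above it; a comment noting why it is acceptable here (mixed-content check of http-only servers) would help the next reader.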
@@ -192,7 +205,7 @@ var netdataRegistryCallback = function(machines_array) {
}
}
- document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputXss(urlOptions.host) + '</b>';
+ document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputHTML(urlOptions.host) + '</b>';
};
netdataQueryParse();
diff --git a/web/index.html b/web/index.html
index 24d821ef6c..5f6d929234 100644
--- a/web/index.html
+++ b/web/index.html
@@ -580,11 +580,24 @@
// control the welcome modal and analytics
var this_is_demo = null;
- function escapeUserInputXss(s) {
- return s.toString().replace(/</g, '&lt;')
+ function escapeUserInputHTML(s) {
+ return s.toString()
+ .replace(/&/g, '&amp;')
+ .replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
- .replace(/'/g, '#27;');
+ .replace(/#/g, '&#35;')
+ .replace(/'/g, '&#39;')
+ .replace(/\(/g,'&#40;')
+ .replace(/\)/g,'&#41;')
+ .replace(/\//g,'&#47;');
+ }
+ function escapeUserInputJS(s) {
+ return s.toString()
+ .replace(/"/g, '&quot;')
+ .replace(/'/g, '&#39;')
+ .replace(/\(/g,'&#40;')
+ .replace(/\)/g,'&#41;');
}
// --------------------------------------------------------------------
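Review bot: These two escapers are a verbatim copy of the pair added to `goto-host-from-alarm.html` in the same commit, and both pages already load `dashboard.js`, which carries its own HTML escaper (its `html:` method is touched by this commit); three hand-maintained copies of security-relevant code will drift, as the `&` handling already does between them. Move `escapeUserInputHTML`/`escapeUserInputJS` into the `NETDATA` namespace in `dashboard.js` and call them from both pages. While doing so, rename `escapeUserInputJS` (it produces HTML entities, not JS escapes) and give each a one-line contract, e.g. `// escapes for HTML element content` and `// escapes for a quoted HTML attribute value; does not make a URL safe for href or navigation`.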
@@ -1102,7 +1115,8 @@
document.location.hostname.endsWith('.mynetdata.io') ||
document.location.hostname.endsWith('.netdata.rocks') ||
document.location.hostname.endsWith('.firehol.org') ||
- document.location.hostname.endsWith('.netdata.online'))
+ document.location.hostname.endsWith('.netdata.online') ||
+ document.location.hostname.endsWith('.netdata.cloud'))
this_is_demo = true;
}
}
@@ -1112,7 +1126,8 @@
function netdataURL(url, forReload) {
if(typeof url === 'undefined')
- url = document.location.toString();
+ // url = document.location.toString();
+ url = '';
if(url.indexOf('#') !== -1)
url = url.substring(0, url.indexOf('#'));
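Review bot: The commented-out `// url = document.location.toString();` should be deleted rather than left beside its replacement, and the reason for the change belongs in a comment instead, since `url = ''` is a behaviour change for callers that omit the argument: `netdataURL()` now returns only the hash portion (a relative URL) rather than the absolute page URL. Something like `// deliberately not seeded from document.location: callers insert the result into the DOM, so only the hash is carried over` records the intent the commit message attributes to LGTM. The function continues below this hunk, so whether any caller still depends on the absolute form cannot be confirmed from here.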
@@ -1121,7 +1136,7 @@
// console.log('netdataURL: ' + url + hash);
- return escapeUserInputXss(url + hash);
+ return url + hash;
}
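Review bot: With the escaping removed from `return url + hash;`, `netdataURL` now returns a raw string and every caller is responsible for escaping it for its own context, but nothing in the function says so; the call sites in this commit then apply HTML entity escaping both in `href` and in `document.location`, which shows the contract is not understood uniformly. Add a JSDoc note above the function (whose signature is outside this hunk): `// Returns an unescaped URL. Callers must escape it for HTML text or attribute context, and must check the scheme is http/https before using it for navigation.`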
function netdataReload(url) {
@@ -1141,13 +1156,13 @@
var gotoServerMiddleClick = false;
var gotoServerStop = false;
function gotoServerValidateUrl(id, guid, url) {
- var penaldy = 0;
+ var penalty = 0;
var error = 'failed';
if(document.location.toString().startsWith('http://') && url.toString().startsWith('https://'))
// we penalize https only if the current url is http
// to allow the user walk through all its servers.
- penaldy = 500;
+ penalty = 500;
else if(document.location.toString().startsWith('https://') && url.toString().startsWith('http://'))
error = 'can\'t check';
@@ -1155,7 +1170,7 @@
var finalURL = netdataURL(url);
setTimeout(function() {
- document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + finalURL + '" target="_blank">' + url + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
+ document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputJS(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
NETDATA.registry.hello(url, function(data) {
if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) {
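Review bot: `escapeUserInputJS(finalURL)` inside `href="..."` prevents breaking out of the attribute but does not prevent a `javascript:` or other non-http URL from the registry becoming a clickable link, because the HTML parser decodes `&#40;`/`&#41;` back to parentheses before the URL is resolved. Validate the scheme before building the row, e.g. `if (!/^https?:\/\//i.test(finalURL)) return;` at the top of the timer callback, and keep the attribute escaping for quote safety. `guid` and `id` are still concatenated raw into the `id` attribute on the same line; if `guid` can come from the registry (its origin is outside this hunk) it needs the same escaper. The enclosing `gotoServerValidateUrl` starts above this hunk.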
@@ -1168,10 +1183,10 @@
if(gotoServerMiddleClick) {
window.open(finalURL, '_blank');
gotoServerMiddleClick = false;
- document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + finalURL + '">' + url + '</a></b><br/>(check your pop-up blocker if it fails)';
+ document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputJS(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
}
else {
- document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + url + '</small>';
+ document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>';
document.location = finalURL;
}
}
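Review bot: `document.location = finalURL;` and `window.open(finalURL, '_blank')` navigate to a registry-supplied URL with no scheme check, and the sibling page in this commit wraps the same assignment in `escapeUserInputJS`, so the two files now behave differently while neither addresses the actual risk; entity encoding is wrong for a navigation target anyway. Guard both with a scheme test, e.g. `if (/^https?:\/\//i.test(finalURL)) document.location = finalURL;`. On the `Opening new window to` line, `NETDATA.registry.machines[guid].name` is still inserted into innerHTML unescaped while `url` next to it is escaped; wrap it in `escapeUserInputHTML(...)`. The enclosing `gotoServerValidateUrl` begins and ends outside this hunk.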
@@ -1188,7 +1203,7 @@
}
}
});
- }, (id * 50) + penaldy);
+ }, (id * 50) + penalty);
}
function gotoServerModalHandler(guid) {
@@ -5740,6 +5755,6 @@
</div>
</div>
<div id="hiddenDownloadLinks" style="display: none;" hidden></div>
- <script type="text/javascript" src="dashboard.js?v20180917-1"></script>
+ <script type="text/javascript" src="dashboard.js?v20180918-1"></script>
</body>
</html>