Creating a new directory whose name includes HTML tags results in unintended behavior - Githubissues

OSC / ood-fileexplorer

[MOVED] The Open OnDemand File Explorer

https://osc.github.io/Open-OnDemand/

MIT License

4 stars 1 forks source link

Creating a new directory whose name includes HTML tags results in unintended behavior #198

Closed ericfranz closed 5 years ago

ericfranz commented 5 years ago

Entering invalid characters into the File Explorer’s prompt for creating a new directory results in unintended directory structure changes.

screen 2019-03-13 at 4 33 36 PM

screen 2019-03-13 at 4 33 51 PM

MorganRodgers commented 5 years ago

I am unable to duplicate this behavior. When I enter the string <script>window.alert("hacked");</script> an error is logged by nginx, and that is it. An error should be shown to the user. Emoji are not treated as valid directory names even though they are supported by nfs4; they result in the same silent error.

Wondering if this was a more general UTF8 problem, I confirmed that Chinese characters are treated as valid input, as are accented Latin characters.

MorganRodgers commented 5 years ago

After a second look, I am able to duplicate with the string <script>window.alert('hacked');</script>; note the single quotes.

MorganRodgers commented 5 years ago

It appears that all the New File|Directory|Rename|Copy controls are fragile and do not permit same range of file names that the underlying file system does.

A quick fix would prevent creation of new file/directory names containing double quotes, or XML special characters.

MorganRodgers commented 5 years ago

I think that we decided on wontfix for this?

ericfranz commented 5 years ago

Possible problematic characters here (a simple test is to do mkdir foo(bar or foo<bar or foo>bar etc. and then cd into the directory to see the bad behavior):

<
>
'
( or ) results in client side JavaScript error on page because DOM.getCurrentDirName() that returns the current directory with ( or ) is passed as an argument directly to getParentDirPath function, which is using a bad approach to resolve the parent directory string:
```
> path = "/path/to/dir/name"
'/path/to/dir/name'
> dirName = "name"
'name'
> RegExp
[Function: RegExp]
> path.replace(RegExp(dirName + '$'), '');
'/path/to/dir/'
```
- instead we want essentially https://nodejs.org/api/path.html#path_path_dirname_path for client side use; or maybe just something ultra simple like: path.split("/").slice(0, -1).join("/") + "/"
/ is allowed because you can do mkdir foo/bar and it will create foo/ and then create foo/bar/

MorganRodgers commented 5 years ago

Wontfix.

ericfranz commented 4 years ago

This is fixed in 1.8.12, 1.7.16 and 1.6.23