search

TheCoder4eu / BootsFaces-OSP

BootsFaces - Open Source Project
Apache License 2.0
247 stars 102 forks source link

XSS vulnerability in DateTimePicker Component due to lack of xml escaping #1133

Closed rgdoms closed 4 years ago

rgdoms commented 4 years ago

During some security tests, we concluded that although DateTimePicker escapes XML content in value field, the same is used in the generated script, in date field, without escaping. This allows cross site scripting and unwanted code may be run by malicious actions.

Checkout the following examples. Here we forced the value (by editing the Html) with a js script. In the renderer generated code, markup code is escaped here: <input type="text" id="myform:myperiod_Input" name="myform:myperiod" class="form-control bf-required" placeholder="aaaa - mm" value="2020 - 02--&gt;&lt;/sCrIpT&gt;&lt;sCrIpT&gt;alert(51845)&lt;/sCrIpT&gt;" />

And here, it is not. </script><script>$(function () { $('#myform\\:myPeriodOuter').datetimepicker({ ignoreReadonly: false, allowInputToggle: true, collapse: true, dayViewHeaderFormat: 'MMMM YYYY', focusOnShow: true, minDate: '2020-01', maxDate: '2020-03-30', stepping: 1, toolbarPlacement: 'default', viewMode: 'days', useCurrent:false,date: moment('2020 - 02--></sCrIpT><sCrIpT>alert(51845)</sCrIpT>', 'YYYY - MM'), locale: 'pt', format: 'YYYY - MM'});});</script>

This is due to the following: In DateTimePickerRenderer the value is written via writeAttribute method of ResponseWriter class, that ensures that markup code is escaped.

https://github.com/TheCoder4eu/BootsFaces-OSP/blob/c8ca2c32fc18af0de98d6ce4297a5a45d6915479/src/main/java/net/bootsfaces/component/dateTimePicker/DateTimePickerRenderer.java#L261-L262

In the generated script, the renderer gets the value and no escaping is performed. getValueAsString calls getDateAsString, and this calls getInternalDateAsString that returns a formated date, or getAsString from a custom converter (which is our case).

https://github.com/TheCoder4eu/BootsFaces-OSP/blob/c8ca2c32fc18af0de98d6ce4297a5a45d6915479/src/main/java/net/bootsfaces/component/dateTimePicker/DateTimePickerRenderer.java#L392-L393 https://github.com/TheCoder4eu/BootsFaces-OSP/blob/c8ca2c32fc18af0de98d6ce4297a5a45d6915479/src/main/java/net/bootsfaces/component/dateTimePicker/DateTimePickerRenderer.java#L435

Thanks

stephanrauh commented 4 years ago

That doesn't sound good. I can't promise anything, but I intend to have a close look at this bug this week-end. Thanks for pointing this out and for your thorough analysis!

stephanrauh commented 4 years ago

I've just fixe. the bug by adding the OWASP HTML sanitizer. I've published a new 1.5.0-SNAPSHOT on Maven Central. Can you check if this fixes the vulnerability?

Thanks in advance, Stephan