graphite-project / graphite-web

A highly scalable real-time graphing system
http://graphite.readthedocs.org/
Apache License 2.0

[BUG] Self-XSS in "Absolute Time Range" #2746

Open takyoni opened 2 years ago

takyoni commented 2 years ago

Describe the bug
It's possible to execute JS in the application context by modifying the "Absolute Time Range".

To Reproduce
1. Access a new dashboard in a graphite-web instance (i.e. http://localhost/dashboard).
2. Use the "Absolute Time Range".
3. Write in Start Date: <img src=1 onerror=alert()>
4. Write in End Date: <img src=1 onerror=alert()>
5. Hover the mouse over these fields.

Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots: Screenshot (2046), Screenshot (2047)

Environment (please complete the following information):
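The mitigation suggested in the report ("sanitize the value before using it") has two parts in practice: only accept values that actually look like a date, and HTML-escape anything that is rendered into markup such as a hover text. The following is an added example written for this thread; it is not graphite-web or ExtJS code. The date format "YYYY-MM-DD HH:MM", the `validateDate`/`rangeTooltipHtml` helper names and the sample inputs are assumptions made for the example.

```javascript
// Added example (not graphite-web's or ExtJS's code): defensive handling of a
// user-supplied date-range string before it is placed into HTML (e.g. a tooltip).
// Layer 1: allow-list validation, so anything that is not a date is rejected.
// Layer 2: HTML escaping of whatever is rendered, so a rejected or unexpected
// value is shown as text and never becomes active content.

// Characters with special meaning in HTML and their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string for safe insertion as HTML text or as an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed input format for the absolute-range fields: "YYYY-MM-DD HH:MM".
// Anything else is treated as invalid.
const DATE_RE = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2})$/;

function pad(n, width = 2) {
  return String(n).padStart(width, '0');
}

// Returns a canonical "YYYY-MM-DD HH:MM" string if the value parses, else null.
function validateDate(value) {
  const m = DATE_RE.exec(String(value).trim());
  if (!m) return null;
  const [, y, mo, d, h, mi] = m.map(Number);
  const date = new Date(Date.UTC(y, mo - 1, d, h, mi));
  // Date() silently rolls over out-of-range parts (e.g. Feb 30 -> Mar 1);
  // compare each component back so such inputs are rejected too.
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo - 1 ||
      date.getUTCDate() !== d || date.getUTCHours() !== h ||
      date.getUTCMinutes() !== mi) {
    return null;
  }
  return `${pad(y, 4)}-${pad(mo)}-${pad(d)} ${pad(h)}:${pad(mi)}`;
}

// Build the hover text for the range fields. An invalid value yields a fixed
// message plus the escaped raw input, so the user can see what was rejected
// without the browser interpreting it as markup.
function rangeTooltipHtml(startRaw, endRaw) {
  const start = validateDate(startRaw);
  const end = validateDate(endRaw);
  if (start === null || end === null) {
    const bad = start === null ? startRaw : endRaw;
    return `<span class="error">Invalid date: ${escapeHtml(bad)}</span>`;
  }
  return `<span>From ${escapeHtml(start)} to ${escapeHtml(end)}</span>`;
}

// Constructed sample: one valid range and one containing the report's payload.
console.log(rangeTooltipHtml('2024-03-05 09:07', '2024-03-06 00:00'));
console.log(rangeTooltipHtml('<img src=1 onerror=alert()>', '2024-03-06 00:00'));
```

When the value is written into the DOM directly, prefer `element.textContent = value` or `element.setAttribute('title', value)` over building an HTML string at all; the escaping above is for the case where a widget (such as a tooltip renderer) insists on an HTML string.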

deniszh commented 1 year ago

Looks like it's not fixed in #2785 :( /cc @msaf1980

msaf1980 commented 1 year ago

@deniszh I already updated our staging (and production today). Now I can't reproduce the issue (and could before the update). No alert window in the web front end, and dangerous symbols are escaped.

msaf1980 commented 1 year ago

As I think, the bug is in the ExtJS DateField.