ncbo / bioportal-project

Serves to consolidate (in Zenhub) all public issues in BioPortal
BSD 2-Clause "Simplified" License
7 stars, 5 forks

add user input validation #279

Open alexskr opened 1 year ago

alexskr commented 1 year ago

Add necessary user input validation for various properties/fields in user, ontology, notes, projects, etc., in order to mitigate Cross-Site Scripting vulnerabilities.

Here is an example of a persistent XSS vulnerability which will run malicious JavaScript in the user's browser when they access OntoPortal:

```json
{
    "administeredBy": [
        "https://test.example.org:8443/users/haxor"
    ],
    "acronym": "BADDY",
    "name": "<input type=\"text\" value=\"jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(2)//>\\x3e\"></input>",
    "summaryOnly": null,
    "flat": null,
    "ontologyType": "https://test.example.org:8443/ontology_types/ONTOLOGY",
    "@id": "https://test.example.org:8443/ontologies/BADDY",
    "@type": "http://data.bioontology.org/metadata/Ontology"
}
```

Most of the fields should be restricted to alphanumeric characters, plus perhaps space, underscore, and dash, in names/descriptions/etc. of ontologies/users/notes/projects.

syphax-bouazzouni commented 1 year ago

Yeah, totally agree on this. I think it should be implemented at the level of Goo, where each of our attribute getters always calls html_escape if the value is a string.
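The two mitigations discussed above (the allow-list validation from the first comment and the `html_escape`-on-read idea from the second), written as stand-alone Ruby helpers. This is an added example, not code from BioPortal or Goo; `SAFE_NAME`, `validate_name`, `safe_name?` and `html_escape` are hypothetical names, and the sample payload is a copy of the ontology name quoted in the issue.

```ruby
require 'cgi'

# Added example (not BioPortal/Goo code) showing the two defenses raised in
# this issue:
#   1. input validation: restrict short identifying fields to the character
#      set suggested above (letters, digits, space, underscore, dash);
#   2. output encoding: HTML-escape any string attribute before it can reach
#      a browser, as a fallback for fields that must allow richer text.

# Hypothetical allow-list, following the issue's suggestion.
SAFE_NAME = /\A[A-Za-z0-9 _-]+\z/

# Returns the name unchanged when it is acceptable, raises otherwise.
def validate_name(name, max_len: 200)
  raise ArgumentError, 'name must be a String' unless name.is_a?(String)
  raise ArgumentError, 'name too long' if name.length > max_len
  raise ArgumentError, 'name contains disallowed characters' unless SAFE_NAME.match?(name)
  name
end

# Boolean convenience wrapper around validate_name.
def safe_name?(name)
  validate_name(name)
  true
rescue ArgumentError
  false
end

# Output-side escaping, the html_escape idea from the second comment.
# CGI.escapeHTML encodes & < > " and ', so the result is inert both in an
# HTML text node and inside a double-quoted attribute. Non-strings pass through.
def html_escape(value)
  value.is_a?(String) ? CGI.escapeHTML(value) : value
end

# Constructed sample: the "name" payload quoted in the issue (single-quoted
# Ruby string, so \\ is one backslash and \' is one quote).
XSS_PAYLOAD = '<input type="text" value="jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(2)//>\\x3e"></input>'

if __FILE__ == $PROGRAM_NAME
  puts safe_name?('Gene Ontology')   # true
  puts safe_name?(XSS_PAYLOAD)       # false
  puts html_escape(XSS_PAYLOAD)      # &lt;input type=&quot;text&quot; ...
end
```

Validation rejects the payload outright; escaping is the second layer for fields (descriptions, note bodies) where a strict allow-list is too restrictive.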