Protecting HTML UI from XSS injection.

Nelson Araujo · Nelson Araujo · commit fad0b75172f8 · 2017-09-29T11:32:29.000-07:00
diff --git a/lib/puppet_forge_server/app/frontend.rb b/lib/puppet_forge_server/app/frontend.rb
@@ -45,12 +45,18 @@ def initialize(root, http_client = PuppetForgeServer::Http::HttpClient.new)
 
     get '/modules' do
       query = params[:query]
+      halt(400, haml(:security, :locals => {:query => query})) \
+        unless safe_input? query
+
       modules = get("#{request.base_url}/v3/modules?query=#{query}")['results']
       haml :modules, :locals => {:query => query, :modules => modules}
     end
 
     get '/module' do
       module_v3_name = params[:name].gsub(/\//, '-')
+      halt(400, haml(:security, :locals => {:query => module_v3_name})) \
+        unless safe_input? module_v3_name
+
       releases = get("#{request.base_url}/v3/modules/#{module_v3_name}")['releases']
       if params.has_key? 'version'
         module_uri = releases.find {|r| r['version'] == params['version']}['uri']
@@ -63,7 +69,10 @@ def initialize(root, http_client = PuppetForgeServer::Http::HttpClient.new)
       rescue
         readme_markdown = ''
       end
-      haml :module, :locals => { :module_metadata => module_metadata, :base_url => request.base_url, :readme_markdown => readme_markdown, :releases => releases }
+      haml :module, :locals => { :module_metadata => module_metadata,
+                                 :base_url => request.base_url,
+                                 :readme_markdown => readme_markdown,
+                                 :releases => releases }
     end
 
     get '/upload' do
@@ -84,5 +93,10 @@ def get(relative_url)
         {'results' => []}
       end
     end
+
+    def safe_input?(query)
+      unsafe_query = CGI::unescape(query)
+      %w[< javascript:].none? { |q| unsafe_query.include?(q) }
+    end
   end
 end
diff --git a/lib/puppet_forge_server/app/views/security.haml b/lib/puppet_forge_server/app/views/security.haml
@@ -0,0 +1,20 @@
+-# -*- encoding: utf-8 -*-
+-#
+-# Copyright 2014 North Development AB
+-#
+-# Licensed under the Apache License, Version 2.0 (the "License");
+-# you may not use this file except in compliance with the License.
+-# You may obtain a copy of the License at
+-#
+-# http://www.apache.org/licenses/LICENSE-2.0
+-#
+-# Unless required by applicable law or agreed to in writing, software
+-# distributed under the License is distributed on an "AS IS" BASIS,
+-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-# See the License for the specific language governing permissions and
+-# limitations under the License.
+
+%h3.search-results-title Security violation
+
+%h4 The query provided contains illegal or dangerous characters.
+Please clean them up and try again.
