[ARVADOS] created: 1.3.0-2369-gf36dffa91
Git user
git at public.arvados.org
Thu Mar 26 16:33:11 UTC 2020
at f36dffa91a233b429a4ca3d4489d1cbb3baf5720 (commit)
commit f36dffa91a233b429a4ca3d4489d1cbb3baf5720
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Mon Mar 23 18:07:56 2020 -0300
16266: Applies monkeypatch to fix CVE-2020-5267 on workbench1.
As advised on https://github.com/advisories/GHSA-65cv-r6x7-79hv
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/apps/workbench/config/initializers/actionview_xss_fix.rb b/apps/workbench/config/initializers/actionview_xss_fix.rb
new file mode 100644
index 000000000..3f5e239ef
--- /dev/null
+++ b/apps/workbench/config/initializers/actionview_xss_fix.rb
@@ -0,0 +1,32 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+# This is related to:
+# * https://github.com/advisories/GHSA-65cv-r6x7-79hv
+# * https://nvd.nist.gov/vuln/detail/CVE-2020-5267
+#
+# Until we upgrade to rails 5.2, this monkeypatch should be enough
+ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+ {
+ "`" => "\\`",
+ "$" => "\\$"
+ }
+)
+
+module ActionView::Helpers::JavaScriptHelper
+ alias :old_ej :escape_javascript
+ alias :old_j :j
+
+ def escape_javascript(javascript)
+ javascript = javascript.to_s
+ if javascript.empty?
+ result = ""
+ else
+ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+ end
+ javascript.html_safe? ? result.html_safe : result
+ end
+
+ alias :j :escape_javascript
+end
\ No newline at end of file
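Review bot: The `alias :old_ej :escape_javascript` and `alias :old_j :j` lines at the top of the module body are never referenced afterwards, so their only effect is to keep the unpatched implementation callable under two new names; either drop both aliases or add a comment saying why the originals are retained. The override's regex keeps `[`]|[$]` as separate alternatives, which could be folded into the existing class as `[\n\r"'`$]` without changing which characters match. Since the header comment scopes this patch to "until we upgrade", consider guarding the block with `unless ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.key?("`")` so the initializer becomes a no-op once the framework ships its own fix, instead of silently redefining the method on top of the upstream one.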
commit ed502ed611a4ac8378886fbd930602ca803e73e8
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Thu Mar 26 13:29:40 2020 -0300
16266: Adds tests exposing potential XSS vulnerability on escape_javascript()
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/apps/workbench/test/unit/helpers/javascript_helper_test.rb b/apps/workbench/test/unit/helpers/javascript_helper_test.rb
new file mode 100644
index 000000000..9d5a55345
--- /dev/null
+++ b/apps/workbench/test/unit/helpers/javascript_helper_test.rb
@@ -0,0 +1,17 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+require 'test_helper'
+
+# Tests XSS vulnerability monkeypatch
+# See: https://github.com/advisories/GHSA-65cv-r6x7-79hv
+class JavascriptHelperTest < ActionView::TestCase
+ def test_escape_backtick
+ assert_equal "\\`", escape_javascript("`")
+ end
+
+ def test_escape_dollar_sign
+ assert_equal "\\$", escape_javascript("$")
+ end
+end
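Review bot: `test_escape_backtick` and `test_escape_dollar_sign` exercise each new character only in isolation, so a regression in the regex alternation that still leaves the map entries intact would pass; a combined case such as `assert_equal "\\`\\${x}\\`", escape_javascript("`${x}`")` would pin the end-to-end substitution. An assertion like `assert escape_javascript("`".html_safe).html_safe?` would also cover the safe-flag propagation the override reimplements, which is the part most likely to drift from the upstream method.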