SECURITY: XSS in routes
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
This commit is contained in:
parent
463db22928
commit
13f38055ac
|
@ -54,7 +54,9 @@ export default Ember.Object.extend({
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// It's serializable as a string if not an object
|
// It's serializable as a string if not an object
|
||||||
return `${path}/${findArgs}${extension ? extension : ""}`;
|
return `${path}/${encodeURIComponent(findArgs)}${
|
||||||
|
extension ? extension : ""
|
||||||
|
}`;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return path;
|
return path;
|
||||||
|
|
|
@ -11,7 +11,7 @@ export default Discourse.Route.extend({
|
||||||
this.replaceWith("discovery.latest").then(e => {
|
this.replaceWith("discovery.latest").then(e => {
|
||||||
if (params.username) {
|
if (params.username) {
|
||||||
// send a message to a user
|
// send a message to a user
|
||||||
User.findByUsername(params.username)
|
User.findByUsername(encodeURIComponent(params.username))
|
||||||
.then(user => {
|
.then(user => {
|
||||||
if (user.can_send_private_message_to_user) {
|
if (user.can_send_private_message_to_user) {
|
||||||
Ember.run.next(() =>
|
Ember.run.next(() =>
|
||||||
|
|
|
@ -39,7 +39,9 @@ export default Discourse.Route.extend({
|
||||||
return this.currentUser;
|
return this.currentUser;
|
||||||
}
|
}
|
||||||
|
|
||||||
return Discourse.User.create({ username: params.username });
|
return Discourse.User.create({
|
||||||
|
username: encodeURIComponent(params.username)
|
||||||
|
});
|
||||||
},
|
},
|
||||||
|
|
||||||
afterModel() {
|
afterModel() {
|
||||||
|
|
|
@ -69,6 +69,9 @@ class UploadsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def show
|
def show
|
||||||
|
# do not serve uploads requested via XHR to prevent XSS
|
||||||
|
return render_404 if request.xhr?
|
||||||
|
|
||||||
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
|
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
|
||||||
|
|
||||||
RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
|
RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
|
||||||
|
@ -88,6 +91,9 @@ class UploadsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def show_short
|
def show_short
|
||||||
|
# do not serve uploads requested via XHR to prevent XSS
|
||||||
|
return render_404 if request.xhr?
|
||||||
|
|
||||||
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
|
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
|
||||||
return render_404
|
return render_404
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,6 +2,30 @@ import { acceptance } from "helpers/qunit-helpers";
|
||||||
|
|
||||||
acceptance("User", { loggedIn: true });
|
acceptance("User", { loggedIn: true });
|
||||||
|
|
||||||
|
QUnit.test("Invalid usernames", async assert => {
|
||||||
|
// prettier-ignore
|
||||||
|
server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
|
||||||
|
return [
|
||||||
|
404,
|
||||||
|
{ "Content-Type": "application/json" },
|
||||||
|
{
|
||||||
|
errors: ["The requested URL or resource could not be found."],
|
||||||
|
error_type: "not_found"
|
||||||
|
}
|
||||||
|
];
|
||||||
|
});
|
||||||
|
|
||||||
|
await visit("/u/eviltrout%2F..%2F..%2F/summary");
|
||||||
|
|
||||||
|
assert.equal(currentPath(), "exception-unknown");
|
||||||
|
});
|
||||||
|
|
||||||
|
QUnit.test("Unicode usernames", async assert => {
|
||||||
|
await visit("/u/%E3%83%A9%E3%82%A4%E3%82%AA%E3%83%B3/summary");
|
||||||
|
|
||||||
|
assert.equal(currentPath(), "user.summary");
|
||||||
|
});
|
||||||
|
|
||||||
QUnit.test("Invites", async assert => {
|
QUnit.test("Invites", async assert => {
|
||||||
await visit("/u/eviltrout/invited/pending");
|
await visit("/u/eviltrout/invited/pending");
|
||||||
assert.ok($("body.user-invites-page").length, "has the body class");
|
assert.ok($("body.user-invites-page").length, "has the body class");
|
||||||
|
|
|
@ -2601,5 +2601,205 @@ export default {
|
||||||
],
|
],
|
||||||
top_categories: []
|
top_categories: []
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"/u/%E3%83%A9%E3%82%A4%E3%82%AA%E3%83%B3.json": {
|
||||||
|
user_badges: [],
|
||||||
|
user: {
|
||||||
|
id: 2,
|
||||||
|
username: "ライオン",
|
||||||
|
name: null,
|
||||||
|
avatar_template:
|
||||||
|
"/letter_avatar_proxy/v4/letter/%E3%83%A9/d9b06d/{size}.png",
|
||||||
|
email: "lion@example.com",
|
||||||
|
last_posted_at: null,
|
||||||
|
last_seen_at: "2019-06-26T09:29:56.044Z",
|
||||||
|
bio_raw: "this is my bio",
|
||||||
|
bio_cooked: "\u003cp\u003ethis is my bio\u003c/p\u003e",
|
||||||
|
created_at: "2019-06-26T08:40:40.964Z",
|
||||||
|
can_edit: true,
|
||||||
|
can_edit_username: true,
|
||||||
|
can_edit_email: true,
|
||||||
|
can_edit_name: true,
|
||||||
|
ignored: false,
|
||||||
|
muted: false,
|
||||||
|
can_ignore_user: false,
|
||||||
|
can_mute_user: false,
|
||||||
|
can_send_private_messages: true,
|
||||||
|
can_send_private_message_to_user: false,
|
||||||
|
bio_excerpt: "this is my bio",
|
||||||
|
trust_level: 1,
|
||||||
|
moderator: false,
|
||||||
|
admin: false,
|
||||||
|
title: null,
|
||||||
|
uploaded_avatar_id: null,
|
||||||
|
badge_count: 0,
|
||||||
|
has_title_badges: false,
|
||||||
|
custom_fields: {},
|
||||||
|
pending_count: 0,
|
||||||
|
profile_view_count: 1,
|
||||||
|
time_read: 0,
|
||||||
|
recent_time_read: 0,
|
||||||
|
primary_group_name: null,
|
||||||
|
primary_group_flair_url: null,
|
||||||
|
primary_group_flair_bg_color: null,
|
||||||
|
primary_group_flair_color: null,
|
||||||
|
second_factor_enabled: false,
|
||||||
|
second_factor_backup_enabled: false,
|
||||||
|
associated_accounts: [],
|
||||||
|
locale: "en_US",
|
||||||
|
muted_category_ids: [],
|
||||||
|
watched_tags: [],
|
||||||
|
watching_first_post_tags: [],
|
||||||
|
tracked_tags: [],
|
||||||
|
muted_tags: [],
|
||||||
|
tracked_category_ids: [],
|
||||||
|
watched_category_ids: [],
|
||||||
|
watched_first_post_category_ids: [],
|
||||||
|
system_avatar_upload_id: null,
|
||||||
|
system_avatar_template:
|
||||||
|
"/letter_avatar_proxy/v4/letter/%E3%83%A9/d9b06d/{size}.png",
|
||||||
|
muted_usernames: [],
|
||||||
|
ignored_usernames: [],
|
||||||
|
mailing_list_posts_per_day: 0,
|
||||||
|
can_change_bio: true,
|
||||||
|
user_api_keys: null,
|
||||||
|
user_auth_tokens: [
|
||||||
|
{
|
||||||
|
id: 2,
|
||||||
|
client_ip: "127.0.0.1",
|
||||||
|
location: "unknown",
|
||||||
|
browser: "Google Chrome",
|
||||||
|
device: "GNU/Linux Computer",
|
||||||
|
os: "Linux",
|
||||||
|
icon: "fab-linux",
|
||||||
|
created_at: "2019-06-26T08:41:18.436Z",
|
||||||
|
seen_at: "2019-06-26T09:24:24.683Z",
|
||||||
|
is_active: true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
user_auth_token_logs: [
|
||||||
|
{
|
||||||
|
id: 4,
|
||||||
|
client_ip: "127.0.0.1",
|
||||||
|
location: "unknown",
|
||||||
|
browser: "Google Chrome",
|
||||||
|
device: "GNU/Linux Computer",
|
||||||
|
os: "Linux",
|
||||||
|
icon: "fab-linux",
|
||||||
|
created_at: "2019-06-26T08:41:18.448Z",
|
||||||
|
action: "Log In"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
invited_by: null,
|
||||||
|
groups: [
|
||||||
|
{
|
||||||
|
id: 10,
|
||||||
|
automatic: true,
|
||||||
|
name: "trust_level_0",
|
||||||
|
display_name: "trust_level_0",
|
||||||
|
user_count: 2,
|
||||||
|
mentionable_level: 0,
|
||||||
|
messageable_level: 0,
|
||||||
|
visibility_level: 0,
|
||||||
|
primary_group: false,
|
||||||
|
title: null,
|
||||||
|
grant_trust_level: null,
|
||||||
|
has_messages: false,
|
||||||
|
flair_url: null,
|
||||||
|
flair_bg_color: null,
|
||||||
|
flair_color: null,
|
||||||
|
bio_cooked: null,
|
||||||
|
bio_excerpt: null,
|
||||||
|
public_admission: false,
|
||||||
|
public_exit: false,
|
||||||
|
allow_membership_requests: false,
|
||||||
|
full_name: null,
|
||||||
|
default_notification_level: 3,
|
||||||
|
membership_request_template: null
|
||||||
|
},
|
||||||
|
{
|
||||||
|
id: 11,
|
||||||
|
automatic: true,
|
||||||
|
name: "trust_level_1",
|
||||||
|
display_name: "trust_level_1",
|
||||||
|
user_count: 2,
|
||||||
|
mentionable_level: 0,
|
||||||
|
messageable_level: 0,
|
||||||
|
visibility_level: 0,
|
||||||
|
primary_group: false,
|
||||||
|
title: null,
|
||||||
|
grant_trust_level: null,
|
||||||
|
has_messages: false,
|
||||||
|
flair_url: null,
|
||||||
|
flair_bg_color: null,
|
||||||
|
flair_color: null,
|
||||||
|
bio_cooked: null,
|
||||||
|
bio_excerpt: null,
|
||||||
|
public_admission: false,
|
||||||
|
public_exit: false,
|
||||||
|
allow_membership_requests: false,
|
||||||
|
full_name: null,
|
||||||
|
default_notification_level: 3,
|
||||||
|
membership_request_template: null
|
||||||
|
}
|
||||||
|
],
|
||||||
|
group_users: [
|
||||||
|
{ group_id: 10, user_id: 2, notification_level: 3, owner: false },
|
||||||
|
{ group_id: 11, user_id: 2, notification_level: 3, owner: false }
|
||||||
|
],
|
||||||
|
featured_user_badge_ids: [],
|
||||||
|
user_option: {
|
||||||
|
user_id: 2,
|
||||||
|
mailing_list_mode: false,
|
||||||
|
mailing_list_mode_frequency: 1,
|
||||||
|
email_digests: true,
|
||||||
|
email_level: 1,
|
||||||
|
email_messages_level: 0,
|
||||||
|
external_links_in_new_tab: false,
|
||||||
|
dynamic_favicon: false,
|
||||||
|
enable_quoting: true,
|
||||||
|
enable_defer: false,
|
||||||
|
digest_after_minutes: 1440,
|
||||||
|
automatically_unpin_topics: true,
|
||||||
|
auto_track_topics_after_msecs: 240000,
|
||||||
|
notification_level_when_replying: 2,
|
||||||
|
new_topic_duration_minutes: 2880,
|
||||||
|
email_previous_replies: 2,
|
||||||
|
email_in_reply_to: true,
|
||||||
|
like_notification_frequency: 1,
|
||||||
|
include_tl0_in_digests: false,
|
||||||
|
theme_ids: [2],
|
||||||
|
theme_key_seq: 0,
|
||||||
|
allow_private_messages: true,
|
||||||
|
homepage_id: null,
|
||||||
|
hide_profile_and_presence: false,
|
||||||
|
text_size: "normal",
|
||||||
|
text_size_seq: 0,
|
||||||
|
title_count_mode: "notifications"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"/u/%E3%83%A9%E3%82%A4%E3%82%AA%E3%83%B3/summary.json": {
|
||||||
|
topics: [],
|
||||||
|
user_summary: {
|
||||||
|
likes_given: 0,
|
||||||
|
likes_received: 0,
|
||||||
|
topics_entered: 0,
|
||||||
|
posts_read_count: 0,
|
||||||
|
days_visited: 1,
|
||||||
|
topic_count: 0,
|
||||||
|
post_count: 0,
|
||||||
|
time_read: 0,
|
||||||
|
recent_time_read: 0,
|
||||||
|
bookmark_count: 0,
|
||||||
|
topic_ids: [],
|
||||||
|
replies: [],
|
||||||
|
links: [],
|
||||||
|
most_liked_by_users: [],
|
||||||
|
most_liked_users: [],
|
||||||
|
most_replied_to_users: [],
|
||||||
|
badges: [],
|
||||||
|
top_categories: []
|
||||||
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue