Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #316 Fixing issues in XSSInImgTagAttribute Vulnerability #366

Merged
merged 11 commits into from
Apr 20, 2022
Merged

Issue #316 Fixing issues in XSSInImgTagAttribute Vulnerability #366

merged 11 commits into from
Apr 20, 2022

Conversation

jpralle
Copy link
Contributor

@jpralle jpralle commented Mar 25, 2022

Renamed class and reworked secure implementation to actually validate the input and not just use a simple allow list. Also added a unit test for the secure implementation.

This is our first open source contribution, we hope we did it in the right manner. If not, please provide some help.

@jpralle jpralle mentioned this pull request Mar 25, 2022
Closed
preetkaran20
preetkaran20 requested changes Mar 26, 2022
View reviewed changes
Copy link
Member

@preetkaran20 preetkaran20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jpralle,

Added few comments. Please have a look.

thanks,
Karan

@t0bel1x
Issue SasanLabs#316 fixed code remarks
656ca2b 
- renamed class and test
- corrected levels
- removed path traversal
- changed RequestParam from map to single param
- added input validation to level 7
preetkaran20
preetkaran20 reviewed Apr 3, 2022
View reviewed changes
Copy link
Member

@preetkaran20 preetkaran20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, it LGTM, just few small questions.

@preetkaran20
Copy link
Member

#366 (comment)

@jpralle
Copy link
Contributor Author

jpralle commented Apr 20, 2022

We should be all done now with your comments. Thanks for the review and all the hints and tipps :)

preetkaran20
preetkaran20 reviewed Apr 20, 2022
View reviewed changes
src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java
}
if ((imageLocation.startsWith(IMAGE_RESOURCE_PATH)
&& imageLocation.endsWith(FILE_EXTENSION))
|| allowedValues.contains(imageLocation)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

|| allowedValues.contains(imageLocation)

this check is also not required. and also please run ./gradlew spotlessApply

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But before you explicitly asked me to add that part. I guess, you lost me a bit, sorry.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aah no, i think there is a confusion, i asked for level6 not level7 as level7 is added by you.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can even left this condition as well. please run ./gradlew spotlessApply and we can merge this PR. thanks

preetkaran20
preetkaran20 approved these changes Apr 20, 2022
View reviewed changes
Copy link
Member

@preetkaran20 preetkaran20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

|| allowedValues.contains(imageLocation)

this check is also not required. and also please run ./gradlew spotlessApply

@jpralle
Copy link
Contributor Author

jpralle commented Apr 20, 2022 

|| allowedValues.contains(imageLocation)

this check is also not required. and also please run ./gradlew spotlessApply

Did so. Sorry, your code style differs a bit from what I'm used to.

@preetkaran20
Copy link
Member

Hi @jpralle and other,

Thanks a lot for the changes and for persistently looking into the comments. LGTM, merging it.

thanks,
Karan

@preetkaran20 preetkaran20 merged commit 0d3e0f3 into SasanLabs:master Apr 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@preetkaran20 preetkaran20 preetkaran20 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jpralle @preetkaran20 @t0bel1x