SSF-7

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/alerts_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/alerts_controller.rb
index e0dd6611b65d361afa50c7a9c27d2209c1052e4b..a2b076d8abed76f8080045ae99a0f6cefa47aa93 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/alerts_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/alerts_controller.rb
@@ -90,7 +90,7 @@ class AlertsController < ApplicationController
     else
       @alerts = @profile.alerts.reload
       errors = []
-      @alert.errors.full_messages.each{|msg| errors<<msg + '<br/>'}
+      @alert.errors.full_messages.each{|msg| errors<<CGI.escapeHTML(msg) + '<br/>'}
       render :text => errors, :status => 404
     end
   end
@@ -115,7 +115,7 @@ class AlertsController < ApplicationController
       render :text => 'ok', :status => 200
     else
       errors = []
-      alert.errors.full_messages.each{|msg| errors<<msg + '<br/>'}
+      alert.errors.full_messages.each{|msg| errors<<CGI.escapeHTML(msg) + '<br/>'}
       render :text => errors, :status => 404
     end
   end

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb
index fb7fa6d6b2be8bd77cfd10fefcfebb79dcb42938..884389660db2223a1b8d5e1d08db2387462a14bc 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb
@@ -166,12 +166,12 @@ class ApplicationController < ActionController::Base
 
   def render_bad_request(error)
     message = error.respond_to?('message') ? error.message : error.to_s
-    render :text => message, :status => 400
+    render :text => CGI.escapeHTML(message), :status => 400
   end
 
   def render_server_exception(exception)
     message = (exception.getMessage ? exception.getMessage : Api::Utils.message(exception.l10nKey, :params => exception.l10nParams.to_a))
-    render :text => message, :status => exception.httpCode
+    render :text => CGI.escapeHTML(message), :status => exception.httpCode
   end
 
   def render_native_access_denied(exception)
@@ -203,7 +203,7 @@ class ApplicationController < ActionController::Base
 
     if request.xhr?
       message = error.respond_to?('message') ? error.message : error.to_s
-      render :text => message, :status => 500
+      render :text => CGI.escapeHTML(message), :status => 500
     else
       render :file => "#{Rails.public_path}/500.html", :status => 500
     end

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb
index 12ae2d490a262eebfb678db79ed7b984b6cc559a..9a180a0d8105881ea9831ab1b9301985cae51dec 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb
@@ -28,6 +28,8 @@ class ComparisonController < ApplicationController
     if resource_key && !resource_key.blank?
       # the request comes from a project: let's select its 5 latest versions
       project = Project.by_key(resource_key)
+      return render_not_found('Project not found') unless project
+
       snapshots = project.events.select { |event| !event.snapshot_id.nil? && event.category==EventCategory::KEY_VERSION }[0..5].reverse.map {|e| e.snapshot}
       # if last snapshot is not in the list, add it at the end (=> might be the case for views or developers which do not have events)
       last_snapshot = project.last_snapshot

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
index 12a7b35dced13076b69c5146ae23968357345960..39a000cc5d764e0b5292c356c5ca5235d4cd9027 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
@@ -66,7 +66,7 @@ class DashboardsController < ApplicationController
       add_default_dashboards_if_first_user_dashboard(@dashboard.global?)
       last_index=current_user.active_dashboards.max_by(&:order_index).order_index
       current_user.active_dashboards.create(:dashboard => @dashboard, :user => current_user, :order_index => (last_index+1))
-      render :text => params[:resource], :highlight => @dashboard.id, :status => 200
+      render :text => CGI.escapeHTML(params[:resource]), :highlight => @dashboard.id, :status => 200
     else
       render :partial => 'dashboards/create_form', :status => 400, :resource => params[:resource]
     end
@@ -88,7 +88,7 @@ class DashboardsController < ApplicationController
     if @dashboard.editable_by?(current_user)
       load_dashboard_from_params(@dashboard)
       if @dashboard.save
-        render :text => params[:resource], :status => 200
+        render :text => CGI.escapeHTML(params[:resource]), :status => 200
       else
         @dashboard.user = dashboard_owner
         render :partial => 'dashboards/edit_form', :status => 400, :resource => params[:resource]
@@ -115,7 +115,7 @@ class DashboardsController < ApplicationController
 
     if @dashboard.destroy
       flash[:warning]=Api::Utils.message('dashboard.default_restored') if ActiveDashboard.count(:conditions => {:user_id => current_user.id})==0
-      render :text => params[:resource], :status => 200
+      render :text => CGI.escapeHTML(params[:resource]), :status => 200
     else
       @dashboard.errors.add(message('dashboard.error_delete_default'), ' ')
       render :partial => 'dashboards/delete_form', :status => 400, :resource => params[:resource]

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/measures_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/measures_controller.rb
index 5b0ee79b592f6943364d269bc9c70e6e7ce5b768..1a46f57c90fb5b24eed6ba782c56238f037a548b 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/measures_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/measures_controller.rb
@@ -239,7 +239,7 @@ class MeasuresController < ApplicationController
 
   def render_measures_error(filter)
     errors = []
-    filter.errors.full_messages.each{|msg| errors<<msg + '<br/>'}
+    filter.errors.full_messages.each{|msg| errors<<CGI.escapeHTML(msg) + '<br/>'}
     render :text => errors, :status => 400
   end
 end

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_bulk_change_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_bulk_change_form.html.erb
index 28dbe20342c79015214e2b80a667cff84ce35a26..6571bf8d22efe217478876d81d57bf80ef214518 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_bulk_change_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_bulk_change_form.html.erb
@@ -113,7 +113,7 @@
 <script>
   $j("#bulk-change-form").modalForm({
     success: function () {
-      onBulkIssues(<%= params.to_json -%>);
+      onBulkIssues(<%= json_escape(params.to_json) -%>);
     }
   });
 

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_list.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_list.html.erb
index 41c89469d56d8eb20b0b8b16a36291005afb49de..bdcb82de8b1350e62c529d191311960ab2d381dc 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_list.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/issues/_list.html.erb
@@ -99,7 +99,7 @@
 %>
 
 <script type="text/javascript">
-  var filterCriteria = <%= @issues_query_params.to_json -%>;
+  var filterCriteria = <%= json_escape(@issues_query_params.to_json) -%>;
 
   function refreshList(sort, asc, page) {
     $j('#issue-filter-foot_pages').hide();

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_list.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_list.html.erb
index 1f03eef00ba4991de90d8356515e6a63511b1eb7..06b9971f8792688abdb4454cc8b4c5b48fcce2a2 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_list.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_list.html.erb
@@ -1,7 +1,7 @@
 <div id="measure_filter_list<%= widget_id -%>">
 <% content_for :script do %>
   <script>
-    var filterCriteria<%= widget_id -%> = <%= filter.criteria.to_json -%>;
+    var filterCriteria<%= widget_id -%> = <%= json_escape(filter.criteria.to_json) -%>;
 
     function refreshList<%= widget_id -%>(sort, asc, page) {
       $j('#measure_filter_foot<%= widget_id -%>_pages').hide();
@@ -231,4 +231,4 @@
     } -%>
   <% end %>
 </table>
-</div>
\ No newline at end of file
+</div>

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_treemap.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_treemap.html.erb
index 9296acc6c89c9ac5c1037f2aae7b4b0d4094db58..f308a3e83971aed89014df09dfc03980859b1b30 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_treemap.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/measures/_display_treemap.html.erb
@@ -1,5 +1,5 @@
 <script>
-  var filterCriteria<%= widget_id -%> = <%= filter.criteria.to_json -%>;
+  var filterCriteria<%= widget_id -%> = <%= json_escape(filter.criteria.to_json) -%>;
 </script>
 <%
    treemap_id = widget_id.nil? ? 1 : widget_id

diff --git a/sonar-server/src/main/webapp/WEB-INF/config/environment.rb b/sonar-server/src/main/webapp/WEB-INF/config/environment.rb
index 764e1ed7c802da19d6c97a866186dcd1d9d3eb14..3d6ea3cf3d15a9b080a3d6365ce4d8a6d5c210ea 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/config/environment.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/config/environment.rb
@@ -183,6 +183,20 @@ module ActiveSupport
   end
 end
 
+class ActionView::Base
+
+  # Fix XSS - embed secure JSON in HTML
+  # http://jfire.io/blog/2012/04/30/how-to-securely-bootstrap-json-in-a-rails-view/
+  # Default implmentation of json_escape also removes double quote (") characters. It is documented to return invalid JSON !
+  def json_escape(s)
+    result = s.to_s.gsub('/', '\/')
+    s.html_safe? ? result.html_safe : result
+  end
+
+  alias j json_escape
+end
+
+
 #
 # other patches :
 # - activerecord : fix Oracle bug when more than 1000 elements in IN clause. See lib/active_record/association_preload.rb