authorSimon Brandhof <simon.brandhof@gmail.com>2013-10-29 12:30:57 +0100
committerSimon Brandhof <simon.brandhof@gmail.com>2013-10-29 12:31:09 +0100
commitef8b36dc567f80e0a334e6fc7254a59f7e2dc9d8 (patch)
tree122a4de62f59eb425c6527d42aa1c8836de8ad13 /sonar-server
parentcf529729634625ea5d235072c399aefd11380cfb (diff)
downloadsonarqube-ef8b36dc567f80e0a334e6fc7254a59f7e2dc9d8.tar.gz
sonarqube-ef8b36dc567f80e0a334e6fc7254a59f7e2dc9d8.zip
Fix XSS vulnerabilities
Diffstat (limited to 'sonar-server')
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/groups_controller.rb25
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/groups/_edit_form.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb12
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb8
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user_new.html.erb6
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/_create_form.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/index.html.erb13
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/users/_change_password_form.html.erb8
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/users/_create_form.html.erb10
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/users/_edit_form.html.erb4
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/users/_reactivate_form.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/users/index.html.erb12
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/users/select_group.html.erb6
13 files changed, 54 insertions, 60 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/groups_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/groups_controller.rb
index 88bc9bae2ca..708c43c5745 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/groups_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/groups_controller.rb
@@ -32,22 +32,13 @@ class GroupsController < ApplicationController
end
def create_form
- if params[:id]
- # TODO is it used ?
- @group = Group.find(params[:id])
- else
- @group = Group.new
- end
+ @group = Group.new
render :partial => 'groups/create_form'
end
def edit_form
- if params[:id]
- @group = Group.find(params[:id])
- else
- # TODO is it used ?
- @group = Group.new
- end
+ require_parameters :id
+ @group = Group.find(params[:id])
render :partial => 'groups/edit_form'
end
@@ -67,20 +58,22 @@ class GroupsController < ApplicationController
def update
verify_post_request
- group = Group.find(params[:id])
- if group.update_attributes(params[:group])
+ require_parameters :id
+
+ @group = Group.find(params[:id])
+ if @group.update_attributes(params[:group])
flash[:notice] = 'Group is updated.'
render :text => 'ok', :status => 200
else
- @group = group
@errors = []
- group.errors.full_messages.each{|msg| @errors<<msg}
+ @group.errors.full_messages.each{|msg| @errors<<msg}
render :partial => 'groups/edit_form', :status => 400
end
end
def delete
verify_post_request
+ require_parameters :id
group = Group.find(params[:id])
if group.destroy
flash[:notice] = 'Group is deleted.'
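Review bot: `@group.update_attributes(params[:group])` in update hands the whole `params[:group]` hash to mass assignment, and nothing in this hunk limits which attributes a POST may set; unless the Group model declares `attr_accessible` (not visible here), any column reachable through the form can be overwritten by adding fields to the request. Consider whitelisting in the controller so the view is not the only constraint, e.g. `if @group.update_attributes(params[:group].slice(:name, :description))`, or confirm the model-side protection. The `require_parameters :id` added before `Group.find` only rejects a missing id; a nonexistent id still raises from `find`, which is presumably turned into a 404 elsewhere. The delete method continues past the end of the hunk.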
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/_edit_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/_edit_form.html.erb
index 390e741c330..cc649f85432 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/_edit_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/_edit_form.html.erb
@@ -1,7 +1,7 @@
<% form_for :group, @group, :url => { :action => 'update', :id => @group.id}, :html => { :id =>'group_form'} do |f| %>
<fieldset>
<div class="modal-head">
- <h2>Edit group: <%= @group.name -%></h2>
+ <h2>Edit group: <%= h @group.name_was -%></h2>
</div>
<div class="modal-body">
@@ -31,4 +31,4 @@
<% end %>
<script>
$j("#group_form").modalForm();
-</script> \ No newline at end of file
+</script>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
index 3038e8134ad..a239bfa11bf 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/index.html.erb
@@ -24,20 +24,20 @@
</tr>
</thead>
<tbody >
- <% @groups.each do |group|%>
- <tr id="group-<%= u group.name -%>">
+ <% @groups.each do |group| %>
+ <tr id="group-<%= group.name.parameterize -%>">
<td class="left"><%= h group.name -%></td>
<td class="left" style="word-break:break-all"><%= h group.description -%></td>
<td class="left">
- <span id="count-<%= u group.name -%>"><%= group.users.count -%></span>
- (<a id="select-<%= u group.name -%>" class="link-action" href="<%= ApplicationController.root_context -%>/groups/select_user/<%= group.id -%>">select</a>)
+ <span id="count-<%= group.name.parameterize -%>"><%= group.users.count -%></span>
+ (<a id="select-<%= group.name.parameterize -%>" class="link-action" href="<%= ApplicationController.root_context -%>/groups/select_user/<%= group.id -%>">select</a>)
</td>
<td class="operations">
- <a id='edit-<%= h group.name -%>' class='open-modal link-action' href="<%= ApplicationController.root_context -%>/groups/edit_form/">Edit</a>
+ <a id='edit-<%= group.name.parameterize -%>' class='open-modal link-action' href="<%= ApplicationController.root_context -%>/groups/edit_form/<%= group.id -%>">Edit</a>
&nbsp;
<%= link_to_action message('delete'), "#{ApplicationController.root_context}/groups/delete/#{group.id}",
:class => 'link-action link-red',
- :id => "delete-#{group.name}",
+ :id => "delete-#{group.name.parameterize}",
:confirm_button => message('delete'),
:confirm_title => 'Delete group: ' + group.name,
:confirm_msg => 'Are you sure that you want to delete this group? Members will not be deleted.',
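Review bot: `:confirm_title => 'Delete group: ' + group.name` still passes the raw group name into the delete confirmation, while every other use of `group.name` in this hunk was escaped or replaced by `parameterize`; unless `link_to_action` escapes its options itself (not visible here), this is the same class of XSS the commit is fixing. Change it to `:confirm_title => 'Delete group: ' + h(group.name),` or, if the helper emits the title inside a JavaScript string, `escape_javascript(group.name)`. Separately, `group.name.parameterize` is a safe attribute value but is not unique (two names that differ only in punctuation or case collide, and a name with no ASCII letters becomes empty), so the `group-`, `count-`, `select-`, `edit-` and `delete-` ids may be duplicated in the table; using `group.id` as the suffix would keep them unique.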
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
index d3835282522..e0ecc2eeef5 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user.html.erb
@@ -1,10 +1,10 @@
-<div class="subtitle">&raquo; <a href="<%= url_for :action => 'index'%>">Back to user groups</a></div>
-<h1>Group: <%= @group.name %></h1>
+<div class="subtitle">&raquo; <a href="<%= url_for :action => 'index'-%>">Back to user groups</a></div>
+<h1>Group: <%= h @group.name -%></h1>
<br/>
<div id="main_content">
- <form action="<%= url_for :action => 'set_users'%>" method="post">
- <input name="id" value="<%= @group.id%>" type="hidden">
+ <form action="<%= url_for :action => 'set_users'-%>" method="post">
+ <input name="id" value="<%= @group.id -%>" type="hidden">
<table>
<tbody>
<tr>
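Review bot: The `<form action="<%= url_for :action => 'set_users'-%>" method="post">` is hand-written rather than built with `form_tag`, so no authenticity token is emitted with it; if the application relies on Rails' `protect_from_forgery` (not visible in this hunk) the submission would either be rejected or, if forgery protection is disabled for this controller, `set_users` is reachable from a cross-site form. Either switch to `<% form_tag :action => 'set_users' do %>` or add `<%= hidden_field_tag :authenticity_token, form_authenticity_token %>` next to the hidden id field, depending on how the rest of the app handles CSRF. The form element continues past the end of the hunk.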
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user_new.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user_new.html.erb
index c06ff1bdd85..cb6f5dc9107 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user_new.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/groups/select_user_new.html.erb
@@ -1,5 +1,5 @@
<div class="subtitle">&raquo; <a href="<%= url_for :action => 'index'%>">Back to user groups</a></div>
-<h1>Group: <%= @group.name %></h1>
+<h1>Group: <%= h @group.name -%></h1>
<br/>
<div id="main_content">
<div id="select-list-group-<%= @group.id -%>"></div>
@@ -16,8 +16,8 @@
all: 'All'
},
tooltips: {
- select: 'Click to add this user to the group <%= @group.name -%>',
- deselect: 'Click to remove this member from the group <%= @group.name -%>'
+ select: 'Click to add this user to the group <%= h @group.name -%>',
+ deselect: 'Click to remove this member from the group <%= h @group.name -%>'
}
});
</script>
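Review bot: `h @group.name` on the `select:` and `deselect:` lines escapes for an HTML context, but these values are interpolated into single-quoted JavaScript string literals inside a `<script>` block, where `h` is the wrong escaper: Rails' `h` does not touch `'` (or a backslash), so a group name containing a single quote ends the literal and the rest of the name is executed as script, and an `&` shows up in the tooltip as `&amp;`. Use the JavaScript escaper here: `select: 'Click to add this user to the group <%= escape_javascript @group.name -%>',` and `deselect: 'Click to remove this member from the group <%= escape_javascript @group.name -%>'`. The surrounding script and the object literal it builds start before this hunk.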
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/_create_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/_create_form.html.erb
index 21e2ddac455..5849bdf795a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/_create_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/_create_form.html.erb
@@ -10,11 +10,11 @@
<div class="modal-body">
<div class="modal-field">
<label for="key"><%= h message('key') -%> <em class="mandatory">*</em></label>
- <input id="key" name="key" value="<%= @key -%>" type="text" size="50" maxlength="400" autofocus="autofocus"/>
+ <input id="key" name="key" value="<%= h @key -%>" type="text" size="50" maxlength="400" autofocus="autofocus"/>
</div>
<div class="modal-field">
<label for="name"><%= h message('name') -%> <em class="mandatory">*</em></label>
- <input id="name" name="name" value="<%= @name -%>" type="text" size="50" maxlength="256" value=""/>
+ <input id="name" name="name" value="<%= h @name -%>" type="text" size="50" maxlength="256" value=""/>
</div>
</div>
<div class="modal-foot">
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/index.html.erb
index c167fdaa4b1..ede85b31c1a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/provisioning/index.html.erb
@@ -25,18 +25,19 @@
<tbody>
<% @query_result.each_with_index do |resource, index| %>
- <tr id="entry-<%= h resource.key -%>" class="<%= cycle 'even', 'odd' -%>">
+ <tr id="entry-<%= resource.key.parameterize -%>" class="<%= cycle 'even', 'odd' -%>">
<td>
<%= link_to h(resource.key), {:controller => :project, :id => resource.id},
- :id => "view-#{u resource.key}" %>
+ :id => "view-#{resource.key.parameterize}" %>
</td>
- <td><%= resource.name %></td>
- <td><%= format_datetime(resource.created_at) %></td>
+ <td><%= h resource.name -%></td>
+ <td><%= format_datetime(resource.created_at) -%></td>
<td class="operations">
<%= link_to message('edit'), {:action => :create_form, :id => resource.id, :key => resource.key, :name => resource.name},
- {:id => "edit-#{u resource.key}", :class => 'open-modal link-action'} %>
+ {:id => "edit-#{resource.key.parameterize}", :class => 'open-modal link-action'} -%>
+ &nbsp;
<%= link_to message('delete'), {:action => :delete_form, :id => resource.id},
- {:id => "delete-#{u resource.key}", :class => 'open-modal link-action link-red'} %>
+ {:id => "delete-#{resource.key.parameterize}", :class => 'open-modal link-action link-red'} -%>
</td>
</tr>
<% end %>
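Review bot: Switching the `entry-`, `view-`, `edit-` and `delete-` id suffixes from `h`/`u resource.key` to `resource.key.parameterize` removes the escaping problem but makes the ids non-unique: `parameterize` folds case and punctuation, so keys such as `org:proj` and `org-proj` collapse to the same suffix and produce duplicate ids in the table, which any `$j('#edit-...')` lookup will resolve to the first match only. Since `resource.id` is already used for the links on these lines, `:id => "edit-#{resource.id}"` (and the same for the other three) would keep the ids both safe and unique. The `each_with_index` loop and its `index` variable, which is never used in the visible rows, start before this hunk.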
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_change_password_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_change_password_form.html.erb
index 222770eb8b8..0d91a35087c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_change_password_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_change_password_form.html.erb
@@ -1,7 +1,7 @@
<% form_for :user, @user, :url => { :id => @user.id, :action => 'update_password'}, :html => { :id =>'user_form', :method => @user.id.nil? ? :post : :put} do |f| %>
<fieldset>
<div class="modal-head">
- <h2>Change password for user: <%= @user.login %></h2>
+ <h2>Change password for user: <%= h @user.login -%></h2>
</div>
<div class="modal-body">
<% if @errors
@@ -18,8 +18,8 @@
<%= f.text_field :login, :size => 30, :maxLength => 40 %>
<% end %>
</div>
- <div class="modal-field"><label for="user[password]">New password</label><%= f.password_field :password, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
- <div class="modal-field"><label for="user[password_confirmation]">Confirm password</label><%= f.password_field :password_confirmation, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
+ <div class="modal-field"><label for="user[password]">New password <em class="mandatory">*</em></label><%= f.password_field :password, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
+ <div class="modal-field"><label for="user[password_confirmation]">Confirm password <em class="mandatory">*</em></label><%= f.password_field :password_confirmation, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
</div>
<div class="modal-foot">
@@ -31,4 +31,4 @@
<script>
$j("#user_form").modalForm();
-</script> \ No newline at end of file
+</script>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_create_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_create_form.html.erb
index 445e00d1d6d..a3243167f5a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_create_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_create_form.html.erb
@@ -11,7 +11,7 @@
<% end
end
%>
- <div class="modal-field"><label for="user[login]">Login<em class="mandatory">*</em></label>
+ <div class="modal-field"><label for="user[login]">Login <em class="mandatory">*</em></label>
<% if @user.id %>
<%= @user.login %>
<%= f.hidden_field :login %>
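Review bot: `<%= @user.login %>` on the line after `<% if @user.id %>` is still rendered without `h`, although the same field was escaped in `_edit_form`, `_change_password_form` and `_reactivate_form` in this commit; when this partial is reused for an existing user, a login containing `<` or `"` is injected into the page unescaped. Make it consistent with the other partials: `<%= h @user.login -%>`. The `if`/`else` around the login field, and the enclosing `form_for`, continue outside the hunk.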
@@ -20,13 +20,13 @@
<% end %>
</div>
<div class="modal-field">
- <label for="user[]">Name<em class="mandatory">*</em></label>
+ <label for="user[]">Name <em class="mandatory">*</em></label>
<%= f.text_field :name, :size => 30, :maxLength => 200 %></div>
<div class="modal-field">
<label for="user[]">Email</label>
<%= f.text_field :email, :size => 30, :maxLength => 100 %></div>
- <div class="modal-field"><label for="user[password]">Password<em class="mandatory">*</em></label><%= f.password_field :password, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
- <div class="modal-field"><label for="user[password_confirmation]">Confirm password<em class="mandatory">*</em></label><%= f.password_field :password_confirmation, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
+ <div class="modal-field"><label for="user[password]">Password <em class="mandatory">*</em></label><%= f.password_field :password, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
+ <div class="modal-field"><label for="user[password_confirmation]">Confirm password <em class="mandatory">*</em></label><%= f.password_field :password_confirmation, :size => 30, :maxLength => 50, :autocomplete => 'off' %></div>
</div>
<div class="modal-foot">
@@ -38,4 +38,4 @@
<script>
$j("#user_create_form").modalForm();
-</script> \ No newline at end of file
+</script>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_edit_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_edit_form.html.erb
index 5291f995a66..c6f408dac0d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_edit_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_edit_form.html.erb
@@ -1,7 +1,7 @@
<% form_for :user, @user, :url => { :id => @user.id, :action => 'update'}, :html => { :id =>'user_edit_form', :method => @user.id.nil? ? :post : :put} do |f| %>
<fieldset>
<div class="modal-head">
- <h2>Edit user: <%= @user.login %></h2>
+ <h2>Edit user: <%= h @user.login -%></h2>
</div>
<div class="modal-body">
<% if @errors
@@ -36,4 +36,4 @@
<script>
$j("#user_edit_form").modalForm();
-</script> \ No newline at end of file
+</script>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_reactivate_form.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_reactivate_form.html.erb
index 60e05a82539..15ddfd9f6ce 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/users/_reactivate_form.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/users/_reactivate_form.html.erb
@@ -7,7 +7,7 @@
<%= f.hidden_field :login %>
<p class="error">
- A user with login "<%= @user.login -%>" already exists in the database but is deactivated.<br/>
+ A user with login "<%= h @user.login -%>" already exists in the database but is deactivated.<br/>
<br/>
Do you really want to reactivate this user?
</p>
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/users/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/users/index.html.erb
index 481ab2a20d2..19cab3e7b71 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/users/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/users/index.html.erb
@@ -24,17 +24,17 @@
</thead>
<tbody >
<% @users.each do |user|%>
- <tr id="user-<%= u user.login -%>">
- <td class="left" valign="top"><%=user.login %></td>
- <td class="left" valign="top"><%=user.name %></td>
- <td class="left" valign="top"><%=user.email %></td>
+ <tr id="user-<%= user.login.parameterize -%>">
+ <td class="left" valign="top"><%=h user.login -%></td>
+ <td class="left" valign="top"><%= h user.name -%></td>
+ <td class="left" valign="top"><%= h user.email -%></td>
<td class="left" valign="top">
- <%= user.groups.sort.map(&:name).join(', ') %> (<%= link_to "select", {:action => 'select_group', :id => user.id}, {:id => "select-#{u user.login}", :class => 'link-action'} %>)
+ <%= h user.groups.sort.map(&:name).join(', ') %> (<%= link_to "select", {:action => 'select_group', :id => user.id}, {:id => "select-#{user.login.parameterize}", :class => 'link-action'} %>)
</td>
<td class="right" valign="top">
<a id="edit-<%= user.login -%>" class="open-modal link-action" href="<%=ApplicationController.root_context-%>/users/edit_form/<%= user.id -%>">Edit</a>
&nbsp;
- <%= link_to "Change password", { :id => user.id, :action => 'change_password_form'}, {:id => "change-password-#{u user.login}", :class => 'open-modal link-action'} -%>
+ <%= link_to 'Change password', { :id => user.id, :action => 'change_password_form'}, {:id => "change-password-#{user.login.parameterize}", :class => 'open-modal link-action'} -%>
&nbsp;
<%= link_to_action message('delete'), "#{ApplicationController.root_context}/users/delete/#{user.id}",
:class => 'link-action link-red',
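Review bot: `<a id="edit-<%= user.login -%>" ...>` still interpolates the raw login into an attribute while the sibling `user-`, `select-` and `change-password-` ids in the same rows were switched to `user.login.parameterize`; a login containing `"` closes the attribute and the rest of the login is parsed as markup, which is exactly the pattern this commit is removing. Change it to `<a id="edit-<%= user.login.parameterize -%>" class="open-modal link-action" href="<%=ApplicationController.root_context-%>/users/edit_form/<%= user.id -%>">Edit</a>`. Note also that `parameterize` is not unique across logins (case and punctuation are folded), so `user.id` would be the safer suffix if these ids are used for lookups. The `link_to_action` call for delete continues past the end of the hunk, so its `:confirm_title` could not be checked here.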
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/users/select_group.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/users/select_group.html.erb
index 17bf426af4a..ba2adfe0e24 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/users/select_group.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/users/select_group.html.erb
@@ -1,9 +1,9 @@
<div class="subtitle">&raquo; <a href="<%= url_for :action => 'index'%>">Back to users</a></div>
-<h1>User: <%= @user.login %></h1>
+<h1>User: <%= h @user.login -%></h1>
<br/>
<div id="main_content">
<form action="<%= url_for :action => 'set_groups'%>" method="post">
- <input name="id" value="<%= @user.id%>" type="hidden">
+ <input name="id" value="<%= @user.id -%>" type="hidden">
<table>
<tbody>
<tr>
@@ -11,7 +11,7 @@
<h2>Not member of</h2>
<select name="from" id="from" size="20" style="margin: 5px 0pt; width: 300px;" multiple="multiple">
<% @user.available_groups.sort.each do |group| %>
- <option value="<%= group.id -%>"><%= group.name %></option>
+ <option value="<%= group.id -%>"><%= h group.name -%></option>
<% end %>
</select>