SECURITY: XSS issue on Admin users list

2025-02-25 18:55:32 -06:00 · 2016-08-05 12:01:16 -04:00
parent 429f27ec96
commit 3d62e5dd98
8 changed files with 75 additions and 10 deletions
--- a/test/javascripts/acceptance/admin-users-list-test.js.es6
+++ b/test/javascripts/acceptance/admin-users-list-test.js.es6
@@ -0,0 +1,11 @@
+import { acceptance } from "helpers/qunit-helpers";
+
+acceptance("Admin - Users List", { loggedIn: true });
+
+test("lists users", () => {
+  visit("/admin/users/list/active");
+  andThen(() => {
+    ok(exists('.users-list .user'));
+    ok(!exists('.user:eq(0) .email small'), 'escapes email');
+  });
+});
--- a/test/javascripts/acceptance/sign-in-test.js.es6
+++ b/test/javascripts/acceptance/sign-in-test.js.es6
@@ -13,7 +13,7 @@ test("sign in", () => {
  fillIn('#login-account-password', 'incorrect');
  click('.modal-footer .btn-primary');
  andThen(() => {
-    ok(exists('#modal-alert:visible', 'it displays the login error'));
+    ok(exists('#modal-alert:visible'), 'it displays the login error');
    not(exists('.modal-footer .btn-primary:disabled'), "enables the login button");
  });

@@ -25,6 +25,33 @@ test("sign in", () => {
  });
 });

+test("sign in - not activated", () => {
+  visit("/");
+  andThen(() => {
+    click("header .login-button");
+    andThen(() => {
+      ok(exists('.login-modal'), "it shows the login modal");
+    });
+
+    fillIn('#login-account-name', 'eviltrout');
+    fillIn('#login-account-password', 'not-activated');
+    click('.modal-footer .btn-primary');
+    andThen(() => {
+      equal(find('.modal-body b').text(), '<small>eviltrout@example.com</small>');
+      ok(!exists('.modal-body small'), 'it escapes the email address');
+    });
+
+    click('.modal-body .resend-link');
+    andThen(() => {
+      equal(find('.modal-body b').text(), '<small>current@example.com</small>');
+      ok(!exists('.modal-body small'), 'it escapes the email address');
+    });
+
+
+  });
+});
+
+
 test("create account", () => {
  visit("/");
  click("header .sign-up-button");
@@ -55,5 +82,4 @@ test("create account", () => {
  andThen(() => {
    ok(exists('.modal-footer .btn-primary:disabled'), "create account is disabled");
  });
-
 });
--- a/test/javascripts/helpers/create-pretender.js.es6
+++ b/test/javascripts/helpers/create-pretender.js.es6
@@ -149,9 +149,19 @@ export default function() {
      if (data.password === 'correct') {
        return response({username: 'eviltrout'});
      }
+
+      if (data.password === 'not-activated') {
+        return response({ error: "not active",
+                          reason: "not_activated",
+                          sent_to_email: '<small>eviltrout@example.com</small>',
+                          current_email: '<small>current@example.com</small>' });
+      }
+
      return response(400, {error: 'invalid login'});
    });

+    this.post('/users/action/send_activation_email', success);
+
    this.get('/users/hp.json', function() {
      return response({"value":"32faff1b1ef1ac3","challenge":"61a3de0ccf086fb9604b76e884d75801"});
    });
@@ -242,6 +252,13 @@ export default function() {

    const siteText = {id: 'site.test', value: 'Test McTest'};
    const overridden = {id: 'site.overridden', value: 'Overridden', overridden: true };
+
+    this.get('/admin/users/list/active.json', () => {
+      return response(200, [
+        {id: 1, username: 'eviltrout', email: '<small>eviltrout@example.com</small>'}
+      ]);
+    });
+
    this.get('/admin/customize/site_texts', request => {

      if (request.queryParams.overridden) {