fix XSS vulnerabilities in dashboard links (#11813)

fix XSS vulnerabilities in dashboard links
2025-02-25 18:55:37 -06:00 · 2018-05-08 12:28:16 +03:00
parent 7e9a10a5fb
commit 00454b32f5
3 changed files with 30 additions and 15 deletions
--- a/public/app/features/dashlinks/module.ts
+++ b/public/app/features/dashlinks/module.ts
@@ -15,7 +15,7 @@ function dashLinksContainer() {
 }

 /** @ngInject */
-function dashLink($compile, linkSrv) {
+function dashLink($compile, $sanitize, linkSrv) {
  return {
    restrict: 'E',
    link: function(scope, elem) {
@@ -49,10 +49,21 @@ function dashLink($compile, linkSrv) {
        var linkInfo = linkSrv.getAnchorInfo(link);
        span.text(linkInfo.title);
        anchor.attr('href', linkInfo.href);
-      }
+        sanitizeAnchor();

        // tooltip
-      elem.find('a').tooltip({ title: scope.link.tooltip, html: true, container: 'body' });
+        elem.find('a').tooltip({
+          title: $sanitize(scope.link.tooltip),
+          html: true,
+          container: 'body',
+        });
+      }
+
+      function sanitizeAnchor() {
+        const anchorSanitized = $sanitize(anchor.parent().html());
+        anchor.parent().html(anchorSanitized);
+      }
+
      icon.attr('class', 'fa fa-fw ' + scope.link.icon);
      anchor.attr('target', scope.link.target);

--- a/public/app/features/panel/panel_ctrl.ts
+++ b/public/app/features/panel/panel_ctrl.ts
@@ -324,6 +324,7 @@ export class PanelCtrl {
    }

    var linkSrv = this.$injector.get('linkSrv');
+    var sanitize = this.$injector.get('$sanitize');
    var templateSrv = this.$injector.get('templateSrv');
    var interpolatedMarkdown = templateSrv.replace(markdown, this.panel.scopedVars);
    var html = '<div class="markdown-html">';
@@ -346,7 +347,8 @@ export class PanelCtrl {
      html += '</ul>';
    }

-    return html + '</div>';
+    html += '</div>';
+    return sanitize(html);
  }

  openInspector() {
--- a/public/test/specs/helpers.ts
+++ b/public/test/specs/helpers.ts
@@ -9,6 +9,7 @@ export function ControllerTestContext() {

  this.datasource = {};
  this.$element = {};
+  this.$sanitize = {};
  this.annotationsSrv = {};
  this.timeSrv = new TimeSrvStub();
  this.templateSrv = new TemplateSrvStub();
@@ -30,6 +31,7 @@ export function ControllerTestContext() {
      $provide.value('timeSrv', self.timeSrv);
      $provide.value('templateSrv', self.templateSrv);
      $provide.value('$element', self.$element);
+      $provide.value('$sanitize', self.$sanitize);
      _.each(mocks, function(value, key) {
        $provide.value(key, value);
      });
@@ -60,7 +62,7 @@ export function ControllerTestContext() {
        {
          panel: self.panel,
          dashboard: self.dashboard,
-        },
+        }
      );
    });
  };
@@ -188,7 +190,7 @@ var allDeps = {
  TimeSrvStub: TimeSrvStub,
  ControllerTestContext: ControllerTestContext,
  ServiceTestContext: ServiceTestContext,
-  DashboardViewStateStub: DashboardViewStateStub
+  DashboardViewStateStub: DashboardViewStateStub,
 };

 // for legacy