Re: [error-report-web][PATCH V2] Add local.conf and auto.conf into error details


Richard Purdie

On Fri, 2020-02-14 at 10:42 +0800, Changqing Li wrote:
On 12/11/19 1:45 PM, Changqing Li wrote:
On 11/13/19 6:36 PM, Paul Eggleton wrote:
Hi Changqing,

Some comments below.

On Tuesday, 12 November 2019 9:32:53 PM NZDT
changqing.li@windriver.com wrote:
From: Changqing Li <changqing.li@windriver.com>

+        {% if detail.BUILD.LOCAL_CONF != "" %}
+        <dt></a>Local Conf:</dt>
+        <dd style="white-space: pre-wrap;">{{
detail.BUILD.LOCAL_CONF | safe }}</dd>
+        {% endif %}
+
+        {% if detail.BUILD.AUTO_CONF != "" %}
+        <dt></a>Auto Conf:</dt>
+        <dd style="white-space: pre-wrap;">{{
detail.BUILD.AUTO_CONF | safe }}</dd>
+        {% endif %}
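Review bot: the `| safe` filter on `detail.BUILD.LOCAL_CONF` and `detail.BUILD.AUTO_CONF` (both `<dd>` lines) turns off Django's auto-escaping for a field any submitter controls, so any HTML that reaches the database in a local.conf or auto.conf would be rendered by the browser rather than shown as text; drop the filter and emit `{{ detail.BUILD.LOCAL_CONF }}` and `{{ detail.BUILD.AUTO_CONF }}` plain, leaving the `white-space: pre-wrap` style to preserve the original line breaks. Separately, both `<dt>` lines carry a stray closing `</a>` with no opening anchor (`<dt></a>Local Conf:</dt>`, `<dt></a>Auto Conf:</dt>`); it should be removed.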
We cannot use the safe filter here - doing so could open up an XSS
vulnerability, since anyone can upload anything to the error-report
application and the content could include links or other malicious
HTML data. We should allow it to be auto-escaped. Is there a
particular issue you were using this to solve?
This is to resolve a problem when there are angle brackets in
local.conf/auto.conf.

I have a patch in oe-core: [OE-core] [PATCH] report-error.bbclass:
replace angle brackets with &lt; and &gt;

when we have below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<raj.khem@gmail.com>"
send-error-report will fail with "HTTP Error 500: OK"

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server returns an error (Invalid characters in json).
This is fixed by replacing <> with their escaped forms.

NOTE: with this change, error-report-web needs to add the filter 'safe'
for the string to be displayed, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<raj.khem@gmail.com>"
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem@gmail.com&gt;"

Do you have a good idea to resolve this? Thanks.
Sorry about the delay on this, we do really need to get this resolved.
I'm wondering if we should replace the angled brackets test with
https://github.com/mozilla/bleach which would then remove the need
for these workarounds.

Would you be able to update the patch for the other issues please
and then we can look at this one separately?

Thanks,

Richard
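As an added illustration (my own code, not from the thread and not part of error-report-web or oe-core), the two escaping strategies discussed above emulated with the Python standard library; `rudimentary_check` and the `render_dd` approximation of a Django `{{ value }}` with and without `|safe` are assumptions, not the project's actual code:

```python
import html
import json

# Constructed sample of a local.conf line, taken from the thread's discussion.
SAMPLE_CONF = 'BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<raj.khem@gmail.com>"'
DD_OPEN = '<dd style="white-space: pre-wrap;">'
DD_CLOSE = "</dd>"


def rudimentary_check(payload: str) -> bool:
    """Hypothetical stand-in for the server-side check the thread describes:
    reject any submitted JSON containing '<' ("Invalid characters in json")."""
    return "<" not in payload


def client_side_escape(conf: str) -> str:
    """The oe-core workaround: rewrite '<' and '>' before uploading."""
    return conf.replace("<", "&lt;").replace(">", "&gt;")


def render_dd(value: str, mark_safe: bool) -> str:
    """Approximates Django's '<dd>{{ value }}</dd>': auto-escaped by default,
    emitted verbatim when the template applies '|safe'."""
    body = value if mark_safe else html.escape(value, quote=True)
    return f"{DD_OPEN}{body}{DD_CLOSE}"


def output_has_raw_markup(rendered: str) -> bool:
    """True if the <dd> body still contains an unescaped '<', meaning the
    browser would parse submitter-controlled text as HTML."""
    body = rendered[len(DD_OPEN):-len(DD_CLOSE)]
    return "<" in body


def strategy_a(conf: str) -> str:
    """Thread's approach: escape on the client, then '|safe' on the server.
    Display is correct only as long as every stored value was pre-escaped."""
    submitted = client_side_escape(conf)
    assert rudimentary_check(json.dumps(submitted))
    return render_dd(submitted, mark_safe=True)


def strategy_b(conf: str) -> str:
    """Reviewer's approach: store the raw text and rely on auto-escaping at
    output, which needs neither the client rewrite nor '|safe'."""
    return render_dd(conf, mark_safe=False)
```

Both strategies display the sample line correctly, but only strategy B keeps a value that reached storage unescaped from being interpreted as markup, and it also explains the literal `&lt;` seen when a pre-escaped string meets auto-escaping.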
