Merge pull request #9492 from uyuni-project/Uyuni-2024.10
Uyuni 2024.10 patch - CVE-2024-49502 bsc#1231852, CVE-2024-49503 bsc#1231922, bsc#1231900
deneb-alpha authored Nov 19, 2024
2 parents d0ab907 + 05fb929 commit b89c832
Showing 10 changed files with 92 additions and 25 deletions.
Expand Up @@ -26,15 +26,18 @@
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;

import org.apache.commons.io.input.BoundedReader;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.io.IOException;
import java.text.Normalizer;
import java.util.HashMap;
import java.util.Map;

import spark.Request;
import spark.Response;
import spark.Spark;

/**
* Spark controller class the FrontendLog handler.
Expand All @@ -44,6 +47,8 @@ public class FrontendLogController {
private static final Gson GSON = new GsonBuilder().create();

private static final Logger LOG = LogManager.getLogger(FrontendLogController.class);
private static final int MAX_LOG_PAYLOAD_SIZE = 1000;
private static final int MAX_USER_AGENT_LENGTH = 200;

/**
* Initialize the {@link spark.Route}s served by this controller
Expand All @@ -61,23 +66,36 @@ public void initRoutes() {
* @return JSON result of the API call
*/
public static String log(Request request, Response response, User user) {
Map<String, Object> map = GSON.fromJson(request.body(), Map.class);
String type = map.get("level").toString();

// Normalize the unicode message to canonical form to ensure no invalid characters are present
String message = Normalizer.normalize(map.get("message").toString(), Normalizer.Form.NFC);
message = StringUtil.sanitizeLogInput("[" + user.getId() + " - " + request.userAgent() + "] - " + message);

switch (type) {
case "info": LOG.info(message); break;
case "debug": LOG.debug(message); break;
case "warning": LOG.warn(message); break;
case "error": LOG.error(message); break;
default: LOG.info(message); break;
int contentLength = request.contentLength();
if (contentLength <= 0 || contentLength > MAX_LOG_PAYLOAD_SIZE) {
Spark.halt(413, "Content Too Large");
}
String userAgent = request.userAgent()
.substring(0, Math.min(request.userAgent().length(), MAX_USER_AGENT_LENGTH));

Map<String, Boolean> data = new HashMap<>();
data.put("success", true);
return GSON.toJson(data);
try {
BoundedReader in = new BoundedReader(request.raw().getReader(), MAX_LOG_PAYLOAD_SIZE);
Map<String, Object> map = GSON.fromJson(in, Map.class);
String type = map.get("level").toString();

// Normalize the unicode message to canonical form to ensure no invalid characters are present
String message = Normalizer.normalize(map.get("message").toString(), Normalizer.Form.NFC);
message = StringUtil.sanitizeLogInput("[" + user.getId() + " - " + userAgent + "] - " + message);

switch (type) {
case "info": LOG.info(message); break;
case "debug": LOG.debug(message); break;
case "warning": LOG.warn(message); break;
case "error": LOG.error(message); break;
default: LOG.info(message); break;
}

Map<String, Boolean> data = new HashMap<>();
data.put("success", true);
return GSON.toJson(data);
}
catch (IOException e) {
throw new RuntimeException(e);
}
}
}
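Review bot: The `userAgent` truncation on the two lines right after the size check dereferences `request.userAgent()` without a null check; as far as I recall Spark returns the raw `User-Agent` header value there, which is null when the header is absent, so such a request ends in a NullPointerException (a 500) rather than being logged. `String ua = request.userAgent() == null ? "" : request.userAgent();` followed by `String userAgent = ua.substring(0, Math.min(ua.length(), MAX_USER_AGENT_LENGTH));` keeps the limit and survives a missing header. The unguarded `.toString()` on `map.get("level")` and `map.get("message")` inside the try is carried over from the old code, so a JSON body without those keys also surfaces as a 500 instead of a 400, and a body that parses to null (whitespace only) hits the same path; a `Spark.halt(400, ...)` on a null map or missing key would make the rejection explicit. In the catch, `UncheckedIOException` is the more specific wrapper than `RuntimeException` and keeps the cause typed for callers.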
6 changes: 6 additions & 0 deletions java/spacewalk-java.changes
@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Nov 18 18:32:19 CET 2024 - [email protected]

- version 5.1.2-0
* Limit frontend-log message size (bsc#1231900)

-------------------------------------------------------------------
Mon Oct 14 15:47:47 CEST 2024 - [email protected]

2 changes: 1 addition & 1 deletion java/spacewalk-java.spec
Expand Up @@ -57,7 +57,7 @@
%endif

Name: spacewalk-java
Version: 5.1.1
Version: 5.1.2
Release: 0
Summary: Java web application files for Spacewalk
License: GPL-2.0-only
2 changes: 1 addition & 1 deletion rel-eng/packages/spacewalk-java
@@ -1 +1 @@
5.1.1-0 java/
5.1.2-0 java/
2 changes: 1 addition & 1 deletion rel-eng/packages/spacewalk-web
@@ -1 +1 @@
5.1.1-0 web/
5.1.2-0 web/
29 changes: 29 additions & 0 deletions web/html/javascript/spacewalk-essentials.js
Expand Up @@ -225,6 +225,35 @@ function showFatalError(message, exception) {
}
}

/**
* Checks if the provided string is a valid URL.
*
* @param {string} url - The URL string to validate.
* @returns {boolean} - `true` if the string is a valid URL, otherwise `false`.
*/
function isValidUrl(url) {
try {
new URL(url);
return true;
} catch (_) {
return false;
}
}

/**
* Escapes special HTML characters in a string.
* @param {string} original - The string that may contain special HTML characters.
* @returns {string} - A new string with special HTML characters replaced with their entities.
*/
function escapeHtml(original) {
return original
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;')
.replace(/\//g, '&#x2F;');
}

// Extension to Twitter Bootstrap.
// Gives you a col-XX-auto class like Bootstrap
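Review bot: `isValidUrl` accepts anything the `URL` constructor can parse, so every scheme the parser knows passes, not only the `http`/`https` forms a proxy address can actually use; if the purpose of the `saveProxySettings` caller is to validate a proxy address, checking the parsed object's `protocol` against an allow-list is tighter, e.g. `const parsed = new URL(url); return parsed.protocol === 'http:' || parsed.protocol === 'https:';` in place of the bare `return true`. `escapeHtml` calls `.replace` directly on its argument, so an `undefined` value (what jQuery's `.val()` yields when the element is missing) throws instead of escaping; `original == null ? '' : String(original)` as the first step would make it total, though whether callers can pass that depends on code outside this hunk. Since both helpers become globals in a shared file, a JSDoc sentence on `isValidUrl` stating that it checks syntactic parseability only, not scheme or reachability, would keep future callers from over-trusting it.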
Expand Up @@ -53,7 +53,7 @@ function saveCredentials() {

if (validated) {
console.log("Saving credentials: " + editId);
var user = jQuery('#edit-user').val();
var user = escapeHtml(jQuery('#edit-user').val());
var password = jQuery('#edit-password').val();
showSpinner("edit-credentials-spinner");

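Review bot: `escapeHtml` is applied to the username at input time, on the line that reads `#edit-user`, so the value passed onward is the HTML-entity form of what the user typed; if that is what gets stored as the credential, a username containing any of `&`, `<`, `>`, `"`, `'` or `/` is persisted encoded and will not match at authentication time, and a view that already escapes on output will then double-encode it. Escaping belongs at the point where the value is written into the DOM, with the raw string kept for the request; the same input-side pattern appears in the proxy-settings hunk (`username = escapeHtml(...)` in `saveProxySettings`). If the stored value is in fact only ever rendered as HTML and never used as a credential, a one-line comment here saying so would save the next reader the same question. The rest of `saveCredentials`, where `user` is consumed, lies outside this hunk.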
13 changes: 9 additions & 4 deletions web/html/javascript/susemanager-setup-wizard-proxy-settings.js
@@ -1,12 +1,17 @@
// Save and verifiy the proxy settings
function saveProxySettings() {
hostname = jQuery('#http-proxy-input-hostname').val();
username = escapeHtml(jQuery('#http-proxy-input-username').val());
password = jQuery('#http-proxy-input-password').val();

if (hostname.trim() !== "" && !isValidUrl(hostname)) {
alert("Proxy Hostname is not a valid URL.");
return;
}

showSpinner('http-proxy-verify');
jQuery('#http-proxy-verify').show(0);
jQuery('#http-proxy-save').attr('disabled', true);

hostname = jQuery('#http-proxy-input-hostname').val();
username = jQuery('#http-proxy-input-username').val();
password = jQuery('#http-proxy-input-password').val();

function onSuccess(settings) {
jQuery('#http-proxy-save').prop('disabled', false);
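Review bot: The three assignments at the top of `saveProxySettings` (`hostname`, `username`, `password`) carry no `var`/`let`/`const`, so they become implicit globals; the password in particular then lives on the global object for the page's lifetime, and the implicit form breaks under strict mode. Declaring them `var hostname = ...;` (or `const`, if the file's toolchain allows it) keeps them function-local; this was already the case in the removed lines, but the new lines are the ones that remain. The `hostname.trim()` guard also assumes `.val()` returned a string, which holds only while the input element exists. The function continues past the end of the hunk.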
9 changes: 9 additions & 0 deletions web/spacewalk-web.changes
@@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Nov 18 18:33:44 CET 2024 - [email protected]

- version 5.1.2-0
* CVE-2024-49502: Validate proxy hostname format and escape proxy
username to mitigate XSS vulnerabilities (bsc#1231852)
* CVE-2024-49503: Escape organization credentials username to
mitigate XSS vulnerability (bsc#1231922)

-------------------------------------------------------------------
Mon Oct 14 15:57:04 CEST 2024 - [email protected]

2 changes: 1 addition & 1 deletion web/spacewalk-web.spec
Expand Up @@ -31,7 +31,7 @@
%{!?nodejs_sitelib:%define nodejs_sitelib %{_prefix}/lib/node_modules}

Name: spacewalk-web
Version: 5.1.1
Version: 5.1.2
Release: 0
Summary: Spacewalk Web site - Perl modules
License: GPL-2.0-only