Fixed a XSS bug (exploitable only by admins) for tasks with script ta…

…gs in their name, thanks for reporting it Michael Carlson. Also fixed a spelling mistake in the Python Analyzer reported by Kevin Hock. Thanks!
Netflix-Skunkworks · Nov 30, 2016 · 5c9120f · 5c9120f
1 parent 7c1caff
commit 5c9120f
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/app/views/results/metadata/_vulnerability.html.erb b/app/views/results/metadata/_vulnerability.html.erb
@@ -300,7 +300,7 @@
           <td><%= vect["method"] %></td>
           <td>
             <% if vect["note"].present? %>
-              <span data-tooltip aria-haspopup="true" class="has-tip tip-left" title="<%= vect["note"]%>"><i class="fi-info"></i></span></td>
+              <span data-tooltip aria-haspopup="true" class="has-tip tip-left" title="<%= h(vect["note"])%>"><i class="fi-info"></i></span></td>
           <% end %>
         </tr>
       <% end %>

diff --git a/app/views/task_types/_options_fields.html.erb b/app/views/task_types/_options_fields.html.erb
@@ -4,7 +4,7 @@
     <%= label_tag do %>
     <%= value[:name] + (value[:required] == true ? "*" : "") %>
       <% if value[:description].present? %>
-        <span data-tooltip aria-haspopup="true" class="has-tip tip-right" title="<%= value[:description] %>"><i class="fi-info"></i></span>
+        <span data-tooltip aria-haspopup="true" class="has-tip tip-right" title="<%= h(value[:description]) %>"><i class="fi-info"></i></span>
       <% end %>
     <% end %>
 

diff --git a/app/views/tasks/index.html.erb b/app/views/tasks/index.html.erb
@@ -42,7 +42,7 @@ $(function(){
           <% status_class = "classification-" + status_class if status_class.present? %>
           <% if task.metadata.try(:[], "_last_status") %>
             <% message = task.metadata.try(:[], "_last_status").to_s %>
-            <% message +=  "<br/>" + task.metadata.try(:[], "_last_status_message").to_s if task.metadata.try(:[], "_last_status_message")%>
+            <% message +=  "<br/>" + h(task.metadata.try(:[], "_last_status_message").to_s) if task.metadata.try(:[], "_last_status_message") %>
             <% message += "<br/>" + link_to("Event #{task.metadata.try(:[], "_last_status_event")}", event_path(task.metadata.try(:[], "_last_status_event"))) if task.metadata.try(:[], "_last_status_event") %>
             <% message +=  "<br/>Last run: " + time_ago_in_words(DateTime.parse(task.metadata.try(:[], "_last_run").to_s)) + " ago" if task.metadata.try(:[], "_last_run")%>
             <% message +=  "<br/>Last success: " + time_ago_in_words(DateTime.parse(task.metadata.try(:[], "_last_successful_run").to_s)) + " ago" if task.metadata.try(:[], "_last_successful_run")%>

diff --git a/lib/scumblr_tasks/security/python_analyzer.rb b/lib/scumblr_tasks/security/python_analyzer.rb
@@ -45,8 +45,8 @@ def self.options
                             default: :High,
                             choices: [:High, :Medium, :Low]
                             },
-      :severity_level => {name: "Confidence Level",
-                          description: "Confidence level to include in results",
+      :severity_level => {name: "Severity Level",
+                          description: "Severity level to include in results",
                           required: false,
                           type: :choice,
                           default: :High,