Package: graphite-web
Version: 1.1.4-3+deb10u1.1
Severity: important
Tags: patch

Dear Maintainer,

 Saving and recalling user graphs doesn't work. This has been fixed upstream:

https://github.com/graphite-project/graphite-web/pull/2587

 I was able to rebuild the package with the two patches in the above PR to fix
it locally.

-- System Information:
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
Architecture: armv7l

Kernel: Linux 5.4.51-v7+ (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages graphite-web depends on:
ii  adduser                 3.118
ii  python                  2.7.16-1
ii  python3                 3.7.3-1
ii  python3-cairo           1.16.2-1+b1
ii  python3-cairocffi       0.7.2-2.2
ii  python3-django          1:1.11.29-1~deb10u1
ii  python3-django-tagging  1:0.4.5-1
ii  python3-pyparsing       2.2.0+dfsg1-2
ii  python3-simplejson      3.16.0-1
ii  python3-six             1.12.0-1
ii  python3-tz              2019.1-1
ii  python3-urllib3         1.24.1-1
ii  python3-whisper         1.1.4-2

graphite-web recommends no packages.

Versions of packages graphite-web suggests:
ii  graphite-carbon          1.1.4-2
ii  libapache2-mod-wsgi-py3  4.6.5-1
pn  python3-ldap             <none>
pn  python3-memcache         <none>
pn  python3-mysqldb          <none>

-- Configuration Files:
/etc/graphite/local_settings.py changed [not included]

-- no debconf information
From 0a3e6348d25f289982ae30958375b85cdf219be3 Mon Sep 17 00:00:00 2001
From: Pierce Lopez <pierce.lo...@gmail.com>
Date: Tue, 14 Apr 2020 02:45:03 -0400
Subject: [PATCH] composer: fix user saved graphs target escaping

saved graphs targets were html-escaped in the json response
to fix an XSS vulnerability in graphite-project/graphite-web#1662

... but that was not really the right place to escape the graph targets,
it broke targets using quotes: #1801 #2334

so effectively revert the original fix, and instead html-escape the
targets just before rendering them in the GraphDataWindow Ext.ListView

also skip the `str()` around `graph.url`, it's already a string,
in both python2 and python3
---
 webapp/content/js/composer_widgets.js |  9 ++++++++-
 webapp/graphite/browser/views.py      | 29 ++-------------------------
 2 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/webapp/content/js/composer_widgets.js 
b/webapp/content/js/composer_widgets.js
index e1ce36c7..ac7cc3b8 100644
--- a/webapp/content/js/composer_widgets.js
+++ b/webapp/content/js/composer_widgets.js
@@ -515,7 +515,14 @@ var GraphDataWindow = {
       hideHeaders: true,
       width: 385,
       height: 140,
-      columns: [ {header: 'Graph Targets', width: 1.0, dataIndex: 'value'} ],
+      columns: [
+        {
+          header: 'Graph Targets',
+          width: 1.0,
+          dataIndex: 'value',
+          tpl: '{value:htmlEncode}'
+        }
+      ],
       listeners: {
         contextmenu: this.targetContextMenu,
         afterrender: this.targetChanged,
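Review bot: encoding in the column template is the right sink, but the same config registers contextmenu (this.targetContextMenu) and afterrender (this.targetChanged) handlers that are not in this hunk; confirm neither builds markup from the raw record value (for example via innerHTML or an unencoded XTemplate), otherwise the escaping is only partial. A one-line comment above `tpl: '{value:htmlEncode}'` saying it replaces the server-side escaping removed from browser/views.py would stop a later cleanup from silently reopening the issue.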
diff --git a/webapp/graphite/browser/views.py b/webapp/graphite/browser/views.py
index 3bc9dc9c..223a76af 100644
--- a/webapp/graphite/browser/views.py
+++ b/webapp/graphite/browser/views.py
@@ -24,7 +24,6 @@ from graphite.user_util import getProfile, 
getProfileByUsername
 from graphite.util import json
 from graphite.logger import log
 from hashlib import md5
-from six.moves.urllib.parse import urlencode, urlparse, parse_qsl
 
 
 def header(request):
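Review bot: dropping `from six.moves.urllib.parse import urlencode, urlparse, parse_qsl` is only safe if no other function in views.py still uses any of the three; a leftover call would fail with NameError at request time rather than at import, so grep the file and run the view tests before merging. Note that `escape` is still used later in this file (`'text' : escape(nodeName)`), so its import must stay.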
@@ -138,19 +137,7 @@ def myGraphLookup(request):
       else:
         m = md5()
         m.update(name.encode('utf-8'))
-
-        # Sanitize target
-        urlEscaped = str(graph.url)
-        graphUrl = urlparse(urlEscaped)
-        graphUrlParams = {}
-        graphUrlParams['target'] = []
-        for param in parse_qsl(graphUrl.query):
-          if param[0] != 'target':
-            graphUrlParams[param[0]] = param[1]
-          else:
-            graphUrlParams[param[0]].append(escape(param[1]))
-        urlEscaped = graphUrl._replace(query=urlencode(graphUrlParams, 
True)).geturl()
-        node.update( { 'id' : str(userpath_prefix + m.hexdigest()), 'graphUrl' 
: urlEscaped } )
+        node.update( { 'id' : str(userpath_prefix + m.hexdigest()), 'graphUrl' 
: graph.url } )
         node.update(leafNode)
 
       nodes.append(node)
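Review bot: with the `escape(param[1])` loop gone, `graphUrl` now carries the stored target strings unmodified; the json response quotes them correctly for a JS string but gives no HTML-context protection, so this server change must ship together with the composer_widgets.js `tpl: '{value:htmlEncode}'` change in this same patch, otherwise the issue from #1662 returns. The commit message carries the rationale (escape() turns quotes into entities and mangles targets that use quotes, #1801 #2334); a short comment at the `node.update(...)` line saying the value is encoded at render time in the UI would keep that rationale next to the code.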
@@ -237,22 +224,10 @@ def userGraphLookup(request):
           m = md5()
           m.update(nodeName.encode('utf-8'))
 
-          # Sanitize target
-          urlEscaped = str(graph.url)
-          graphUrl = urlparse(urlEscaped)
-          graphUrlParams = {}
-          graphUrlParams['target'] = []
-          for param in parse_qsl(graphUrl.query):
-            if param[0] != 'target':
-              graphUrlParams[param[0]] = param[1]
-            else:
-              graphUrlParams[param[0]].append(escape(param[1]))
-          urlEscaped = graphUrl._replace(query=urlencode(graphUrlParams, 
True)).geturl()
-
           node = {
             'text' : escape(nodeName),
             'id' : username + '.' + prefix + m.hexdigest(),
-            'graphUrl' : urlEscaped,
+            'graphUrl' : graph.url,
           }
           node.update(leafNode)
 
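Review bot: same dependency as in myGraphLookup: `'graphUrl' : graph.url` is now raw and relies on client-side encoding. One inconsistency worth a comment: `'text' : escape(nodeName)` two lines above still escapes at the data layer, so this view now mixes both strategies; that is acceptable if `text` is rendered as tree-node HTML and `graphUrl` only ever passes through the encoding template, but it should read as intentional rather than accidental.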
-- 
2.20.1

From e2433a314ab8718c7d16bcab7b7944c9e5ef105d Mon Sep 17 00:00:00 2001
From: Pierce Lopez <pierce.lo...@gmail.com>
Date: Mon, 20 Apr 2020 15:48:14 -0400
Subject: [PATCH] dashboard: htmlEncode graph target list content

same XSS vulnerability as the composer saved user graphs data view had
---
 webapp/content/js/dashboard.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapp/content/js/dashboard.js b/webapp/content/js/dashboard.js
index b85170bb..0b880f43 100644
--- a/webapp/content/js/dashboard.js
+++ b/webapp/content/js/dashboard.js
@@ -1915,6 +1915,7 @@ function graphClicked(graphView, graphIndex, element, 
evt) {
           header: 'Target',
           dataIndex: 'target',
           width: gridWidth - 90,
+          renderer: 'htmlEncode',
           editor: {xtype: 'textfield'}
         },
         {
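Review bot: `renderer: 'htmlEncode'` encodes for display only, which is what is wanted here: the underlying record keeps the raw target, so the `editor: {xtype: 'textfield'}` on the same column still edits and submits the real expression rather than an entity-encoded one. This relies on the Ext convention that a string renderer names a function on Ext.util.Format; if the target is rendered anywhere else (a tooltip or a custom cell template), that path needs its own encoding, since the renderer only covers this column's cell output.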
-- 
2.20.1
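The commit messages above explain why escaping the targets inside the saved-graph URL broke targets that use quotes, and why the escaping moved to the render sink. The following is an added example illustrating that reasoning; it is not code from graphite-web or from the patch author. Python's `html.escape` stands in for Django's `escape()`, the `SAMPLE_URL` is constructed, and `render_target_cell` is a stand-in for what the `{value:htmlEncode}` template does on the client.

```python
"""Why HTML-escaping saved-graph targets inside the URL broke targets that
use quotes, versus escaping at the render sink.

Constructed example for this bug report; not code from graphite-web or from
the patch author. html.escape stands in for Django's escape(), and the
sample URL is made up.
"""
from html import escape
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed saved-graph URL: the first target is an alias() whose argument
# contains double quotes and an ampersand, the second is a plain metric path.
SAMPLE_URL = (
    "/render?width=400"
    "&target=alias(app.requests,%20%22Requests%20%26%20errors%22)"
    "&target=app.errors"
)


def targets_of(url):
    """Return the target expressions exactly as a render endpoint would parse them."""
    return [value for key, value in parse_qsl(urlparse(url).query) if key == "target"]


def escape_targets_in_url(url):
    """The pre-patch data-layer approach: HTML-escape each 'target' query value
    and rebuild the URL. Same shape as the loop the patch removes from
    browser/views.py."""
    parts = urlparse(url)
    params = {"target": []}
    for key, value in parse_qsl(parts.query):
        if key != "target":
            params[key] = value
        else:
            params["target"].append(escape(value))
    # doseq=True emits one target=... pair per list element
    return parts._replace(query=urlencode(params, True)).geturl()


def render_target_cell(target):
    """The post-patch approach: keep the stored target untouched and encode it
    only where it becomes markup (the role '{value:htmlEncode}' plays in Ext)."""
    return "<td>{}</td>".format(escape(target, quote=True))


if __name__ == "__main__":
    original = targets_of(SAMPLE_URL)
    mangled = targets_of(escape_targets_in_url(SAMPLE_URL))
    for before, after in zip(original, mangled):
        print("stored : ", before)
        print("escaped: ", after, "" if before == after else "  <- no longer the same expression")
    print("sink-encoded cell:", render_target_cell(original[0]))
```

Running it shows the first target come back from the escaped URL as `alias(app.requests, &quot;Requests &amp; errors&quot;)`, which is a different expression from the one the user saved, while the plain metric path is unaffected; encoding only in `render_target_cell` leaves the stored URL intact and still neutralises markup characters at the point they would reach the DOM.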
