Опубликовано: 10 мая 2024
Источник: github
Github: Прошло ревью
CVSS4: 4.8
CVSS3: 4.8
Описание
Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
Impact
There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.
Patches
The issue is fixed in versions: 1.12.16, 1.13.1 and above.
Workarounds
- Create new file
assets/admin/sylius-lazy-choice-tree.js:
// assets/admin/sylius-lazy-choice-tree.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
const createRootContainer = function createRootContainer() {
return $('<div class="ui list"></div>');
};
const createLeafContainerElement = function createLeafContainerElement() {
return $('<div class="list"></div>');
};
const createLeafIconElement = function createLeafIconElement() {
return $('<i class="folder icon"></i>');
};
const createLeafTitleElement = function createLeafTitleElement() {
return $('<div class="header"></div>');
};
const createLeafTitleSpan = function createLeafTitleSpan(displayName) {
return $(`<span style="margin-right: 5px; cursor: pointer;">${displayName}</span>`);
};
const createLeafContentElement = function createLeafContentElement() {
return $('<div class="content"></div>');
};
$.fn.extend({
choiceTree(type, multiple, defaultLevel) {
const tree = this;
const loader = tree.find('.dimmer');
const loadedLeafs = [];
const $input = tree.find('input[type="hidden"]');
const createCheckboxElement = function createCheckboxElement(name, code, multi) {
const chosenNodes = $input.val().split(',');
let checked = '';
if (chosenNodes.some(chosenCode => chosenCode === code)) {
checked = 'checked="checked"';
}
if (multi) {
return $(`<div class="ui checkbox" data-value="${code}"><input ${checked} type="checkbox" name="${type}"></div>`);
}
return $(`<div class="ui radio checkbox" data-value="${code}"><input ${checked} type="radio" name="${type}"></div>`);
};
const isLeafLoaded = function isLeafLoaded(code) {
return loadedLeafs.some(leafCode => leafCode === code);
};
let createLeafFunc;
const loadLeafAction = function loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement) {
icon.toggleClass('open');
if (!isLeafLoaded(parentCode)) {
expandButton.api({
on: 'now',
url: tree.data('tree-leafs-url') || tree.data('taxon-leafs-url'),
method: 'GET',
cache: false,
data: {
parentCode,
},
beforeSend(settings) {
loader.addClass('active');
return settings;
},
onSuccess(response) {
response.forEach((leafNode) => {
leafContainerElement.append((
createLeafFunc(sanitizeInput(leafNode.name), leafNode.code, leafNode.hasChildren, multiple, leafNode.level)
));
});
content.append(leafContainerElement);
loader.removeClass('active');
loadedLeafs.push(parentCode);
leafContainerElement.toggle();
},
});
}
leafContainerElement.toggle();
};
const bindExpandLeafAction = function bindExpandLeafAction(parentCode, expandButton, content, icon, level) {
const leafContainerElement = createLeafContainerElement();
if (defaultLevel > level) {
loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);
}
expandButton.click(() => {
loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);
});
};
const bindCheckboxAction = function bindCheckboxAction(checkboxElement) {
checkboxElement.checkbox({
onChecked() {
const { value } = checkboxElement[0].dataset;
const checkedValues = $input.val().split(',').filter(Boolean);
checkedValues.push(value);
$input.val(checkedValues.join());
},
onUnchecked() {
const { value } = checkboxElement[0].dataset;
const checkedValues = $input.val().split(',').filter(Boolean);
const i = checkedValues.indexOf(value);
if (i !== -1) {
checkedValues.splice(i, 1);
}
$input.val(checkedValues.join());
},
});
};
const createLeaf = function createLeaf(name, code, hasChildren, multipleChoice, level) {
const displayNameElement = createLeafTitleSpan(name);
const titleElement = createLeafTitleElement();
const iconElement = createLeafIconElement();
const checkboxElement = createCheckboxElement(name, code, multipleChoice);
bindCheckboxAction(checkboxElement);
const leafElement = $('<div class="item"></div>');
const leafContentElement = createLeafContentElement();
leafElement.append(iconElement);
titleElement.append(displayNameElement);
titleElement.append(checkboxElement);
leafContentElement.append(titleElement);
if (!hasChildren) {
iconElement.addClass('outline');
}
if (hasChildren) {
bindExpandLeafAction(code, displayNameElement, leafContentElement, iconElement, level);
}
leafElement.append(leafContentElement);
return leafElement;
};
createLeafFunc = createLeaf;
tree.api({
on: 'now',
method: 'GET',
url: tree.data('tree-root-nodes-url') || tree.data('taxon-root-nodes-url'),
cache: false,
beforeSend(settings) {
loader.addClass('active');
return settings;
},
onSuccess(response) {
const rootContainer = createRootContainer();
response.forEach((rootNode) => {
rootContainer.append((
createLeaf(sanitizeInput(rootNode.name), rootNode.code, rootNode.hasChildren, multiple, rootNode.level)
));
});
tree.append(rootContainer);
loader.removeClass('active');
},
});
},
});
- Create new file
assets/admin/sylius-auto-complete.js:
// assets/admin/sylius-auto-complete.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
$.fn.extend({
autoComplete() {
this.each((idx, el) => {
const element = $(el);
const criteriaName = element.data('criteria-name');
const choiceName = element.data('choice-name');
const choiceValue = element.data('choice-value');
const autocompleteValue = element.find('input.autocomplete').val();
const loadForEditUrl = element.data('load-edit-url');
element.dropdown({
delay: {
search: 250,
},
forceSelection: false,
saveRemoteData: false,
verbose: true,
apiSettings: {
dataType: 'JSON',
cache: false,
beforeSend(settings) {
/* eslint-disable-next-line no-param-reassign */
settings.data[criteriaName] = settings.urlData.query;
return settings;
},
onResponse(response) {
let results = response.map(item => ({
name: sanitizeInput(item[choiceName]),
value: sanitizeInput(item[choiceValue]),
}));
if (!element.hasClass('multiple')) {
results.unshift({
name: ' ',
value: '',
});
}
return {
success: true,
results: results,
};
},
},
});
if (autocompleteValue.split(',').filter(String).length > 0) {
const menuElement = element.find('div.menu');
menuElement.api({
on: 'now',
method: 'GET',
url: loadForEditUrl,
beforeSend(settings) {
/* eslint-disable-next-line no-param-reassign */
settings.data[choiceValue] = autocompleteValue.split(',').filter(String);
return settings;
},
onSuccess(response) {
response.forEach((item) => {
menuElement.append((
$(`<div class="item" data-value="${item[choiceValue]}">${item[choiceName]}</div>`)
));
});
element.dropdown('refresh');
element.dropdown('set selected', element.find('input.autocomplete').val().split(',').filter(String));
},
});
}
});
},
});
- Create new file
assets/admin/sylius-product-auto-complete.js:
// assets/admin/sylius-product-auto-complete.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
$.fn.extend({
productAutoComplete() {
this.each((index, element) => {
const $element = $(element);
$element.dropdown('set selected', $element.find('input[name*="[associations]"]').val().split(',').filter(String));
});
this.dropdown({
delay: {
search: 250,
},
forceSelection: false,
apiSettings: {
dataType: 'JSON',
cache: false,
data: {
criteria: { search: { type: 'contains', value: '' } },
},
beforeSend(settings) {
/* eslint-disable-next-line no-param-reassign */
settings.data.criteria.search.value = settings.urlData.query;
return settings;
},
onResponse(response) {
return {
success: true,
results: response._embedded.items.map(item => ({
name: sanitizeInput(item.name),
value: sanitizeInput(item.code),
})),
};
},
},
onAdd(addedValue, addedText, $addedChoice) {
const inputAssociation = $addedChoice.parents('.product-select').find('input[name*="[associations]"]');
const associatedProductCodes = inputAssociation.val().length > 0 ? inputAssociation.val().split(',').filter(String) : [];
associatedProductCodes.push(addedValue);
$.unique(associatedProductCodes.sort());
inputAssociation.attr('value', associatedProductCodes.join());
},
onRemove(removedValue, removedText, $removedChoice) {
const inputAssociation = $removedChoice.parents('.product-select').find('input[name*="[associations]"]');
const associatedProductCodes = inputAssociation.val().length > 0 ? inputAssociation.val().split(',').filter(String) : [];
associatedProductCodes.splice($.inArray(removedValue, associatedProductCodes), 1);
inputAssociation.attr('value', associatedProductCodes.join());
},
});
},
});
- Add new import in
assets/admin/entry.js:
// assets/admin/entry.js
// ...
import './sylius-lazy-choice-tree';
import './sylius-auto-complete';
import './sylius-product-auto-complete';
- Rebuild your assets:
yarn build
Acknowledgements
This security issue has been reported by Checkmarx Research Group, thank you!
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
Пакеты
Наименование
sylius/sylius
composer
Затронутые версииВерсия исправления
>= 1.12.0-alpha.1, < 1.12.16
1.12.16
Наименование
sylius/sylius
composer
Затронутые версииВерсия исправления
>= 1.13.0-alpha.1, < 1.13.1
1.13.1
Связанные уязвимости
CVSS3: 4.8
nvd
больше 1 года назад
Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.