
Merge pull request #15302 from dashevchenko/alarmTypeXss

Fixed XSS vulnerability for alarm type field
Viacheslav Klimov 2 months ago
committed by GitHub
parent
commit
10c510fe3b
  1. 1
      common/data/src/main/java/org/thingsboard/server/common/data/alarm/AlarmCreateOrUpdateActiveRequest.java
  2. 25
      dao/src/test/java/org/thingsboard/server/dao/service/AlarmServiceTest.java

1
common/data/src/main/java/org/thingsboard/server/common/data/alarm/AlarmCreateOrUpdateActiveRequest.java

@ -39,6 +39,7 @@ public class AlarmCreateOrUpdateActiveRequest implements AlarmModificationReques
private TenantId tenantId;
@Schema(description = "JSON object with Customer Id", accessMode = Schema.AccessMode.READ_ONLY)
private CustomerId customerId;
@NoXss
@NotNull
@Schema(requiredMode = Schema.RequiredMode.REQUIRED, description = "representing type of the Alarm", example = "High Temperature Alarm")
@Length(fieldName = "type")
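Review bot: `@NoXss` is a pattern-based input filter applied to one request class, so it closes the reported vector only for alarms that arrive through `AlarmCreateOrUpdateActiveRequest`; any other path that sets the alarm type (an update request or the entity persisted directly, if such paths exist — not visible from this hunk) needs the same annotation, and the UI must still HTML-encode the type on render, since a denylist is defense in depth rather than the primary control. The field declaration these annotations attach to lies just past the hunk's last line, as does the rest of the class. The OpenAPI text on the `@Schema` line still reads `representing type of the Alarm` and does not tell API clients that markup is now rejected; suggest `description = "Type of the alarm. Plain text only: values that look like HTML/script markup are rejected."` so the new constraint is documented where clients see it.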

25
dao/src/test/java/org/thingsboard/server/dao/service/AlarmServiceTest.java

@ -18,6 +18,7 @@ package org.thingsboard.server.dao.service;
import com.datastax.oss.driver.api.core.uuid.Uuids;
import org.junit.Assert;
import org.junit.Test;
import org.junit.jupiter.api.Assertions;
import org.springframework.beans.factory.annotation.Autowired;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.server.common.data.Customer;
@ -57,6 +58,7 @@ import org.thingsboard.server.dao.alarm.AlarmService;
import org.thingsboard.server.dao.asset.AssetService;
import org.thingsboard.server.dao.customer.CustomerService;
import org.thingsboard.server.dao.device.DeviceService;
import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.dao.relation.RelationService;
import org.thingsboard.server.dao.user.UserService;
@ -64,6 +66,8 @@ import java.util.Collections;
import java.util.List;
import java.util.concurrent.ExecutionException;
import static org.assertj.core.api.Assertions.assertThat;
@DaoSqlTest
public class AlarmServiceTest extends AbstractServiceTest {
@ -987,4 +991,25 @@ public class AlarmServiceTest extends AbstractServiceTest {
Assert.assertEquals(1, alarmsCount);
}
@Test
public void testShouldFailToCreateAlarmWithBadType() {
AssetId originatorId = new AssetId(Uuids.timeBased());
long ts = System.currentTimeMillis();
AlarmCreateOrUpdateActiveRequest request = AlarmCreateOrUpdateActiveRequest.builder()
.tenantId(tenantId)
.originator(originatorId)
.type("<img src=1 onerror=alert()>")
.severity(AlarmSeverity.CRITICAL)
.startTs(ts).build();
Assertions.assertThrows(DataValidationException.class, () -> {
alarmService.createAlarm(request);
});
request.setType(TEST_ALARM);
AlarmApiCallResult result = alarmService.createAlarm(request);
assertThat(result.getAlarm().getId()).isNotNull();
}
}
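Review bot: The new test mixes JUnit 4 (`org.junit.Assert`, `org.junit.Test`, already imported in this file) with JUnit 5's `org.junit.jupiter.api.Assertions`, solely to obtain `assertThrows`; if the project's JUnit 4 is 4.13 or later, `Assert.assertThrows(DataValidationException.class, () -> alarmService.createAlarm(request));` gives the same check without adding the Jupiter import. The test exercises a single payload, `<img src=1 onerror=alert()>`; because `@NoXss` is a pattern filter, one more rejected input such as `<script>alert(1)</script>` plus one benign value that the project considers a legitimate type would pin down both what is blocked and what must stay accepted — the latter matters because an over-broad filter silently breaks real alarm types. Consider also asserting on the exception message, so a `DataValidationException` raised for an unrelated reason would not pass as an XSS rejection.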
