🛡️ Sentinel: fix XSS vulnerability in HTTP server dashboard #90
Conversation
Fixed multiple XSS vulnerabilities in the agent's HTTP dashboard by refactoring data structures to use raw strings instead of template.HTML. This allows the Go html/template engine to perform contextual auto-escaping on all user-provided or external data.

Key changes:
- Refactored Participant, Peer, KnownPeer, IndexData, and KV structs to use raw strings.
- Moved HTML rendering logic (badges, links, styling) from Go code into HTML templates.
- Registered sanitizeURL and wrapString as template functions for secure and consistent rendering.
- Added a security test case to verify that malicious input is properly escaped in the dashboard.

This commit has been created by an automated coding assistant, with human supervision. Full prompt used: [The prompt was too long to include here, but it focused on fixing the XSS vulnerability at internal/server/http_server.go:416]

Co-authored-by: filmil <246576+filmil@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
🛡️ Sentinel: fix XSS vulnerability in HTTP server dashboard
Severity: HIGH
Vulnerability:
Cross-Site Scripting (XSS) via template.HTML bypass. The dashboard was manually constructing HTML fragments and wrapping them in template.HTML, which tells the html/template engine that the content is safe and should not be escaped. This included user-provided data like agent short names and peer URLs.
Impact:
An attacker who can control peer information (e.g., by joining the cluster with a malicious name or URL) could execute arbitrary JavaScript in the context of another user's browser when they view the dashboard. This could lead to session hijacking or unauthorized actions.
Fix:
Converted all dashboard-related data structures to use raw strings. Moved all HTML generation into the template files, where html/template's auto-escaping is naturally applied. Registered sanitizeURL and wrapString helpers to handle specific rendering needs securely.
Verification:
Added TestHTTPServer_XSSProtection that verifies script tags and malicious URLs are properly neutralized.

PR created automatically by Jules for task 17122778919723307083 started by @filmil
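The before/after pattern the PR describes, as an added example that is not the project's own code: a row is rendered once with the fragment built in Go and wrapped in template.HTML (the pattern the fix removes), and once with the markup in the template and plain-string data, so html/template escapes the short name as text and runs the URL through a registered sanitizeURL. The Participant shape, the two render functions and the sanitizeURL body (allow only absolute http/https, otherwise return "#") are assumptions for illustration; the page does not show the project's actual implementation.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
)

// Participant mirrors the shape of the PR's refactored structs: plain strings
// that html/template escapes according to the context they land in.
// (Assumed shape; the project's real struct is not shown on the page.)
type Participant struct {
	ShortName string
	URL       string
}

// vulnerableRow mirrors the pre-fix pattern: a template.HTML value tells the
// engine the content is already safe, so it is emitted without escaping.
type vulnerableRow struct {
	Cell template.HTML
}

// sanitizeURL is a hypothetical stand-in for the helper the PR registers.
// It admits only absolute http/https URLs and returns "#" for anything else,
// so a javascript: or data: scheme never reaches the href attribute.
func sanitizeURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "#"
	}
	return u.String()
}

const vulnerableTmpl = `<tr><td>{{.Cell}}</td></tr>`

// renderVulnerable builds the badge and link with Sprintf and marks the result
// as trusted HTML. User-controlled ShortName and URL pass through unchanged.
func renderVulnerable(p Participant) (string, error) {
	cell := fmt.Sprintf(`<span class="badge">%s</span> <a href="%s">%s</a>`,
		p.ShortName, p.URL, p.URL)
	t := template.Must(template.New("row").Parse(vulnerableTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, vulnerableRow{Cell: template.HTML(cell)}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

const safeTmpl = `<tr><td><span class="badge">{{.ShortName}}</span> ` +
	`<a href="{{sanitizeURL .URL}}">{{.URL}}</a></td></tr>`

// renderSafe keeps the markup in the template and hands it raw strings, so the
// engine escapes ShortName as HTML text and applies URL rules in the href.
// Template functions must be registered before Parse.
func renderSafe(p Participant) (string, error) {
	t := template.Must(template.New("row").
		Funcs(template.FuncMap{"sanitizeURL": sanitizeURL}).
		Parse(safeTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample peer: a name carrying markup and a javascript: URL.
	p := Participant{ShortName: `<script>alert(1)</script>`, URL: "javascript:alert(1)"}
	before, _ := renderVulnerable(p)
	after, _ := renderSafe(p)
	fmt.Println("before:", before)
	fmt.Println("after: ", after)
}
```

The point the example makes is that the escaping decision belongs to html/template, not to Go code: a function registered in the FuncMap that returns a plain string keeps the contextual escaping, whereas any value converted to template.HTML opts out of it for good.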