Fix security vulnerability in file manager allowing XSS attack

2019-06-21 21:04:42 -07:00 · 2019-06-21 21:04:42 -07:00 · 06ff76e2e9
commit 06ff76e2e9
parent cd7ec731dc
7 changed files with 25 additions and 10 deletions
--- a/public/themes/pterodactyl/js/frontend/files/filemanager.min.js
+++ b/public/themes/pterodactyl/js/frontend/files/filemanager.min.js
--- a/public/themes/pterodactyl/js/frontend/files/filemanager.min.js.map
+++ b/public/themes/pterodactyl/js/frontend/files/filemanager.min.js.map
--- a/public/themes/pterodactyl/js/frontend/files/src/actions.js
+++ b/public/themes/pterodactyl/js/frontend/files/src/actions.js
@ -29,6 +29,10 @@ class ActionsClass {
        this.element = undefined;
    }

+    sanitizedString(value) {
+        return $('<div>').text(value).html();
+    }
+
    folder(path) {
        let inputValue
        if (path) {
@ -296,7 +300,7 @@ class ActionsClass {
        swal({
            type: 'warning',
            title: '',
-            text: 'Are you sure you want to delete <code>' + delName + '</code>?',
+            text: 'Are you sure you want to delete <code>' + this.sanitizedString(delName) + '</code>?',
            html: true,
            showCancelButton: true,
            showConfirmButton: true,
@ -394,7 +398,7 @@ class ActionsClass {
            let formattedItems = "";
            let i = 0;
            $.each(selectedItems, function(key, value) {
-                formattedItems += ("<code>" + value + "</code>, ");
+                formattedItems += ("<code>" + this.sanitizedString(value) + "</code>, ");
                i++;
                return i < 5;
            });
@ -407,7 +411,7 @@ class ActionsClass {
            swal({
                type: 'warning',
                title: '',
-                text: 'Are you sure you want to delete the following files: ' + formattedItems + '?',
+                text: 'Are you sure you want to delete the following files: ' + this.sanitizedString(formattedItems) + '?',
                html: true,
                showCancelButton: true,
                showConfirmButton: true,
@ -536,7 +540,7 @@ class ActionsClass {
                type: 'error',
                title: 'Whoops!',
                html: true,
-                text: error
+                text: this.sanitizedString(error)
            });
        });
    }
--- a/public/themes/pterodactyl/js/frontend/files/src/contextmenu.js
+++ b/public/themes/pterodactyl/js/frontend/files/src/contextmenu.js
@ -62,7 +62,7 @@ class ContextMenuClass {

        if (Pterodactyl.permissions.createFiles) {
            buildMenu += '<li class="divider"></li> \
-                          <li data-action="file"><a href="/server/'+ Pterodactyl.server.uuidShort +'/files/add/?dir=' + newFilePath + '" class="text-muted"><i class="fa fa-fw fa-plus"></i> New File</a></li> \
+                          <li data-action="file"><a href="/server/'+ Pterodactyl.server.uuidShort +'/files/add/?dir=' + $('<div>').text(newFilePath).html() + '" class="text-muted"><i class="fa fa-fw fa-plus"></i> New File</a></li> \
                          <li data-action="folder"><a tabindex="-1" href="#"><i class="fa fa-fw fa-folder"></i> New Folder</a></li>';
        }