Enabled XSS vuln in search

iriusrisk · Jun 17, 2017 · 4952476 · 4952476
1 parent 7df3137
commit 4952476
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 38 deletions.
diff --git a/.idea/checkstyle-idea.xml b/.idea/checkstyle-idea.xml
diff --git a/application.properties b/application.properties
@@ -2,4 +2,4 @@
 #Tue Mar 17 15:23:07 CET 2015
 app.grails.version=2.4.4
 app.name=ropeytasks
-app.version=0.1
+app.version=0.2
diff --git a/grails-app/conf/Config.groovy b/grails-app/conf/Config.groovy
@@ -35,7 +35,7 @@ grails.mime.types = [ // the first one is the default format
 //grails.urlmapping.cache.maxsize = 1000
 
 // Legacy setting for codec used to encode data with ${}
-grails.views.default.codec = "html"
+grails.views.default.codec = "none"
 
 // The default scope for controllers. May be prototype, session or singleton.
 // If unspecified, controllers are prototype scoped.
@@ -46,10 +46,9 @@ grails {
     views {
         gsp {
             encoding = 'UTF-8'
-            htmlcodec = 'xml' // use xml escaping instead of HTML4 escaping
             codecs {
-                expression = 'html' // escapes values inside ${}
-                scriptlet = 'html' // escapes output from scriptlets in GSPs
+                expression = 'none' // escapes values inside ${}
+                scriptlet = 'none' // escapes output from scriptlets in GSPs
                 taglib = 'none' // escapes output from taglibs
                 staticparts = 'none' // escapes output from static template parts
             }

diff --git a/grails-app/controllers/net/continuumsecurity/ropeytasks/UserController.groovy b/grails-app/controllers/net/continuumsecurity/ropeytasks/UserController.groovy
@@ -7,8 +7,6 @@ import com.sun.xml.internal.rngom.parse.xml.SchemaParser.ParamState;
 class UserController {
 
     static allowedMethods = [save: "POST", update: "POST", delete: "POST"]
-
-	def recaptchaService
 
 	def edit() {
 		//def userInstance = User.get(session.user.id)
@@ -68,13 +66,6 @@ class UserController {
 			render(view: 'recover')
 			return
 		}
-		if (!recaptchaService.verifyAnswer(session, request.getRemoteAddr(), params)) {
-			flash.message = "CAPTCHA failed"
-			render(view: "recover")
-			return
-		} else {
-			recaptchaService.cleanUp(session)
-		}
 		def users = User.executeQuery("from User u where u.email='${params.email}'")
 		if (users != null && users.size() > 0) {
 			flash.message = 'Email with login details sent!'
@@ -92,17 +83,6 @@ class UserController {
 			if (users != null && users.size() > 0) {
 				user = users[0]
 				session['failedLogins'] = user.failedLogins
-				if (session['failedLogins'] >= 3) {
-					if (!recaptchaService.verifyAnswer(session, request.getRemoteAddr(), params)) {
-						flash.message = "CAPTCHA failed"
-						log.debug("CAPTCHA failed, returning user: "+user.username)
-						render(view: "login",model: [user: user])
-						return
-					} else {
-						recaptchaService.cleanUp(session)
-						flash.message = ""
-					}
-				}
 
 				if (user.password.equalsIgnoreCase(params.password)) {
 					user.failedLogins = 0

diff --git a/grails-app/views/task/list.gsp b/grails-app/views/task/list.gsp
@@ -17,10 +17,10 @@
 		</div>
 		<div id="list-task" class="content scaffold-list" role="main">
 			<g:form name="search" method="GET" action="search">
-				<table><tr><td><g:textField name="q"/></td><td><g:submitButton name="search" value="Search" /></td></tr></table>
+				<table><tr><td><g:textField name="q"/></td><td><g:submitButton name="search-button" value="Search" /></td></tr></table>
 			</g:form>
 			<g:if test="${query?.length() > 0}">
-				Results for: ${query}
+				Results for: ${raw(query)}
 			</g:if>
 
 			<h1><g:message code="default.list.label" args="[entityName]" /></h1>

diff --git a/ropeytasks-grailsPlugins.iml b/ropeytasks-grailsPlugins.iml
@@ -1,11 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module type="JAVA_MODULE" version="4">
   <component name="FacetManager">
+    <facet type="Spring" name="Spring">
+      <configuration />
+    </facet>
     <facet type="web" name="GrailsWeb">
       <configuration>
         <webroots>
-          <root url="file://$MODULE_DIR$/target/work/plugins/jquery-1.11.1/web-app" relative="/" />
           <root url="file://$MODULE_DIR$/target/work/plugins/database-migration-1.4.0/grails-app/views" relative="/" />
+          <root url="file://$MODULE_DIR$/target/work/plugins/jquery-1.11.1/web-app" relative="/" />
         </webroots>
         <sourceRoots />
       </configuration>
@@ -47,6 +50,9 @@
       <sourceFolder url="file://$MODULE_DIR$/target/work/plugins/scaffolding-2.1.2/src/java" isTestSource="false" />
       <sourceFolder url="file://$MODULE_DIR$/target/work/plugins/scaffolding-2.1.2/src/groovy" isTestSource="false" />
     </content>
+    <content url="file://$MODULE_DIR$/target/work/plugins/standalone-1.3">
+      <sourceFolder url="file://$MODULE_DIR$/target/work/plugins/standalone-1.3/src/java" isTestSource="false" />
+    </content>
     <content url="file://$MODULE_DIR$/target/work/plugins/tomcat-7.0.55">
       <sourceFolder url="file://$MODULE_DIR$/target/work/plugins/tomcat-7.0.55/src/java" isTestSource="false" />
       <sourceFolder url="file://$MODULE_DIR$/target/work/plugins/tomcat-7.0.55/src/groovy" isTestSource="false" />

diff --git a/ropeytasks.jar b/ropeytasks.jar