Security. Fix path traversal, XSS, and information exposure vulnerabilities#474
Security. Fix path traversal, XSS, and information exposure vulnerabilities#474maximmasiutin wants to merge 2 commits intokeepers-team:masterfrom
Conversation
…lities detected by Snyk
There was a problem hiding this comment.
Pull request overview
This pull request addresses critical security vulnerabilities including path traversal, XSS (Cross-Site Scripting), and information exposure issues in the Web-TLO application. The changes include input sanitization, output encoding, and improved error handling to prevent sensitive information leakage.
Key changes:
- Added path traversal protection using
basename()and regex validation for log file access - Implemented HTML escaping for user-facing outputs to prevent XSS attacks
- Replaced detailed exception messages with generic error messages to prevent information disclosure
- Added server-side error logging for debugging while hiding details from end users
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| src/scripts/jquery.common.js | Added HTML escaping function and applied escaping to version update notification display |
| src/php/actions/tor_client_is_online.php | Added htmlspecialchars to escape client comment parameter |
| src/php/actions/get_torrent_files.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/get_statistics.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/get_reports_hashes.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/get_reports.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/get_log_content.php | Added path traversal protection using basename and regex validation |
| src/php/actions/get_list_subsections.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/get_filtered_list_topics.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/exec_actions_topics.php | Replaced detailed exception message with generic error and added error logging |
| src/php/actions/exclude_topics.php | Replaced direct exception message output with fallback error message |
| src/php/actions/clear_log_content.php | Added path traversal protection using basename and regex validation |
| src/php/actions/add_topics_to_client.php | Replaced detailed exception message with generic error and added error logging |
| src/index.php | Added htmlspecialchars escaping to version display and wiki link, replaced detailed DB error with generic message |
| src/back/WebTLO.php | Added htmlspecialchars escaping to various output methods and fixed HTML tag bug |
| src/back/Legacy/Log.php | Changed formatRows call to include replace: true parameter for HTML escaping |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| function showNewVersion(newVersionNumber, newVersionLink, whatsNew) { | ||
| var safeVersion = escapeHtml(newVersionNumber); | ||
| var safeLink = encodeURI(newVersionLink); |
There was a problem hiding this comment.
The encodeURI function is not sufficient for safely inserting URLs into HTML attributes. It does not encode quotes, which means if newVersionLink contains a double quote, it could break out of the href attribute and potentially lead to XSS. Use encodeURIComponent for the path and query string parts, or consider using textContent to set the link dynamically instead of string concatenation.
| var safeLink = encodeURI(newVersionLink); | |
| var safeLink = escapeHtml(newVersionLink); |
src/scripts/jquery.common.js
Outdated
| $("#new_version_description") | ||
| .attr("title", whatsNew) | ||
| .append(`(Доступно обновление: <a id="new_version_link" target="_blank" href="${newVersionLink}">v${newVersionNumber}</a>)`); | ||
| .attr("title", safeWhatsNew) | ||
| .append('(Dostupno obnovlenie: <a id="new_version_link" target="_blank" href="' + safeLink + '">v' + safeVersion + '</a>)'); |
There was a problem hiding this comment.
While the version number and whatsNew text are properly escaped, constructing HTML via string concatenation and then using .append() can still be risky. Consider using jQuery's DOM manipulation methods to create elements safely instead. For example: create the anchor element with .attr('href', safeLink) and .text(safeVersion), then append it to the parent element.
| echo 'Обновление "чёрного списка" раздач успешно завершено'; | ||
| } catch (Exception $e) { | ||
| echo $e->getMessage(); | ||
| echo $result ?? 'Error occurred'; |
There was a problem hiding this comment.
The variable $result may not be defined in the exception handler if the exception is thrown before line 10 (e.g., if an exception occurs during autoloading or in App::create()). This would cause a PHP warning about an undefined variable. Consider always initializing $result at the beginning of the try block or using an explicit error message: echo 'Error occurred'; without the null coalescing operator.
| $log->error($result); | ||
| $log->error($e->getMessage()); | ||
| } else { | ||
| Log::append($result); |
There was a problem hiding this comment.
In the exception handler, Log::append($result) is called with the generic error message instead of the actual exception message. This loses important debugging information in the log. Consider calling Log::append($e->getMessage()) or a more detailed error description to ensure the log contains useful troubleshooting information.
| Log::append($result); | |
| Log::append($e->getMessage()); |
| $result = $e->getMessage(); | ||
| error_log('get_torrent_files error: ' . $e->getMessage()); | ||
| $result = 'An error occurred while downloading torrent files'; | ||
| Log::append($result); |
There was a problem hiding this comment.
In the exception handler, Log::append($result) is called with the generic error message instead of the actual exception message. This loses important debugging information in the log. Consider calling Log::append($e->getMessage()) or a more detailed error description to ensure the log contains useful troubleshooting information.
| Log::append($result); | |
| Log::append($result . ': ' . $e->getMessage()); |
| $result = $e->getMessage(); | ||
| error_log('add_topics_to_client error: ' . $e->getMessage()); | ||
| $result = 'An error occurred while adding topics'; | ||
| Log::append($result); |
There was a problem hiding this comment.
In the exception handler, Log::append($result) is called with the generic error message instead of the actual exception message. This loses important debugging information in the log. Consider calling Log::append($e->getMessage()) or a more detailed error description to ensure the log contains useful troubleshooting information.
| Log::append($result); | |
| Log::append('add_topics_to_client error: ' . $e->getMessage()); |
No description provided.