From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
To: Changqing Li <changqing.li@windriver.com>,
	Paul Eggleton <paul.eggleton@linux.microsoft.com>
Cc: yocto@lists.yoctoproject.org
Subject: Re: [yocto] [error-report-web][PATCH V2] Add local.conf and auto.conf into error details
Date: Mon, 22 Mar 2021 15:32:55 +0000
Message-ID: <70bfa1727257beadb87350d443821463c38d923c.camel@linuxfoundation.org>
In-Reply-To: <2ac16c10-de9d-1777-20da-4766af5e53f3@windriver.com>

On Fri, 2020-02-14 at 10:42 +0800, Changqing Li wrote:
> On 12/11/19 1:45 PM, Changqing Li wrote:
> > On 11/13/19 6:36 PM, Paul Eggleton wrote:
> > > Hi Changqing,
> > > 
> > > Some comments below.
> > > 
> > > On Tuesday, 12 November 2019 9:32:53 PM NZDT 
> > > changqing.li@windriver.com wrote:
> > > > From: Changqing Li <changqing.li@windriver.com>
> > > 
> > > 
> > > > +        {% if detail.BUILD.LOCAL_CONF != "" %}
> > > > +        <dt></a>Local Conf:</dt>
> > > > +        <dd style="white-space: pre-wrap;">{{ 
> > > > detail.BUILD.LOCAL_CONF | safe }}</dd>
> > > > +        {% endif %}
> > > > +
> > > > +        {% if detail.BUILD.AUTO_CONF != "" %}
> > > > +        <dt></a>Auto Conf:</dt>
> > > > +        <dd style="white-space: pre-wrap;">{{ 
> > > > detail.BUILD.AUTO_CONF | safe }}</dd>
> > > > +        {% endif %}
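Review bot: the `| safe` filter on both `<dd>` bodies switches off template autoescaping for `detail.BUILD.LOCAL_CONF` and `detail.BUILD.AUTO_CONF`, which are fields uploaded by whoever submits the error report, so any markup contained in them is emitted into the page verbatim; drop `| safe` and let autoescaping turn `<` and `>` into `&lt;` and `&gt;` at output time. Both `<dt></a>Local Conf:</dt>` and `<dt></a>Auto Conf:</dt>` also carry a stray closing `</a>` with no matching opening tag; remove it so the markup stays well-formed.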
> > > We cannot use the safe filter here - doing so could open up an XSS 
> > > vulnerability, since anyone can upload anything to the error-report 
> > > application and the content could include links or other malicious 
> > > HTML data. We should allow it to be auto-escaped. Is there a 
> > > particular issue you were using this to solve?
> > 
> > This is to resolve a problem when there are angle brackets in 
> > local.conf/auto.conf.
> > 
> > I have a patch in oe-core [OE-core] [PATCH] report-error.bbclass: 
> > replace angle brackets with &lt; and &gt;]
> > 
> > when we have the below content in local.conf or auto.conf:
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<raj.khem@gmail.com>"
> > send-error-report will fail with "HTTP Error 500: OK"
> > 
> > error-report-web does a rudimentary check on all fields that are
> > passed to the graphs page to avoid any XSS happening; if one contains
> > '<', the server will return an error (Invalid characters in json).
> > Fixed by using the escaped forms of <> to replace them.
> > 
> > NOTE: with this change, error-report-web needs to add the filter 'safe'
> > for the string it wants to display, to avoid further HTML escaping
> > prior to output. Below is how the content is displayed on the webpage:
> > with the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<raj.khem@gmail.com>"
> > without the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem@gmail.com&gt;"
> > 
> > Do you have good idea to resolve this? Thanks.

Sorry about the delay on this, we do really need to get this resolved.
I'm wondering if we should replace the angled brackets test with
https://github.com/mozilla/bleach which would then remove the need
for these workarounds.

Would you be able to update the patch for the other issues please
and then we can look at this one separately?

Thanks,

Richard
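The escaping question discussed in this thread, as an added example that is not part of the thread or of error-report-web's or oe-core's code: a small stand-in model of the template rendering in the patch. `html.escape` stands in for Django's autoescaping, `mark_safe=True` models the `| safe` filter, `client_preescape` models the report-error.bbclass workaround of rewriting angle brackets before upload, and `rejects_raw_angle_bracket` models the server's "Invalid characters in json" check. All function names and the sample local.conf line are constructed for the illustration; bleach, which Richard suggests, is a sanitiser and is not modelled here.

```python
import html

# Constructed sample input: the local.conf line quoted in the thread.
LOCAL_CONF_LINE = 'BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<raj.khem@gmail.com>"'
DD_OPEN = '<dd style="white-space: pre-wrap;">'
DD_CLOSE = "</dd>"


def autoescape(value: str) -> str:
    """Stand-in for Django template autoescaping: escapes & < > " ' on output."""
    return html.escape(value, quote=True)


def render_dd(value: str, mark_safe: bool = False) -> str:
    """Render the <dd> from the patch. mark_safe=True models `{{ value | safe }}`,
    which tells the template engine to emit the submitted text verbatim."""
    body = value if mark_safe else autoescape(value)
    return f"{DD_OPEN}{body}{DD_CLOSE}"


def client_preescape(value: str) -> str:
    """Models the oe-core report-error.bbclass workaround: the submitter
    rewrites angle brackets before upload so the server never sees a raw '<'."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def rejects_raw_angle_bracket(value: str) -> bool:
    """Models error-report-web's rudimentary check that answers
    'Invalid characters in json' (HTTP 500) when a field contains '<'."""
    return "<" in value


def displayed_text(rendered_dd: str) -> str:
    """What a browser shows for an escaped <dd> body: entities decoded back to text.
    Only meaningful for escaped bodies; a verbatim body would be parsed as markup."""
    assert rendered_dd.startswith(DD_OPEN) and rendered_dd.endswith(DD_CLOSE)
    body = rendered_dd[len(DD_OPEN):-len(DD_CLOSE)]
    return html.unescape(body)


def compare_pipelines(value: str) -> dict:
    """Walk the pipelines discussed in the thread for one submitted value."""
    results = {}

    # 1. Current state: the raw text is uploaded and the '<' check rejects it.
    results["raw_upload_rejected"] = rejects_raw_angle_bracket(value)

    # 2. Proposed workaround: submitter pre-escapes, template marks it `safe`.
    #    The check passes and the line reads correctly, but `safe` also passes
    #    through unchanged any other markup a submitter chooses to upload.
    pre = client_preescape(value)
    results["preescaped_passes_check"] = not rejects_raw_angle_bracket(pre)
    results["safe_output"] = render_dd(pre, mark_safe=True)

    # 3. Pre-escaping without `safe`: autoescaping runs again and the reader
    #    sees literal '&lt;' / '&gt;' (the double escaping shown in the thread).
    results["double_escaped_output"] = render_dd(pre, mark_safe=False)

    # 4. Escape exactly once, on output: if the server accepted the raw text
    #    for this field, autoescaping alone renders it and the browser shows
    #    the original characters, with no `safe` and no client-side rewriting.
    once = render_dd(value, mark_safe=False)
    results["escape_once_output"] = once
    results["escape_once_displays_original"] = displayed_text(once) == value
    return results


if __name__ == "__main__":
    for key, val in compare_pipelines(LOCAL_CONF_LINE).items():
        print(f"{key}: {val}")
```

Running the block walks the sample line through each pipeline. The point it makes is the one from the thread: escaping belongs at the output boundary, done once by the template engine; escaping on the client and then marking the value `safe` makes the display depend on every submitter doing the right thing, which is exactly what an error-report endpoint anyone can post to cannot rely on.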


Thread overview: 10+ messages
2019-11-12  8:32 [error-report-web][PATCH V2] Add local.conf and auto.conf into error details changqing.li
2019-11-13 10:36 ` Paul Eggleton
2019-12-11  5:45   ` [yocto] " Changqing Li
2019-12-17  3:48     ` Changqing Li
2020-01-04 21:06       ` Khem Raj
2020-01-06  1:02         ` Changqing Li
2020-02-14  2:42     ` Changqing Li
2020-02-14 16:18       ` Armin Kuster
2021-03-22 15:32       ` Richard Purdie [this message]
     [not found]       ` <166EB3F47EB07A94.1968@lists.yoctoproject.org>
2021-03-22 17:57         ` Richard Purdie
