Merge pull request from GHSA-r3vv-c788-9fph

fix(sec): filter tags in presentation name
Anton Georgiev 2024-01-11 16:07:18 -05:00 committed by GitHub
commit 59cdb136ad
3 changed files with 8 additions and 1 deletions


@ -21,6 +21,10 @@ public class ParamsUtil {
return text.replaceAll("\\p{Cc}", "").trim(); return text.replaceAll("\\p{Cc}", "").trim();
} }
public static String stripTags(String text) {
return text.replaceAll("<[^>]*>", "");
}
public static String escapeHTMLTags(String value) { public static String escapeHTMLTags(String value) {
return StringEscapeUtils.escapeHtml4(value); return StringEscapeUtils.escapeHtml4(value);
} }
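Review bot: The added `stripTags` removes only complete `<...>` sequences, so a `<` that is never closed, and every `&`, `"` and `'`, reach the caller unchanged even though the name is later interpolated into HTML markup by the client; the robust control is escaping at the point of output with the `escapeHTMLTags` method that already sits in this class, with the stripping kept as defence in depth. The pattern is also recompiled on every call; `private static final Pattern TAG = Pattern.compile("<[^>]*>");` with `return TAG.matcher(text).replaceAll("");` avoids that and needs only `java.util.regex.Pattern`. The new method also throws on a null argument, which a short Javadoc such as `/** Removes every complete {@code <...>} tag from the non-null {@code text}; an unterminated '<' is left as is. */` should state so callers know the limitation.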


@ -346,13 +346,14 @@ const removePackagedClassAttribute = (classnames, attribute) => {
}; };
const getExportedPresentationString = (fileURI, filename, intl, fileStateType) => { const getExportedPresentationString = (fileURI, filename, intl, fileStateType) => {
const sanitizedFilename = stripTags(filename);
const intlFileStateType = fileStateType === 'Original' ? intlMessages.original : intlMessages.withWhiteboardAnnotations; const intlFileStateType = fileStateType === 'Original' ? intlMessages.original : intlMessages.withWhiteboardAnnotations;
const href = `${APP.bbbWebBase}/${fileURI}`; const href = `${APP.bbbWebBase}/${fileURI}`;
const warningIcon = '<i class="icon-bbb-warning"></i>'; const warningIcon = '<i class="icon-bbb-warning"></i>';
const label = `<span>${intl.formatMessage(intlMessages.download)}</span>`; const label = `<span>${intl.formatMessage(intlMessages.download)}</span>`;
const notAccessibleWarning = `<span title="${intl.formatMessage(intlMessages.notAccessibleWarning)}">${warningIcon}</span>`; const notAccessibleWarning = `<span title="${intl.formatMessage(intlMessages.notAccessibleWarning)}">${warningIcon}</span>`;
const link = `<a aria-label="${intl.formatMessage(intlMessages.notAccessibleWarning)}" href=${href} type="application/pdf" target="_blank" rel="noopener, noreferrer" download>${label}&nbsp;${notAccessibleWarning}</a>`; const link = `<a aria-label="${intl.formatMessage(intlMessages.notAccessibleWarning)}" href=${href} type="application/pdf" target="_blank" rel="noopener, noreferrer" download>${label}&nbsp;${notAccessibleWarning}</a>`;
const name = `<span>$(unknown) (${intl.formatMessage(intlFileStateType)})</span>`; const name = `<span>${sanitizedFilename} (${intl.formatMessage(intlFileStateType)})</span>`;
return `${name}</br>${link}`; return `${name}</br>${link}`;
}; };
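Review bot: `sanitizedFilename` on the added line is still interpolated raw into the markup string on the `name` line, and `stripTags` (its definition and import are outside this hunk, so I am inferring it mirrors the server-side regex) removes only complete tags without escaping `&`, `"` or an unterminated `<`; since the returned string is presumably inserted as HTML, escaping the name here rather than stripping it would close the gap regardless of what the server stored. A small helper (say `escapeHtml`) that replaces `&`, `<`, `>`, `"` and `'` with their entities, applied as `const sanitizedFilename = escapeHtml(filename);`, does it with one line changed. The `href=${href}` attribute on the `link` line is unquoted; that is pre-existing, but worth quoting while this string is being touched.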


@ -30,6 +30,7 @@ import org.apache.commons.io.FilenameUtils;
import org.bigbluebutton.web.services.PresentationService import org.bigbluebutton.web.services.PresentationService
import org.bigbluebutton.presentation.UploadedPresentation import org.bigbluebutton.presentation.UploadedPresentation
import org.bigbluebutton.api.MeetingService; import org.bigbluebutton.api.MeetingService;
import org.bigbluebutton.api.util.ParamsUtil;
import org.bigbluebutton.api.Util; import org.bigbluebutton.api.Util;
class PresentationController { class PresentationController {
@ -161,6 +162,7 @@ class PresentationController {
// Gets the name minus the path from a full fileName. // Gets the name minus the path from a full fileName.
// a/b/c.txt --> c.txt // a/b/c.txt --> c.txt
presFilename = FilenameUtils.getName(presOrigFilename) presFilename = FilenameUtils.getName(presOrigFilename)
presFilename = ParamsUtil.stripTags(presFilename)
filenameExt = FilenameUtils.getExtension(presFilename) filenameExt = FilenameUtils.getExtension(presFilename)
} else { } else {
log.warn "Upload failed. File Empty." log.warn "Upload failed. File Empty."
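Review bot: After the added `ParamsUtil.stripTags(presFilename)` call the name can become empty or whitespace-only (a name made up entirely of a tag strips to nothing), and the code goes on to take its extension and, presumably, keep the file under that name; a blank check such as `if (!presFilename?.trim()) { log.warn "Upload failed. Invalid file name." }` followed by the same rejection path the empty-file branch below uses would close that. Stripping also changes the displayed name relative to what was uploaded, which is fine for a safety filter but deserves a one-line comment such as `// Strip HTML tags; the name is later rendered into markup by the client` above the call. The enclosing method starts and ends outside this hunk.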