  1. Camunda Optimize
  2. OPT-6583

Validate the URL of a provided external report on a dashboard


Details

    • Bug Report
    • Resolution: Fixed
    • L3 - Default
    • 3.9.3
    • None
    • backend
    • None
    • Not defined

    Description

      Brief summary of the bug. What is it? Where is it?

      Adding a new report to a dashboard allows the user to add an external page, which will later be shown as a report displayed in an iframe. When the link to an external page is passed to the BE, the link itself is not validated to be a valid URL. This means the user can pass a script that would then be executed on page load. We should add validation on the saving of reports to make sure that an external report can only be saved with a valid URL. Note that the UI already prevents this, but we should have this validation at the API layer too.

      Steps to reproduce:

      Actual result:

      • create a dashboard
      • use "Add a Report" button
      • in the modal, go to the "External URL" tab and use the code below as the URL
        javascript:alert("SySS Stored XSS Proof of Concept within domain:\n\n"+document.domain) 
      • if you modify the HTML to enable the button, you can pass this script code to the server by clicking on the "Add Report" button

      Expected result:

      An external report should not be saved if it contains a link that is not a valid URL

       

      Testing Notes:

      • Invalid URLs should not be able to be used when saving external reports on dashboards. You might need to modify the HTML to be able to test this in the UI.
      • QA note: button element should be enabled 
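
      One way to implement the API-layer check described above, as an added example that is not Camunda Optimize's own code. The class and method names are hypothetical, and restricting external reports to http and https links with a host is an assumption about what counts as a valid URL here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Optimize code.
public class ExternalReportUrlValidator {

    // Assumption: an embedded external report only ever needs http or https.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    public static boolean isValidExternalUrl(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            // Strict parse, no trimming: whitespace, quotes, backslashes and
            // control characters make the value invalid instead of being cleaned up.
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false; // relative reference, javascript:, data:, file:, ...
        }
        // Opaque forms such as "https:example.com" parse but carry no host.
        String host = uri.getHost();
        return host != null && !host.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the payload from this report.
        List<String> samples = List.of(
            "javascript:alert(\"SySS Stored XSS Proof of Concept within domain:\\n\\n\"+document.domain)",
            "JaVaScRiPt:alert(1)",
            " javascript:alert(1)",
            "//example.com/report",
            "https:example.com",
            "https://example.com/report?id=1");
        for (String sample : samples) {
            System.out.println(isValidExternalUrl(sample) + "  " + sample);
        }
    }
}
```

      The check belongs in the code path that saves the dashboard, so that a request carrying an invalid external report link is rejected regardless of what the UI allowed.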


            People

              Unassigned Unassigned
              joshua.windels Joshua Windels