Merge pull request from GHSA-32hw-3pvh-vcvc

* Fixing xss on common controller for Mautic 3.x branch. * Add test cases to validate xss filteration.
mautic · Aug 30, 2021 · 942cb69 · 942cb69
1 parent e6a4059
commit 942cb69
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 2 deletions.
diff --git a/app/bundles/CoreBundle/Controller/CommonController.php b/app/bundles/CoreBundle/Controller/CommonController.php
@@ -184,7 +184,7 @@ public function delegateView($args)
             $args = [
                 'contentTemplate' => $args,
                 'passthroughVars' => [
-                    'mauticContent' => strtolower($this->request->get('bundle')),
+                    'mauticContent' => strtolower(InputHelper::alphanum($this->request->query->get('bundle'))),
                 ],
             ];
         }
@@ -201,7 +201,7 @@ public function delegateView($args)
             if (isset($args['passthroughVars']['mauticContent'])) {
                 $mauticContent = $args['passthroughVars']['mauticContent'];
             } else {
-                $mauticContent = strtolower($this->request->get('bundle'));
+                $mauticContent = strtolower(InputHelper::alphanum($this->request->query->get('bundle')));
             }
             $args['viewParameters']['mauticContent'] = $mauticContent;
         }

diff --git a/app/bundles/UserBundle/Tests/Functional/Controller/PublicControllerTest.php b/app/bundles/UserBundle/Tests/Functional/Controller/PublicControllerTest.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * @copyright   2021 Mautic Contributors. All rights reserved
+ * @author      Mautic
+ *
+ * @link        http://mautic.org
+ *
+ * @license     GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
+ */
+
+namespace Mautic\UserBundle\Tests\Functional\Controller;
+
+use Mautic\CoreBundle\Test\MauticMysqlTestCase;
+
+class PublicControllerTest extends MauticMysqlTestCase
+{
+    /**
+     * Tests to ensure that xss is prevented on password reset page.
+     */
+    public function testXssFilterOnPasswordReset(): void
+    {
+        $this->client->request('GET', '/passwordreset?bundle=%27-alert("XSS%20TEST%20Mautic")-%27');
+        $clientResponse = $this->client->getResponse();
+        $this->assertSame(200, $clientResponse->getStatusCode(), 'Return code must be 200.');
+        $responseData = $clientResponse->getContent();
+        // Tests that actual string is not present.
+        $this->assertStringNotContainsString('-alert("xss test mautic")-', $responseData, 'XSS injection attempt is filtered.');
+        // Tests that sanitized string is passed.
+        $this->assertStringContainsString('alertxsstestmautic', $responseData, 'XSS sanitized string is present.');
+    }
+}