Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Tag Cleaning on Frontend #6052

Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Remove Tag Cleaning on Frontend #6052

wants to merge 5 commits into from

Conversation

charleshu-8
Copy link
Contributor

@charleshu-8 charleshu-8 commented Aug 1, 2024
edited
Loading

  • Make frontend display any tags given in the OHDF object.

@charleshu-8
Clean up tags
95d4d3e 
Signed-off-by: Charles Hu <[email protected]>
@charleshu-8 charleshu-8 added the bug Something isn't working label Aug 1, 2024
@charleshu-8 charleshu-8 self-assigned this Aug 1, 2024
@charleshu-8 charleshu-8 linked an issue Aug 1, 2024 that may be closed by this pull request
HTML export doesn't render html properly in some cases [BUG] #6038
Open
@charleshu-8
Copy link
Contributor Author

The tags stem from how the Fortify mapper doesn't seem to clean up the XML tags that are converted and used in its mappings. Adding a tag filter on the HTML export side removes these tags to mirror how we do things on the frontend, but it does seem like some context is lost as a result of the tags encoding some information.

EX)

  • Pre-filter:
    &lt;Content&gt;&lt;Paragraph&gt;Attackers are able to control the file system path argument to &lt;Replace key&#x3D;&quot;PrimaryCall.name&quot;&#x2F;&gt; at &lt;Replace key&#x3D;&quot;PrimaryLocation.file&quot;&#x2F;&gt; line &lt;Replace key&#x3D;&quot;PrimaryLocation.line&quot;&#x2F;&gt;, which allows them to access or modify otherwise protected files.&lt;AltParagraph&gt;Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.&lt;&#x2F;AltParagraph&gt;&lt;&#x2F;Paragraph&gt;&lt;&#x2F;Content&gt;

  • Post-filter:
    Attackers are able to control the file system path argument to at line , which allows them to access or modify otherwise protected files.Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.

As this behavior is mirrored on the frontend as well, I recommend addressing this issue in a rework of the Fortify mapper instead.

@charleshu-8 charleshu-8 marked this pull request as ready for review August 1, 2024 10:51
Amndeep7
Amndeep7 requested changes Aug 1, 2024
View reviewed changes
Copy link
Contributor

@Amndeep7 Amndeep7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not agree with this PR.

I am actually fine with the raw HTML showing up in the results cause now we can see the full information.

I think the correct direction would be to fix both the frontend and the HTML export to allow for displaying HTML formatted data.

@charleshu-8
Undo tag cleaning
9ea6714 
Signed-off-by: Charles Hu <[email protected]>
@charleshu-8 charleshu-8 changed the title Clean Up Tags in HTML Export Remove Tag Cleaning on Frontend Aug 1, 2024
@charleshu-8
Copy link
Contributor Author

Pivoting this to instead remove tag cleaning on Heimdall frontend.

@charleshu-8 charleshu-8 marked this pull request as draft August 1, 2024 20:07
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Aug 23, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Amndeep7 Amndeep7 Amndeep7 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@charleshu-8 charleshu-8

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

HTML export doesn't render html properly in some cases [BUG]
2 participants
@charleshu-8 @Amndeep7