summaryrefslogtreecommitdiffstats
path: root/web/gui/src/dashboard.js/xss.js
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 14:31:17 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 14:31:17 +0000
commit8020f71afd34d7696d7933659df2d763ab05542f (patch)
tree2fdf1b5447ffd8bdd61e702ca183e814afdcb4fc /web/gui/src/dashboard.js/xss.js
parentInitial commit. (diff)
downloadnetdata-8020f71afd34d7696d7933659df2d763ab05542f.tar.xz
netdata-8020f71afd34d7696d7933659df2d763ab05542f.zip
Adding upstream version 1.37.1.upstream/1.37.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'web/gui/src/dashboard.js/xss.js')
-rw-r--r--web/gui/src/dashboard.js/xss.js84
1 files changed, 84 insertions, 0 deletions
diff --git a/web/gui/src/dashboard.js/xss.js b/web/gui/src/dashboard.js/xss.js
new file mode 100644
index 0000000..fa66f34
--- /dev/null
+++ b/web/gui/src/dashboard.js/xss.js
@@ -0,0 +1,84 @@
+// ----------------------------------------------------------------------------------------------------------------
+// XSS checks
+
+NETDATA.xss = {
+ enabled: (typeof netdataCheckXSS === 'undefined') ? false : netdataCheckXSS,
+ enabled_for_data: (typeof netdataCheckXSS === 'undefined') ? false : netdataCheckXSS,
+
+ string: function (s) {
+ return s.toString()
+ .replace(/</g, '&lt;')
+ .replace(/>/g, '&gt;')
+ .replace(/"/g, '&quot;')
+ .replace(/'/g, '&#39;');
+ },
+
+ object: function (name, obj, ignore_regex) {
+ if (typeof ignore_regex !== 'undefined' && ignore_regex.test(name)) {
+ // console.log('XSS: ignoring "' + name + '"');
+ return obj;
+ }
+
+ switch (typeof(obj)) {
+ case 'string':
+ const ret = this.string(obj);
+ if (ret !== obj) {
+ console.log('XSS protection changed string ' + name + ' from "' + obj + '" to "' + ret + '"');
+ }
+ return ret;
+
+ case 'object':
+ if (obj === null) {
+ return obj;
+ }
+
+ if (Array.isArray(obj)) {
+ // console.log('checking array "' + name + '"');
+
+ let len = obj.length;
+ while (len--) {
+ obj[len] = this.object(name + '[' + len + ']', obj[len], ignore_regex);
+ }
+ } else {
+ // console.log('checking object "' + name + '"');
+
+ for (var i in obj) {
+ if (obj.hasOwnProperty(i) === false) {
+ continue;
+ }
+ if (this.string(i) !== i) {
+ console.log('XSS protection removed invalid object member "' + name + '.' + i + '"');
+ delete obj[i];
+ } else {
+ obj[i] = this.object(name + '.' + i, obj[i], ignore_regex);
+ }
+ }
+ }
+ return obj;
+
+ default:
+ return obj;
+ }
+ },
+
+ checkOptional: function (name, obj, ignore_regex) {
+ if (this.enabled) {
+ //console.log('XSS: checking optional "' + name + '"...');
+ return this.object(name, obj, ignore_regex);
+ }
+ return obj;
+ },
+
+ checkAlways: function (name, obj, ignore_regex) {
+ //console.log('XSS: checking always "' + name + '"...');
+ return this.object(name, obj, ignore_regex);
+ },
+
+ checkData: function (name, obj, ignore_regex) {
+ if (this.enabled_for_data) {
+ //console.log('XSS: checking data "' + name + '"...');
+ return this.object(name, obj, ignore_regex);
+ }
+ return obj;
+ }
+};