From 72946e11135e250ad24d32a2a06fb1698158e33a Mon Sep 17 00:00:00 2001
From: Lan Tian <xuyh0120@outlook.com>
Date: Sun, 17 Jan 2021 01:14:49 +0800
Subject: [PATCH] frontend: filter output to prevent XSS

---
 frontend/bgpmap.go                     |  5 +++--
 frontend/bindata/templates/bgpmap.tpl  |  6 ++++--
 frontend/bindata/templates/page.tpl    | 12 ++++++------
 frontend/bindata/templates/summary.tpl | 12 ++++++------
 frontend/render.go                     |  4 +++-
 frontend/webserver.go                  |  4 ++--
 6 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/frontend/bgpmap.go b/frontend/bgpmap.go
index add7697..203cd0c 100644
--- a/frontend/bgpmap.go
+++ b/frontend/bgpmap.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"html"
 	"net"
 	"strings"
 )
@@ -24,7 +25,7 @@ func birdRouteToGraphviz(servers []string, responses []string, target string) st
 	graph := make(map[string]string)
 	// Helper to add an edge
 	addEdge := func(src string, dest string, attr string) {
-		key := "\"" + src + "\" -> \"" + dest + "\""
+		key := "\"" + html.EscapeString(src) + "\" -> \"" + html.EscapeString(dest) + "\""
 		_, present := graph[key]
 		// Do not remove edge's attributes if it's already present
 		if present && len(attr) == 0 {
@@ -34,7 +35,7 @@ func birdRouteToGraphviz(servers []string, responses []string, target string) st
 	}
 	// Helper to set attribute for a point in graph
 	addPoint := func(name string, attr string) {
-		key := "\"" + name + "\""
+		key := "\"" + html.EscapeString(name) + "\""
 		_, present := graph[key]
 		// Do not remove point's attributes if it's already present
 		if present && len(attr) == 0 {
diff --git a/frontend/bindata/templates/bgpmap.tpl b/frontend/bindata/templates/bgpmap.tpl
index 89b6aa6..24ca52c 100644
--- a/frontend/bindata/templates/bgpmap.tpl
+++ b/frontend/bindata/templates/bgpmap.tpl
@@ -1,4 +1,6 @@
 <h2>BGPmap: {{ html .Target }}</h2>
+<div id="bgpmap">
+</div>
 
 <script src="https://cdn.jsdelivr.net/npm/viz.js@2.1.2/viz.min.js" crossorigin="anonymous"></script>
 <script src="https://cdn.jsdelivr.net/npm/viz.js@2.1.2/lite.render.js" crossorigin="anonymous"></script>
@@ -6,9 +8,9 @@
   var viz = new Viz();
   viz.renderSVGElement(`{{ .Result }}`)
   .then(element => {
-    document.body.appendChild(element);
+    document.getElementById("bgpmap").appendChild(element);
   })
   .catch(error => {
-    document.body.innerHTML = "<pre>"+error+"</pre>"
+    document.getElementById("bgpmap").innerHTML = "<pre>"+error+"</pre>"
   });
 </script>
diff --git a/frontend/bindata/templates/page.tpl b/frontend/bindata/templates/page.tpl
index 5c50a02..017b51c 100644
--- a/frontend/bindata/templates/page.tpl
+++ b/frontend/bindata/templates/page.tpl
@@ -5,7 +5,7 @@
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
 <meta name="renderer" content="webkit">
-<title>{{ .Title }}</title>
+<title>{{ html .Title }}</title>
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.5.1/dist/css/bootstrap.min.css" integrity="sha256-VoFZSlmyTXsegReQCNmbXrS4hBBUl/cexZvPmPWoJsY=" crossorigin="anonymous">
 <meta name="robots" content="noindex, nofollow">
 </head>
@@ -29,12 +29,12 @@
 		<ul class="navbar-nav mr-auto">
 			<li class="nav-item">
 				<a class="nav-link{{ if .AllServersLinkActive }} active{{ end }}"
-					href="/{{ $option }}/{{ .AllServersURL }}/{{ $target }}"> All Servers </a>
+					href="/{{ urlquery $option }}/{{ urlquery .AllServersURL }}/{{ urlquery $target }}"> All Servers </a>
 			</li>
 			{{ range $k, $v := .Servers }}
 			<li class="nav-item">
 				<a class="nav-link{{ if eq $server $v }} active{{ end }}"
-					href="/{{ $option }}/{{ $v }}/{{ $target }}">{{ $v }}</a>
+					href="/{{ urlquery $option }}/{{ urlquery $v }}/{{ urlquery $target }}">{{ html $v }}</a>
 			</li>
 			{{ end }}
 		</ul>
@@ -45,11 +45,11 @@
 			<div class="input-group">
 				<select name="action" class="form-control">
 					{{ range $k, $v := .Options }}
-					<option value="{{ $k }}"{{ if eq $k $.URLOption }} selected{{end}}>{{ $v }}</option>
+					<option value="{{ html $k }}"{{ if eq $k $.URLOption }} selected{{end}}>{{ html $v }}</option>
 					{{ end }}
 				</select>
-				<input name="server" class="d-none" value="{{ $server }}">
-				<input name="target" class="form-control" placeholder="Target" aria-label="Target" value="{{ $target }}">
+				<input name="server" class="d-none" value="{{ html $server }}">
+				<input name="target" class="form-control" placeholder="Target" aria-label="Target" value="{{ html $target }}">
 				<div class="input-group-append">
 					<button class="btn btn-outline-success" type="submit">&raquo;</button>
 				</div>
diff --git a/frontend/bindata/templates/summary.tpl b/frontend/bindata/templates/summary.tpl
index eb72128..cd06d20 100644
--- a/frontend/bindata/templates/summary.tpl
+++ b/frontend/bindata/templates/summary.tpl
@@ -9,12 +9,12 @@
   <tbody>
 {{ range .Rows }}
     <tr class="table-{{ .MappedState }}">
-      <td><a href="/detail/{{ $ServerName }}/{{ urlquery .Name }}">{{ html .Name }}</a></td>
-      <td>{{ .Proto }}</td>
-      <td>{{ .Table }}</td>
-      <td>{{ .State }}</td>
-      <td>{{ .Since }}</td>
-      <td>{{ .Info  }}</td>
+      <td><a href="/detail/{{ urlquery $ServerName }}/{{ urlquery .Name }}">{{ html .Name }}</a></td>
+      <td>{{ html .Proto }}</td>
+      <td>{{ html .Table }}</td>
+      <td>{{ html .State }}</td>
+      <td>{{ html .Since }}</td>
+      <td>{{ html .Info  }}</td>
     </tr>
 {{ end }}
   </tbody>
diff --git a/frontend/render.go b/frontend/render.go
index 2b9da29..899fd6a 100644
--- a/frontend/render.go
+++ b/frontend/render.go
@@ -7,6 +7,7 @@ import (
 	"regexp"
 	"sort"
 	"strings"
+	"text/template"
 )
 
 // static options map
@@ -81,6 +82,7 @@ func renderPageTemplate(w http.ResponseWriter, r *http.Request, title string, co
 func smartFormatter(s string) string {
 	var result string
 	result += "<pre>"
+	s = template.HTMLEscapeString(s)
 	for _, line := range strings.Split(s, "\n") {
 		var lineFormatted string
 		if strings.HasPrefix(strings.TrimSpace(line), "BGP.as_path:") || strings.HasPrefix(strings.TrimSpace(line), "Neighbor AS:") || strings.HasPrefix(strings.TrimSpace(line), "Local AS:") {
@@ -103,7 +105,7 @@ func summaryTable(data string, serverName string) string {
 	lines := strings.Split(strings.TrimSpace(data), "\n")
 	if len(lines) <= 1 {
 		// Likely backend returned an error message
-		return "<pre>" + strings.TrimSpace(data) + "</pre>"
+		return "<pre>" + template.HTMLEscapeString(strings.TrimSpace(data)) + "</pre>"
 	}
 
 	args := TemplateSummary{
diff --git a/frontend/webserver.go b/frontend/webserver.go
index 71ac742..9dc36a9 100644
--- a/frontend/webserver.go
+++ b/frontend/webserver.go
@@ -9,7 +9,7 @@ import (
 	"os"
 	"strings"
 
-	"github.com/elazarl/go-bindata-assetfs"
+	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/gorilla/handlers"
 )
 
@@ -124,7 +124,7 @@ func webBackendCommunicator(endpoint string, command string) func(w http.Respons
 
 		renderPageTemplate(
 			w, r,
-			" - "+html.EscapeString(endpoint+" "+backendCommand),
+			" - "+endpoint+" "+backendCommand,
 			content,
 		)
 	}