Issues
- MODREP-23 (resolved; Mike Taylor): Cross-site Scripting (XSS) in server.go error response
- MODREP-22 (resolved; Mike Taylor): Release mod-reporting. Fix version: v1.3.0 (Sunflower)
- MODREP-21 (resolved; Mike Taylor): Ability to dynamically set port number at runtime
- MODREP-19 (resolved; Mike Taylor): Release mod-reporting. Fix version: x.x.x (Sunflower)
- MODREP-20 (resolved; Mike Taylor): Update to mod-reporting Java 21
- MODREP-18 (resolved; Mike Taylor): Reporting database password is disclosed in GET /ldp/config/dbinfo response
- MODREP-17 (resolved; Mike Taylor): Metadb-only features should fail more politely when run against LDP Classic
- MODREP-16 (resolved; Mike Taylor): Upgrade dependency on crypto library
- MODREP-15 (resolved; Mike Taylor): Format all code according to `gofmt` standard, add Makefile rule
- MODREP-14 (resolved; Mike Taylor): Set up dev-time vulnerability checking and fix existing vulnerabilities
- MODREP-13 (resolved; Mike Taylor): Upgrade required Go version to current
- MODREP-12 (resolved; Mike Taylor): Investigate out-of-memory problem
- MODREP-11 (resolved; Mike Taylor): Think about invalidation of session caching
- MODREP-10 (resolved; Mike Taylor): Config tool mishandles JSON object-vs-string dichotomy
- MODREP-9 (resolved; Mike Taylor): Release mod-reporting. Fix version: 1.1.0 (Ramsons)
- MODREP-8 (resolved; Mike Taylor): Implement /ldp/db/log
- MODREP-7 (resolved; Mike Taylor): Review and cleanup Module Descriptors for mod-reporting
- MODREP-6 (resolved; Mike Taylor): Make initial release
- MODREP-5 (resolved; David Crossley): Enable API-related GitHub Workflows
- MODREP-4 (Mike Taylor): Security checks on reporting-query URLs
- MODREP-3 (resolved; Mike Taylor): Change default logging configuration to include timestamp
- MODREP-2 (resolved; Mike Taylor): Provide meta-information from MetaDB via new WSAPIs
- MODREP-1 (resolved; Mike Taylor): Protect run-report facility from SQL injection
Cross-site Scripting (XSS) in server.go error response
Status: Done
Details
Assignee: Mike Taylor
Reporter: Julian Ladisch
Development Team: Thor
Release: Sunflower (R1 2025) Bug Fix
RCA Group: TBD
Created last week
Updated 20 hours ago
Resolved 5 days ago
Activity
Julian Ladisch 20 hours ago
Thank you!
func Error changes the Content-Type to text; server.go initially had set it to html: https://github.com/folio-org/mod-reporting/blob/v1.3.0/src/server.go#L106
Mike Taylor 5 days ago
It seems to me that func Error(w ResponseWriter, error string, code int) does not escape the string, so html.EscapeString would be needed in any case — is that your understanding, too?
Mike Taylor 5 days ago
Nicely spotted! Thanks, I’ll take this.
snyk.io reports that server.go (https://github.com/folio-org/mod-reporting/blob/v1.3.0/src/server.go#L161 and https://github.com/folio-org/mod-reporting/blob/v1.3.0/src/server.go#L176) creates an HTTP error response that may contain external content. An attacker may embed malicious HTML code into the external content resulting in a Cross-site Scripting (XSS) attack (provided that the response is directly displayed in the browser/front-end without masking of HTML entities).
Some options for a potential fix:
- func Error(w ResponseWriter, error string, code int): https://pkg.go.dev/net/http#Error
- html.EscapeString
- https://pkg.go.dev/net/http#hdr-Servers
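Added example, not mod-reporting's code, putting the two fix options from the report and the Content-Type point from the comments side by side: a constructed handler that writes request text into a text/html error body unescaped, the same handler with html.EscapeString, and the http.Error variant, which does not escape but forces text/plain. Handler names and the /report?q= request are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed handler in the shape the report describes (not mod-reporting's code):
// Content-Type was set to text/html, then request-controlled text is written unescaped.
func vulnerableErrorHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html")
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprintf(w, "<p>bad request: %s</p>", r.URL.Query().Get("q"))
}

// Option 1: html.EscapeString neutralises markup, so the body is safe even as text/html.
func escapedErrorHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html")
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprintf(w, "<p>bad request: %s</p>", html.EscapeString(r.URL.Query().Get("q")))
}

// Option 2: http.Error does not escape the string, but it overwrites Content-Type with
// text/plain and sets X-Content-Type-Options: nosniff, so browsers do not render it as HTML.
func httpErrorHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html") // replaced by http.Error
	http.Error(w, "bad request: "+r.URL.Query().Get("q"), http.StatusBadRequest)
}

// probe sends a constructed request whose q parameter is "<script>x</script>" and reports
// the response Content-Type, the body, and whether the tag came back unescaped.
func probe(h http.HandlerFunc) (contentType, body string, rawTag bool) {
	req := httptest.NewRequest("GET", "/report?q=%3Cscript%3Ex%3C%2Fscript%3E", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	body = rec.Body.String()
	return rec.Header().Get("Content-Type"), body, strings.Contains(body, "<script>")
}

func main() {
	for _, h := range []http.HandlerFunc{vulnerableErrorHandler, escapedErrorHandler, httpErrorHandler} {
		ct, body, raw := probe(h)
		fmt.Printf("Content-Type=%q rawScriptTag=%v body=%q\n", ct, raw, body)
	}
}
```

The http.Error variant still echoes the raw tag, which is why the comments conclude that escaping is needed whenever the response may be rendered as HTML.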