Skip to content

Commit 8262f29

Browse files
authored
Merge pull request #25 from Pr0cella/2.9.0-patch
v2.9.0 CodeQL
2 parents e24db12 + 0509db4 commit 8262f29

5 files changed

Lines changed: 10 additions & 17 deletions

File tree

CHANGELOG.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@
2222
- **Resource loading behavior (visualizer disabled mode)**: STIX Composer and standalone STIX visualizer now avoid loading visualizer-owned and bundled third-party resources when `CONFIG.visualizer.enabled` is `false`.
2323

2424
### Security
25-
- **Iframe containment**: Embedded explorer/composer iframes now use sandbox containment (`allow-scripts allow-same-origin`).
25+
- **Iframe containment**: Embedded explorer/composer iframes now use sandbox containment (`allow-scripts allow-same-origin allow-modals`).
2626
- **Prototype pollution hardening**: Import parsing/sanitization now blocks dangerous keys (`__proto__`, `constructor`, `prototype`), uses safe JSON reviver parsing, null-prototype object collectors, and own-property checks in dynamic import field mapping.
2727

2828
#### Shared Loader Hardening

docs/IPC_API-DOCS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ Bootstrap:
3939
- Strict allowlists: message types and payload keys are validated; unknown keys/types are rejected.
4040
- Nonce binding: channel messages must include correct session nonce.
4141
- Immutable shared data: `AF_SHARED_DATA` is schema-checked, cloned, and deep-frozen.
42-
- Iframe containment: iframe sandbox is enabled (`allow-scripts allow-same-origin`).
42+
- Iframe containment: iframe sandbox is enabled (`allow-scripts allow-same-origin allow-modals`).
4343
- Request throttling: per-frame, per-request-type token-bucket limits (configurable).
4444
- Channel-only transport: legacy window request/response IPC path removed.
4545
- Bootstrap resilience: bounded timeout + retry/backoff with terminal failure signaling in child views.

index.html

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4096,7 +4096,8 @@ <h4>Tips</h4>
40964096
.replace(/>/g, '&gt;')
40974097
.replace(/"/g, '&quot;')
40984098
.replace(/'/g, '&#39;')
4099-
.replace(/`/g, '&#96;');
4099+
.replace(/`/g, '&#96;')
4100+
.replace(/\\/g, '&#92;');
41004101
},
41014102

41024103
// Normalize input: remove control chars, strip script tags, trim, limit length
@@ -4109,7 +4110,6 @@ <h4>Tips</h4>
41094110
// (see sanitize() and sanitizeForStorage()). KCE-SEC-010.
41104111
return String(str)
41114112
.replace(/[\x00-\x1F\x7F]/g, '') // Remove control chars
4112-
.replace(/<script[^>]*>.*?<\/script>/gi, '') // Remove script tags
41134113
.slice(0, maxLength);
41144114
},
41154115

@@ -4213,7 +4213,6 @@ <h4>Tips</h4>
42134213
: /[\x00-\x1F\x7F]/g;
42144214
return String(text)
42154215
.replace(controlPattern, '')
4216-
.replace(/<script[^>]*>.*?<\/script>/gi, '')
42174216
.slice(0, maxLength);
42184217
}
42194218

@@ -4715,8 +4714,8 @@ <h4>Tips</h4>
47154714
const group = (phaseData.groups || []).find(g => g.groupId === groupId);
47164715
if (!group) return;
47174716
group.collapsed = !group.collapsed;
4718-
const escapedId = window.CSS && CSS.escape ? CSS.escape(groupId) : groupId.replace(/"/g, '\\"');
4719-
const groupEl = document.querySelector(`.phase-group[data-group-id="${escapedId}"]`);
4717+
const groupEl = Array.from(document.querySelectorAll('.phase-group'))
4718+
.find(el => el?.dataset?.groupId === groupId);
47204719
if (groupEl) {
47214720
groupEl.classList.toggle('collapsed', group.collapsed);
47224721
} else {
@@ -8889,9 +8888,8 @@ <h4>Observables</h4>
88898888
? `<span class="phase-details-chip">Group: ${esc(item.groupLabel)}</span>`
88908889
: '';
88918890

8892-
const openAction = item.type === 'custom'
8893-
? `openEntityModal('custom', '${InputSecurity.encodeHtmlEntities(item.id)}', '${InputSecurity.encodeHtmlEntities(phaseKey)}', '${InputSecurity.encodeHtmlEntities(item.instanceId || '')}')`
8894-
: `openEntityModal('${escAttr(item.type)}', '${escAttr(item.id)}', '${escAttr(phaseKey)}', '${escAttr(item.instanceId || '')}')`;
8891+
const encodeInlineJsArg = (value) => InputSecurity.encodeHtmlEntities(JSON.stringify(String(value ?? '')));
8892+
const openAction = `openEntityModal(${encodeInlineJsArg(item.type)}, ${encodeInlineJsArg(item.id)}, ${encodeInlineJsArg(phaseKey)}, ${encodeInlineJsArg(item.instanceId || '')})`;
88958893

88968894
return `
88978895
<div class="phase-details-item clickable" onclick="${openAction}">
@@ -9432,8 +9430,6 @@ <h4>Observables</h4>
94329430
// Normalize, remove dangerous chars, limit length
94339431
return String(str)
94349432
.replace(/[\x00-\x1F\x7F]/g, '') // Control chars
9435-
.replace(/<script[^>]*>.*?<\/script>/gi, '') // Script tags
9436-
.replace(/on\w+\s*=/gi, '') // Event handlers (onmouseover=, onerror=, etc.)
94379433
.replace(/[\[\]\{\};"'`]/g, '') // Blocked chars including double quotes
94389434
.replace(/--+/g, '') // SQL comments
94399435
.replace(/</g, '&lt;').replace(/>/g, '&gt;') // Encode angle brackets

stix-builder.html

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -909,13 +909,13 @@ <h6>Outgoing Edges:</h6>
909909
.replace(/>/g, '&gt;')
910910
.replace(/"/g, '&quot;')
911911
.replace(/'/g, '&#39;')
912-
.replace(/`/g, '&#96;');
912+
.replace(/`/g, '&#96;')
913+
.replace(/\\/g, '&#92;');
913914
},
914915
normalize(str, maxLength = 10000) {
915916
if (str === null || str === undefined) return '';
916917
return String(str)
917918
.replace(/[\x00-\x1F\x7F]/g, '')
918-
.replace(/<script[^>]*>.*?<\/script>/gi, '')
919919
.slice(0, maxLength);
920920
},
921921
sanitize(str, maxLength = 10000) {
@@ -1299,8 +1299,6 @@ <h6>Outgoing Edges:</h6>
12991299
if (typeof str !== 'string') return '';
13001300
return String(str)
13011301
.replace(/[\x00-\x1F\x7F]/g, '')
1302-
.replace(/<script[^>]*>.*?<\/script>/gi, '')
1303-
.replace(/on\w+\s*=/gi, '')
13041302
.replace(/[\[\]\{\};"'`]/g, '')
13051303
.replace(/</g, '&lt;').replace(/>/g, '&gt;')
13061304
.trim()

stix-visualization/index.html

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,6 @@
33

44
<head>
55
<meta charset="utf-8"/>
6-
<link href="../css/cti_flatly_2024-05-07-bootstrap.css" rel="stylesheet">
76
<script src="../config.js"></script>
87
<script>
98
(function configureStixVisualizerAvailability() {

0 commit comments

Comments
 (0)