Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove Tag Cleaning on Frontend #6052

Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Remove Tag Cleaning on Frontend #6052

wants to merge 5 commits into from

Conversation

charleshu-8
Copy link
Contributor

@charleshu-8 charleshu-8 commented Aug 1, 2024

  • Make frontend display any tags given in the OHDF object.

Signed-off-by: Charles Hu <[email protected]>
@charleshu-8 charleshu-8 added the bug Something isn't working label Aug 1, 2024
@charleshu-8 charleshu-8 self-assigned this Aug 1, 2024
@charleshu-8 charleshu-8 linked an issue Aug 1, 2024 that may be closed by this pull request
@charleshu-8
Copy link
Contributor Author

The tags stem from how the Fortify mapper doesn't seem to clean up the XML tags that are converted and used in its mappings. Adding a tag filter on the HTML export side removes these tags to mirror how we do things on the frontend, but it does seem like some context is lost as a result of the tags encoding some information.

EX)

  • Pre-filter:
    &lt;Content&gt;&lt;Paragraph&gt;Attackers are able to control the file system path argument to &lt;Replace key&#x3D;&quot;PrimaryCall.name&quot;&#x2F;&gt; at &lt;Replace key&#x3D;&quot;PrimaryLocation.file&quot;&#x2F;&gt; line &lt;Replace key&#x3D;&quot;PrimaryLocation.line&quot;&#x2F;&gt;, which allows them to access or modify otherwise protected files.&lt;AltParagraph&gt;Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.&lt;&#x2F;AltParagraph&gt;&lt;&#x2F;Paragraph&gt;&lt;&#x2F;Content&gt;

  • Post-filter:
    Attackers are able to control the file system path argument to at line , which allows them to access or modify otherwise protected files.Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.

As this behavior is mirrored on the frontend as well, I recommend addressing this issue in a rework of the Fortify mapper instead.

@charleshu-8 charleshu-8 marked this pull request as ready for review August 1, 2024 10:51
Copy link
Contributor

@Amndeep7 Amndeep7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not agree with this PR.

I am actually fine with the raw HTML showing up in the results cause now we can see the full information.

I think the correct direction would be to fix both the frontend and the HTML export to allow for displaying HTML formatted data.

Signed-off-by: Charles Hu <[email protected]>
@charleshu-8 charleshu-8 changed the title Clean Up Tags in HTML Export Remove Tag Cleaning on Frontend Aug 1, 2024
@charleshu-8
Copy link
Contributor Author

Pivoting this to instead remove tag cleaning on Heimdall frontend.

@charleshu-8 charleshu-8 marked this pull request as draft August 1, 2024 20:07
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

HTML export doesn't render html properly in some cases [BUG]
2 participants