From ee0444b6c7b8597b1acd6000f486488d08137492 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Fri, 29 Nov 2024 16:47:37 +0100
Subject: [PATCH] Fix missing URI encoding for vulnerability IDs

Fixes #1097

Signed-off-by: nscuro
---
 .../VulnerabilityAuditByOccurrence.vue | 5 ++-
 ...lnerabilityAuditGroupedByVulnerability.vue | 5 ++-
 .../portfolio/projects/ProjectFindings.vue | 4 +--
 .../vulnerabilities/AffectedProjects.vue | 2 +-
 .../vulnerabilities/Vulnerability.vue | 35 ++++++++++++++-----
 .../VulnerabilityCreateVulnerabilityModal.vue | 4 ++-
 .../vulnerabilities/VulnerabilityList.vue | 10 ++++--
 7 files changed, 48 insertions(+), 17 deletions(-)

diff --git a/src/views/globalAudit/VulnerabilityAuditByOccurrence.vue b/src/views/globalAudit/VulnerabilityAuditByOccurrence.vue
index 806e1f351..8942f65b9 100644
--- a/src/views/globalAudit/VulnerabilityAuditByOccurrence.vue
+++ b/src/views/globalAudit/VulnerabilityAuditByOccurrence.vue
@@ -491,7 +491,10 @@ export default {
 sortable: true,
 formatter(value, row, index) {
 let url = xssFilters.uriInUnQuotedAttr(
- '../vulnerabilities/' + row.vulnerability.source + '/' + value,
+ '../vulnerabilities/' +
+ row.vulnerability.source +
+ '/' +
+ encodeURIComponent(value),
 );
 return (
 common.formatSourceLabel(row.vulnerability.source) +
diff --git a/src/views/globalAudit/VulnerabilityAuditGroupedByVulnerability.vue b/src/views/globalAudit/VulnerabilityAuditGroupedByVulnerability.vue
index 893045c8e..5deb43191 100644
--- a/src/views/globalAudit/VulnerabilityAuditGroupedByVulnerability.vue
+++ b/src/views/globalAudit/VulnerabilityAuditGroupedByVulnerability.vue
@@ -456,7 +456,10 @@ export default {
 sortable: true,
 formatter(value, row, index) {
 let url = xssFilters.uriInUnQuotedAttr(
- '../vulnerabilities/' + row.vulnerability.source + '/' + value,
+ '../vulnerabilities/' +
+ row.vulnerability.source +
+ '/' +
+ encodeURIComponent(value),
 );
 return (
 common.formatSourceLabel(row.vulnerability.source) +
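Review bot: The added `row.vulnerability.source +` line still places the source segment into the href raw while the neighbouring vulnId now goes through `encodeURIComponent`, so the two path segments are handled asymmetrically. Source is presumably a small fixed set of identifiers returned by the API, so I do not see a concrete exploit, but `xssFilters.uriInUnQuotedAttr` only neutralises the attribute context and does nothing about `/`, `?` or `#` inside a segment, which is exactly the class of bug this commit fixes for the id. I would encode it as well: `+ encodeURIComponent(row.vulnerability.source) +`. The same shape recurs in the VulnerabilityAuditGroupedByVulnerability hunk that follows, and both `formatter` bodies continue past the end of their hunks.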
diff --git a/src/views/portfolio/projects/ProjectFindings.vue b/src/views/portfolio/projects/ProjectFindings.vue
index c805c1ed2..604cb8759 100644
--- a/src/views/portfolio/projects/ProjectFindings.vue
+++ b/src/views/portfolio/projects/ProjectFindings.vue
@@ -238,7 +238,7 @@ export default {
 '../../../vulnerabilities/' +
 row.vulnerability.source +
 '/' +
- value,
+ encodeURIComponent(value),
 );
 return (
 common.formatSourceLabel(row.vulnerability.source) +
@@ -263,7 +263,7 @@ export default {
 '../../../vulnerabilities/' +
 alias.source +
 '/' +
- alias.vulnId,
+ encodeURIComponent(alias.vulnId),
 );
 label +=
 common.formatSourceLabel(alias.source) +
diff --git a/src/views/portfolio/vulnerabilities/AffectedProjects.vue b/src/views/portfolio/vulnerabilities/AffectedProjects.vue
index 09b248226..ad93410e7 100644
--- a/src/views/portfolio/vulnerabilities/AffectedProjects.vue
+++ b/src/views/portfolio/vulnerabilities/AffectedProjects.vue
@@ -118,7 +118,7 @@ export default {
 },
 methods: {
 apiUrl: function () {
- let url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/source/${this.source}/vuln/${this.vulnId}/projects`;
+ let url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/source/${this.source}/vuln/${encodeURIComponent(this.vulnId)}/projects`;
 if (this.showInactiveProjects === undefined) {
 url += '?excludeInactive=true';
 } else {
diff --git a/src/views/portfolio/vulnerabilities/Vulnerability.vue b/src/views/portfolio/vulnerabilities/Vulnerability.vue
index 3f20f7f54..102f25f0d 100644
--- a/src/views/portfolio/vulnerabilities/Vulnerability.vue
+++ b/src/views/portfolio/vulnerabilities/Vulnerability.vue
@@ -66,7 +66,7 @@ {{ alias.vulnId }}
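Review bot: In the rewritten `apiUrl` template on the `+` line of the AffectedProjects hunk, `this.source` is interpolated into the API path without encoding while `this.vulnId` beside it now is, so a source value containing `/` or `?` would still alter the request path. Where `this.source` comes from is not visible here (presumably a prop filled from the route), so treat this as defence in depth rather than a known bug. For consistency I would wrap both segments, `/source/${encodeURIComponent(this.source)}/vuln/${encodeURIComponent(this.vulnId)}/projects`. `apiUrl` continues past the end of the hunk.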
@@ -446,7 +446,7 @@ export default {
 if (this.uuid) {
 url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/${this.uuid}`;
 } else {
- url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/source/${this.source}/vuln/${this.vulnId}`;
+ url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/source/${this.source}/vuln/${encodeURIComponent(this.vulnId)}`;
 }
 this.axios.get(url).then((response) => {
 this.vulnerability = response.data;
@@ -467,7 +467,7 @@ export default {
 initializeData: function () {
 this.uuid = this.$route.params.uuid;
 this.source = this.$route.params.source;
- this.vulnId = this.$route.params.vulnId;
+ this.vulnId = decodeURIComponent(this.$route.params.vulnId);
 },
 routeTo(path) {
 if (path) {
@@ -479,19 +479,31 @@ export default {
 '/vulnerabilities/' +
 this.source +
 '/' +
- this.vulnId +
+ encodeURIComponent(this.vulnId) +
 '/' +
 path,
 });
 }
 } else if (
 this.$route.fullPath !==
- '/vulnerabilities/' + this.source + '/' + this.vulnId &&
+ '/vulnerabilities/' +
+ this.source +
+ '/' +
+ encodeURIComponent(this.vulnId) &&
 this.$route.fullPath !==
- '/vulnerabilities/' + this.source + '/' + this.vulnId + '/'
+ '/vulnerabilities/' +
+ this.source +
+ '/' +
+ encodeURIComponent(this.vulnId) +
+ '/'
 ) {
 this.$router.push({
- path: '/vulnerabilities/' + this.source + '/' + this.vulnId + '/',
+ path:
+ '/vulnerabilities/' +
+ this.source +
+ '/' +
+ encodeURIComponent(this.vulnId) +
+ '/',
 });
 }
 },
@@ -500,7 +512,7 @@ export default {
 '/vulnerabilities\\/' +
 this.source +
 '\\/' +
- this.vulnId +
+ encodeURIComponent(this.vulnId) +
 '\\/([^\\/]*)',
 'gi',
 );
@@ -533,7 +545,12 @@ export default {
 } catch (e) {
 this.$toastr.e(this.$t('condition.forbidden'));
 this.$router.replace({
- path: '/vulnerabilities/' + this.source + '/' + this.vulnId + '/',
+ path:
+ '/vulnerabilities/' +
+ this.source +
+ '/' +
+ encodeURIComponent(this.vulnId) +
+ '/',
 });
 this.$refs.overview.active = true;
 }
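Review bot: The rewritten `url` template in the `@@ -446` hunk still interpolates `this.source` raw, and the `this.uuid` branch two lines above is untouched, so only one of the three route-derived values in this function is encoded. All three are assigned straight from `$route.params` in the `initializeData` hunk below, i.e. they come from the address bar, so `this.source` and `this.uuid` should be wrapped in `encodeURIComponent(...)` the same way `this.vulnId` now is. The function that builds and fetches `url` starts before the hunk and its `.then` handler continues after it.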
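Review bot: `decodeURIComponent(this.$route.params.vulnId)` on the added line of the `@@ -467` hunk throws a `URIError` on a malformed percent sequence (a link ending in `%E0%A4%A` or a bare `%`), so a crafted URL now aborts `initializeData` before `vulnId` is assigned instead of ending in a failed lookup. Guard it: `try { this.vulnId = decodeURIComponent(this.$route.params.vulnId); } catch (e) { this.vulnId = this.$route.params.vulnId; }`. Vue Router already hands back decoded path params in the versions I know, in which case this is a second decode and an id containing a literal `%25` would be altered; worth confirming against the router version the project pins, and if that holds the call can simply be dropped. `routeTo` begins inside this hunk and continues past it.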
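Review bot: The encoded id on the added `encodeURIComponent(this.vulnId) +` line of the `@@ -500` hunk is spliced into a `RegExp` source, and `encodeURIComponent` leaves the metacharacters `.`, `*`, `(` and `)` untouched, so an id containing an unbalanced `(` or a `*` makes the `new RegExp` constructor throw a `SyntaxError`, and a `.` matches any character rather than a literal dot. Escape after encoding: `encodeURIComponent(this.vulnId).replace(/[.*()]/g, '\\$&') +`, and the `this.source +` line above it needs the same treatment. The `new RegExp(` call and the code consuming the match lie outside the hunk.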
diff --git a/src/views/portfolio/vulnerabilities/VulnerabilityCreateVulnerabilityModal.vue b/src/views/portfolio/vulnerabilities/VulnerabilityCreateVulnerabilityModal.vue
index fd6411350..5cfbc842d 100644
--- a/src/views/portfolio/vulnerabilities/VulnerabilityCreateVulnerabilityModal.vue
+++ b/src/views/portfolio/vulnerabilities/VulnerabilityCreateVulnerabilityModal.vue
@@ -1508,7 +1508,9 @@ export default {
 this.$emit('refreshTable');
 this.$toastr.s(this.$t('message.vulnerability_created'));
 this.$router.replace({
- path: '/vulnerabilities/INTERNAL/' + this.vulnerability.vulnId,
+ path:
+ '/vulnerabilities/INTERNAL/' +
+ encodeURIComponent(this.vulnerability.vulnId),
 });
 })
 .catch((error) => {
diff --git a/src/views/portfolio/vulnerabilities/VulnerabilityList.vue b/src/views/portfolio/vulnerabilities/VulnerabilityList.vue
index d3fa22ee2..31725c80a 100644
--- a/src/views/portfolio/vulnerabilities/VulnerabilityList.vue
+++ b/src/views/portfolio/vulnerabilities/VulnerabilityList.vue
@@ -74,7 +74,10 @@ export default {
 sortable: true,
 formatter(value, row, index) {
 let url = xssFilters.uriInUnQuotedAttr(
- '../vulnerabilities/' + row.source + '/' + value,
+ '../vulnerabilities/' +
+ row.source +
+ '/' +
+ encodeURIComponent(value),
 );
 return (
 common.formatSourceLabel(row.source) +
@@ -93,7 +96,10 @@ export default {
 for (let i = 0; i < aliases.length; i++) {
 let alias = aliases[i];
 let url = xssFilters.uriInUnQuotedAttr(
- '../vulnerabilities/' + alias.source + '/' + alias.vulnId,
+ '../vulnerabilities/' +
+ alias.source +
+ '/' +
+ encodeURIComponent(alias.vulnId),
 );
 label +=
 common.formatSourceLabel(alias.source) +
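Review bot: The added `row.source +` line in the VulnerabilityList `@@ -74` hunk leaves the source segment unencoded beside the now-encoded id, and the alias loop in the next hunk does the same with `alias.source +`. Source values presumably come from a fixed set, so this is defence in depth, but encoding both segments makes the href robust regardless of what the API returns: `+ encodeURIComponent(row.source) +` and `+ encodeURIComponent(alias.source) +`. Both `formatter` bodies continue past the end of their hunks.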