Fix XSS (CVE-2020-5497)

2020-04-10 15:15:49 -06:00 · 2020-04-10 15:15:49 -06:00 · cacf6a653b
parent 0d4ef2cb4f
commit cacf6a653b
2 changed files with 10 additions and 7 deletions
--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
@ -79,8 +79,9 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
 				// if they're logging into this server from a remote OIDC server, pass through their user info
 				OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
 				if (oidc.getUserInfo() != null) {
+					JsonElement json = gson.fromJson(oidc.getUserInfo().toJson().toString(), JsonElement.class);
 					request.setAttribute("userInfo", oidc.getUserInfo());
-					request.setAttribute("userInfoJson", oidc.getUserInfo().toJson());
+					request.setAttribute("userInfoJson", gson.toJson(json));
 				} else {
 					request.setAttribute("userInfo", null);
 					request.setAttribute("userInfoJson", "null");
@ -94,8 +95,9 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {

 					// if we have one, inject it so views can use it
 					if (user != null) {
+						JsonElement json = gson.fromJson(user.toJson().toString(), JsonElement.class);
 						request.setAttribute("userInfo", user);
-						request.setAttribute("userInfoJson", user.toJson());
+						request.setAttribute("userInfoJson", gson.toJson(json));
 					}
 				}
 			}
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag
@ -1,24 +1,25 @@
 <%@attribute name="pageName" required="false"%>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
 <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
 <%@ taglib prefix="o" tagdir="/WEB-INF/tags"%>
 <c:choose>
 	<c:when test="${ not empty userInfo.preferredUsername }">
-		<c:set var="shortName" value="${ userInfo.preferredUsername }" />
+		<c:set var="shortName" value="${ fn:escapeXml(userInfo.preferredUsername) }" />
 	</c:when>
 	<c:otherwise>
-		<c:set var="shortName" value="${ userInfo.sub }" />
+		<c:set var="shortName" value="${ fn:escapeXml(userInfo.sub) }" />
 	</c:otherwise>
 </c:choose>
 <c:choose>
 	<c:when test="${ not empty userInfo.name }">
-		<c:set var="longName" value="${ userInfo.name }" />
+		<c:set var="longName" value="${ fn:escapeXml(userInfo.name) }" />
 	</c:when>
 	<c:otherwise>
 		<c:choose>
 			<c:when test="${ not empty userInfo.givenName || not empty userInfo.familyName }">
-				<c:set var="longName" value="${ userInfo.givenName } ${ userInfo.familyName }" />
+				<c:set var="longName" value="${ fn:escapeXml(userInfo.givenName) } ${ fn:escapeXml(userInfo.familyName) }" />
 			</c:when>
 			<c:otherwise>
 				<c:set var="longName" value="${ shortName }" />