From b7ad6cfe6238829434005629b76bc5c3452bb609 Mon Sep 17 00:00:00 2001
From: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com>
Date: Thu, 25 Apr 2019 18:16:41 +0800
Subject: [PATCH 1/2] =?UTF-8?q?[Update]=20=E9=98=B2=E6=AD=A2=20XSS=20(#263?=
 =?UTF-8?q?3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [Bugfix] 修改管理用户列表显示bug

* [Bugfix] 修复刷新批量命令页面的bug

* [Update] 防止 XSS
---
 apps/assets/templates/assets/admin_user_assets.html      | 1 +
 apps/assets/templates/assets/admin_user_list.html        | 2 +-
 apps/assets/templates/assets/asset_list.html             | 1 +
 apps/assets/templates/assets/cmd_filter_list.html        | 1 +
 apps/assets/templates/assets/domain_list.html            | 1 +
 apps/assets/templates/assets/label_list.html             | 1 +
 apps/assets/templates/assets/system_user_asset.html      | 1 +
 apps/assets/templates/assets/system_user_list.html       | 1 +
 apps/common/const.py                                     | 4 ++--
 apps/ops/templates/ops/command_execution_create.html     | 4 ++++
 apps/perms/templates/perms/asset_permission_list.html    | 1 +
 apps/templates/_message.html                             | 3 ++-
 apps/terminal/templates/terminal/terminal_list.html      | 1 +
 apps/users/templates/users/user_granted_asset.html       | 4 +++-
 apps/users/templates/users/user_group_granted_asset.html | 4 +++-
 apps/users/templates/users/user_group_list.html          | 2 ++
 apps/users/templates/users/user_list.html                | 1 +
 17 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/apps/assets/templates/assets/admin_user_assets.html b/apps/assets/templates/assets/admin_user_assets.html
index d22c5406f..c893ead80 100644
--- a/apps/assets/templates/assets/admin_user_assets.html
+++ b/apps/assets/templates/assets/admin_user_assets.html
@@ -98,6 +98,7 @@ function initTable() {
 		order: [],
 		columnDefs: [
 			{targets: 0, createdCell: function (td, cellData, rowData) {
+			    cellData = htmlEscape(cellData);
 				var detail_btn = '<a href="{% url "assets:asset-detail" pk=DEFAULT_PK %}" data-aid="'+rowData.id+'">' + cellData + '</a>';
 				$(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
 			}},
diff --git a/apps/assets/templates/assets/admin_user_list.html b/apps/assets/templates/assets/admin_user_list.html
index 9b14a3d9c..605e89060 100644
--- a/apps/assets/templates/assets/admin_user_list.html
+++ b/apps/assets/templates/assets/admin_user_list.html
@@ -91,7 +91,7 @@ $(document).ready(function(){
              }}],
         ajax_url: '{% url "api-assets:admin-user-list" %}',
         columns: [{data: function(){return ""}}, {data: "name"}, {data: "username" }, {data: "assets_amount" },
-                  {data: "reachable_amount"}, {data: "unreachable_amount"}, {data: "id"}, {data: "comment"}]
+                  {data: "reachable_amount"}, {data: "unreachable_amount"}, {data: "id"}, {data: "comment"}, {data: "id"}]
     };
     jumpserver.initServerSideDataTable(options)
 })
diff --git a/apps/assets/templates/assets/asset_list.html b/apps/assets/templates/assets/asset_list.html
index 8adc81de9..aa27de7a8 100644
--- a/apps/assets/templates/assets/asset_list.html
+++ b/apps/assets/templates/assets/asset_list.html
@@ -156,6 +156,7 @@ function initTable() {
         ele: $('#asset_list_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 {% url 'assets:asset-detail' pk=DEFAULT_PK as the_url  %}
                 var detail_btn = '<a href="{{ the_url }}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
diff --git a/apps/assets/templates/assets/cmd_filter_list.html b/apps/assets/templates/assets/cmd_filter_list.html
index 3a4feeae0..c7f8e7d3e 100644
--- a/apps/assets/templates/assets/cmd_filter_list.html
+++ b/apps/assets/templates/assets/cmd_filter_list.html
@@ -40,6 +40,7 @@ function initTable() {
         ele: $('#cmd_filter_list_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url 'assets:cmd-filter-detail' pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
             }},
diff --git a/apps/assets/templates/assets/domain_list.html b/apps/assets/templates/assets/domain_list.html
index a0c6e869e..5cd717535 100644
--- a/apps/assets/templates/assets/domain_list.html
+++ b/apps/assets/templates/assets/domain_list.html
@@ -41,6 +41,7 @@ function initTable() {
         ele: $('#domain_list_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url "assets:domain-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
              }},
diff --git a/apps/assets/templates/assets/label_list.html b/apps/assets/templates/assets/label_list.html
index d2fa9958a..3cb90788a 100644
--- a/apps/assets/templates/assets/label_list.html
+++ b/apps/assets/templates/assets/label_list.html
@@ -30,6 +30,7 @@ function initTable() {
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
 {#                var detail_btn = '<a href="{% url "assets:label-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';#}
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a>' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
              }},
diff --git a/apps/assets/templates/assets/system_user_asset.html b/apps/assets/templates/assets/system_user_asset.html
index 4ffdf2a91..082e13fd8 100644
--- a/apps/assets/templates/assets/system_user_asset.html
+++ b/apps/assets/templates/assets/system_user_asset.html
@@ -144,6 +144,7 @@ function initAssetsTable() {
 		order: [],
 		columnDefs: [
 			{targets: 0, createdCell: function (td, cellData, rowData) {
+			    cellData = htmlEscape(cellData);
 				var detail_btn = '<a href="{% url "assets:asset-detail" pk=DEFAULT_PK %}" data-aid="'+rowData.id+'">' + cellData + '</a>';
 				$(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
 			}},
diff --git a/apps/assets/templates/assets/system_user_list.html b/apps/assets/templates/assets/system_user_list.html
index 6ed0d0d26..b31039a46 100644
--- a/apps/assets/templates/assets/system_user_list.html
+++ b/apps/assets/templates/assets/system_user_list.html
@@ -49,6 +49,7 @@ function initTable() {
         ele: $('#system_user_list_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url "assets:system-user-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
             }},
diff --git a/apps/common/const.py b/apps/common/const.py
index 6652593cb..018177d89 100644
--- a/apps/common/const.py
+++ b/apps/common/const.py
@@ -3,7 +3,7 @@
 
 from django.utils.translation import ugettext_lazy as _
 
-create_success_msg = _("<b>%(name)s</b> was created successfully")
-update_success_msg = _("<b>%(name)s</b> was updated successfully")
+create_success_msg = _("%(name)s was created successfully")
+update_success_msg = _("%(name)s was updated successfully")
 FILE_END_GUARD = ">>> Content End <<<"
 celery_task_pre_key = "CELERY_"
diff --git a/apps/ops/templates/ops/command_execution_create.html b/apps/ops/templates/ops/command_execution_create.html
index 8352d1607..4aaee0406 100644
--- a/apps/ops/templates/ops/command_execution_create.html
+++ b/apps/ops/templates/ops/command_execution_create.html
@@ -82,6 +82,7 @@
 <script>
 var zTree, show = 0;
 var systemUserId = null;
+var url = null;
 var treeUrl = "{% url 'api-perms:my-nodes-assets-as-tree' %}?cache_policy=1";
 
 function initTree() {
@@ -114,6 +115,9 @@ function initTree() {
     if (systemUserId) {
         url = treeUrl + '&system_user=' + systemUserId
     }
+    else{
+        url = treeUrl
+    }
 
     $.get(url, function(data, status){
         $.fn.zTree.init($("#assetTree"), setting, data);
diff --git a/apps/perms/templates/perms/asset_permission_list.html b/apps/perms/templates/perms/asset_permission_list.html
index 9af4577f1..b7b6d4d6f 100644
--- a/apps/perms/templates/perms/asset_permission_list.html
+++ b/apps/perms/templates/perms/asset_permission_list.html
@@ -146,6 +146,7 @@ function initTable() {
                 $(td).html("<i class='fa fa-angle-right'></i>");
             }},
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url "perms:asset-permission-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
             }},
diff --git a/apps/templates/_message.html b/apps/templates/_message.html
index 3f13ff87b..bdcbb6d5f 100644
--- a/apps/templates/_message.html
+++ b/apps/templates/_message.html
@@ -47,7 +47,8 @@
 {% if messages %}
     {% for message in messages %}
         <div class="alert alert-{{ message.tags }} help-message" >
-            {{ message|safe }}
+{#            {{ message|safe }}#}
+            {{ message }}
             <button aria-hidden="true" data-dismiss="alert" class="close" type="button" style="outline: none;">×</button>
         </div>
 
diff --git a/apps/terminal/templates/terminal/terminal_list.html b/apps/terminal/templates/terminal/terminal_list.html
index 3039c0425..479944c00 100644
--- a/apps/terminal/templates/terminal/terminal_list.html
+++ b/apps/terminal/templates/terminal/terminal_list.html
@@ -50,6 +50,7 @@ function initTable() {
         buttons: [],
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url "terminal:terminal-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
              }},
diff --git a/apps/users/templates/users/user_granted_asset.html b/apps/users/templates/users/user_granted_asset.html
index 6c0534937..41aea998c 100644
--- a/apps/users/templates/users/user_granted_asset.html
+++ b/apps/users/templates/users/user_granted_asset.html
@@ -77,6 +77,7 @@ function initTable() {
         ele: $('#user_assets_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 {% url 'assets:asset-detail' pk=DEFAULT_PK as the_url  %}
                 var detail_btn = '<a href="{{ the_url }}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
@@ -91,7 +92,8 @@ function initTable() {
             {targets: 4, createdCell: function (td, cellData) {
                 var users = [];
                 $.each(cellData, function (id, data) {
-                    users.push(data.name);
+                    var name = htmlEscape(data.name);
+                    users.push(name);
                 });
                 $(td).html(users.join(', '))
             }}
diff --git a/apps/users/templates/users/user_group_granted_asset.html b/apps/users/templates/users/user_group_granted_asset.html
index 70e2beef6..e4a8d77f0 100644
--- a/apps/users/templates/users/user_group_granted_asset.html
+++ b/apps/users/templates/users/user_group_granted_asset.html
@@ -77,6 +77,7 @@ function initTable() {
         ele: $('#user_assets_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 {% url 'assets:asset-detail' pk=DEFAULT_PK as the_url  %}
                 var detail_btn = '<a href="{{ the_url }}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
@@ -91,7 +92,8 @@ function initTable() {
             {targets: 4, createdCell: function (td, cellData) {
                 var users = [];
                 $.each(cellData, function (id, data) {
-                    users.push(data.name);
+                    var name = htmlEscape(data.name);
+                    users.push(name);
                 });
                 $(td).html(users.join(', '))
             }}
diff --git a/apps/users/templates/users/user_group_list.html b/apps/users/templates/users/user_group_list.html
index b2eecc01f..6f6c6fc72 100644
--- a/apps/users/templates/users/user_group_list.html
+++ b/apps/users/templates/users/user_group_list.html
@@ -28,6 +28,7 @@ $(document).ready(function() {
         buttons: [],
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url "users:user-group-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
              }},
@@ -36,6 +37,7 @@ $(document).ready(function() {
                 $(td).html(html);
              }},
             {targets: 3, createdCell: function (td, cellData) {
+                cellData = htmlEscape(cellData);
                 var innerHtml = cellData.length > 30 ? cellData.substring(0, 30) + '...': cellData;
                 $(td).html('<span href="javascript:void(0);" data-toggle="tooltip" title="' + cellData + '">' + innerHtml + '</span>');
              }},
diff --git a/apps/users/templates/users/user_list.html b/apps/users/templates/users/user_list.html
index f3e2b7894..15b5fb2f9 100644
--- a/apps/users/templates/users/user_list.html
+++ b/apps/users/templates/users/user_list.html
@@ -59,6 +59,7 @@ function initTable() {
         ele: $('#user_list_table'),
         columnDefs: [
             {targets: 1, createdCell: function (td, cellData, rowData) {
+                cellData = htmlEscape(cellData);
                 var detail_btn = '<a href="{% url "users:user-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
                 $(td).html(detail_btn.replace("{{ DEFAULT_PK }}", rowData.id));
              }},

From 3a3da94468f45237ac6d7a4784541b785d5bcfc7 Mon Sep 17 00:00:00 2001
From: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com>
Date: Thu, 25 Apr 2019 18:55:48 +0800
Subject: [PATCH 2/2] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9=E9=A2=84?=
 =?UTF-8?q?=E7=95=99/auth/login/=E9=A1=B5=E9=9D=A2=E6=96=B9=E5=BC=8F(admin?=
 =?UTF-8?q?=3D1)=EF=BC=9B=E8=A7=A3=E5=86=B3luna=E9=A1=B5=E9=9D=A2=E5=88=B7?=
 =?UTF-8?q?=E6=96=B0=E4=B8=8D=E8=B7=B3=E8=BD=ACopenid=E8=AE=A4=E8=AF=81?=
 =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98=20(#2634)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/views/login.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index fc2270eba..53112fcac 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -59,6 +59,11 @@ class UserLoginView(FormView):
             return redirect(redirect_user_first_login_or_index(
                 request, self.redirect_field_name)
             )
+        # show jumpserver login page if request http://{JUMP-SERVER}/?admin=1
+        if settings.AUTH_OPENID and not self.request.GET.get('admin', 0):
+            query_string = request.GET.urlencode()
+            login_url = "{}?{}".format(settings.LOGIN_URL, query_string)
+            return redirect(login_url)
         request.session.set_test_cookie()
         return super().get(request, *args, **kwargs)