XSS Attack Prevention

(Jorge Caballero) #1

Hi,

We’ve detected a possible security issue in SonarQube.

Repro steps:

  1. Go to Administration > Configuration > General Settings.

  2. Enter in “About page text” field: aaabbb

  3. Go to about page. JavaScript message is shown.

  • which versions are you using (SonarQube 7.3.0.15553)
  • what are you trying to achieve (Deploy a SonarQube PoC environment to evaluate SonarQube services)

Does SonarQube implement XSS Attack Prevention at code level?
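To show the kind of code-level prevention the question above asks about, here is an added example (not SonarQube's code and not from the post): the stored "About page text" value is treated as data and HTML-encoded on output, so a setting that contains markup is displayed literally instead of being executed. The function names and the sample value are constructed for this illustration.

```javascript
// Added example: output-encode an admin-supplied setting before rendering it.
// Function names and the sample value are constructed; this is not SonarQube's code.

// Every character that carries meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a string so the browser treats it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the stored setting is concatenated straight into the page,
// so any markup an administrator typed becomes part of the DOM.
function renderAboutTextUnsafe(aboutText) {
  return `<div class="about-text">${aboutText}</div>`;
}

// Hardened shape: same template, but the value is encoded on the way out.
function renderAboutTextSafe(aboutText) {
  return `<div class="about-text">${escapeHtml(aboutText)}</div>`;
}

// Constructed sample: a setting value that carries a script element.
const SAMPLE_ABOUT_TEXT = 'Welcome <script>notify()</script>';

// Self-check used by a unit test: strip the one wrapper element we emitted,
// then report whether any tag survived inside the rendered value.
function containsRawTag(html) {
  const inner = html
    .replace(/^<div class="about-text">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z\/]/.test(inner);
}

console.log(renderAboutTextUnsafe(SAMPLE_ABOUT_TEXT)); // markup reaches the DOM
console.log(renderAboutTextSafe(SAMPLE_ABOUT_TEXT));   // markup shown as text
```

Encoding is the right fix when the field is meant to hold plain text; if a field is intended to accept HTML, an allow-list sanitizer is needed instead of escaping.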

(G Ann Campbell) #5

Hi,

Thanks for taking the time to report this. In fact, it was identified previously through our own testing procedures, but since only SonarQube administrators can set this property we’ve determined that as a practical matter it’s not a risk. Does this make sense?

 
Ann

(Jorge Caballero) #6

Hi Ann,

Thanks so much for replying. Yeah, it makes sense to me.

Regards,

(Daniel Ruf) #7

Hi, I fail to see how this is practical as this can be abused by attackers.

Also I wonder if there is a (responsible) disclosure workflow as vulnerabilities should not be discussed in the public normally.

(Alexandre Gigleux) #9

Hello,

That’s a valid point. We have a responsible disclosure workflow for SonarSource’s customers and we will adapt it to make it available for community users.
I will come back to this thread once it is published.

Regards

(Alexandre Gigleux) #10

Hello @DanielRuf,

Our Responsible Vulnerability Disclosure policy has been published.

Thanks

(G Ann Campbell) #11

Hi again,

I just noticed that Fabrice updated the hall of fame with a new name :tada:.

Which makes me wonder if we don’t want to add dates, so folks can meaningfully show up more than once…? (Yes, we shouldn’t have that many vulnerabilities, but…)