XSS Attack Prevention

Hi,

We’ve detected a possible security issue in SonarQube.

Repro steps:

  1. Go to Administration > Configuration > General Settings.

  2. Enter in the “About page text” field: aaabbb

  3. Go to the About page. A JavaScript message is shown.

  • Which versions are you using: SonarQube 7.3.0.15553
  • What are you trying to achieve: Deploy a SonarQube PoC environment to evaluate SonarQube services

Does SonarQube implement XSS Attack Prevention at code level?
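As an added illustration of the issue described above (example code, not SonarQube's own rendering code and not part of this thread): an admin-controlled setting such as "About page text" that is concatenated into page markup unescaped is executed by the browser, whereas the same value passed through an HTML escaper is merely displayed. The function names, the wrapper markup and the sample setting value are all constructed here for the example.

```javascript
// Added example, not SonarQube code: rendering an admin-supplied setting
// into an HTML text context with and without output encoding.

// Escape the characters that can terminate a text node or an attribute value.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: the stored setting becomes markup verbatim, which is
// the behaviour the report describes (a script tag in the setting runs).
function renderAboutUnsafe(aboutText) {
  return `<div class="about">${aboutText}</div>`;
}

// Safe rendering: the same setting is encoded, so tags show up as text.
function renderAboutSafe(aboutText) {
  return `<div class="about">${escapeHtml(aboutText)}</div>`;
}

// Constructed sample value standing in for whatever an administrator typed
// into the "About page text" field; the exact payload is not relevant.
const SAMPLE_SETTING = 'Welcome to the PoC <script>alert(1)</script>';

// Quick self-check a reviewer can run: the escaped output must contain no
// raw '<' or '>' originating from the untrusted value.
function rendersWithoutRawTags(aboutText) {
  const rendered = renderAboutSafe(aboutText);
  const inner = rendered.slice('<div class="about">'.length, -'</div>'.length);
  return !/[<>]/.test(inner);
}
```

The check above is deliberately narrow: it covers an HTML text context only. A value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context, and a restrictive Content-Security-Policy is a useful second layer regardless of who is allowed to edit the setting.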

Hi,

Thanks for taking the time to report this. In fact, it was identified previously through our own testing procedures, but since only SonarQube administrators can set this property we’ve determined that as a practical matter it’s not a risk. Does this make sense?

 
Ann

Hi Ann,

Thanks so much for replying. Yeah, it makes sense to me.

Regards,

Hi, I fail to see how this is practical, as this can be abused by attackers.

Also, I wonder if there is a (responsible) disclosure workflow, as vulnerabilities should normally not be discussed in public.

Hello,

That’s a valid point. We have a responsible disclosure workflow for SonarSource’s customers and we will adapt it to make it available for community users.
I will come back to this thread once it is published.

Regards

Hello @DanielRuf,

Our Responsible Vulnerability Disclosure policy has been published.

Thanks