From cbf03e47b8b0350a356ca4cebb558af0b8056d56 Mon Sep 17 00:00:00 2001
From: Dustin Frisch <dustin@opennms.com>
Date: Thu, 13 Jul 2023 17:31:21 +0200
Subject: [PATCH] NMS-15782: prevent multiple XSS mishaps

---
 .../src/main/webapp/WEB-INF/jsp/element/nodeList.jsp         | 5 +++--
 opennms-webapp/src/main/webapp/admin/discovery/add-er.jsp    | 3 ++-
 opennms-webapp/src/main/webapp/admin/discovery/add-ir.jsp    | 5 +++--
 .../src/main/webapp/admin/discovery/add-specific.jsp         | 3 ++-
 opennms-webapp/src/main/webapp/admin/discovery/add-url.jsp   | 5 +++--
 .../src/main/webapp/admin/discovery/edit-config.jsp          | 2 +-
 opennms-webapp/src/main/webapp/admin/discovery/edit-scan.jsp | 5 +++--
 opennms-webapp/src/main/webapp/asset/index.jsp               | 5 +++--
 opennms-webapp/src/main/webapp/asset/modify.jsp              | 2 +-
 opennms-webapp/src/main/webapp/element/index.jsp             | 3 ++-
 10 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/opennms-webapp/src/main/webapp/WEB-INF/jsp/element/nodeList.jsp b/opennms-webapp/src/main/webapp/WEB-INF/jsp/element/nodeList.jsp
index b118579c98c8..698432283991 100644
--- a/opennms-webapp/src/main/webapp/WEB-INF/jsp/element/nodeList.jsp
+++ b/opennms-webapp/src/main/webapp/WEB-INF/jsp/element/nodeList.jsp
@@ -35,6 +35,7 @@
 		org.opennms.netmgt.model.monitoringLocations.OnmsMonitoringLocation"%>
 
 <%@ page import="com.google.common.base.Strings" %>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ taglib prefix="element" tagdir="/WEB-INF/tags/element" %>
@@ -106,11 +107,11 @@
         for (OnmsMonitoringLocation monitoringLocation : monitoringLocations) {
           if (selectedMonitoringLocation.equals(monitoringLocation.getLocationName())) {
       %>
-      <option value="<%=monitoringLocation.getLocationName()%>" selected><%=monitoringLocation.getLocationName()%></option>
+      <option value="<%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>" selected><%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%></option>
       <%
       } else {
       %>
-      <option value="<%=monitoringLocation.getLocationName()%>"><%=monitoringLocation.getLocationName()%></option>
+      <option value="<%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>"><%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%></option>
       <%
           }
         }
diff --git a/opennms-webapp/src/main/webapp/admin/discovery/add-er.jsp b/opennms-webapp/src/main/webapp/admin/discovery/add-er.jsp
index c7c1fc75d047..00401c9eddc8 100644
--- a/opennms-webapp/src/main/webapp/admin/discovery/add-er.jsp
+++ b/opennms-webapp/src/main/webapp/admin/discovery/add-er.jsp
@@ -41,6 +41,7 @@
   org.opennms.web.admin.discovery.ActionDiscoveryServlet,
   org.opennms.web.admin.discovery.DiscoveryScanServlet
 "%>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 <% 
 	response.setDateHeader("Expires", 0);
 	response.setHeader("Pragma", "no-cache");
@@ -134,7 +135,7 @@ function doAddExcludeRange(){
             <div class="col-sm-10">
                 <select id="location" class="form-control custom-select" name="location">
                     <% for (String key : locations.keySet()) { %>
-                    <option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
+                    <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
                         <% } %>
                 </select>
             </div>
diff --git a/opennms-webapp/src/main/webapp/admin/discovery/add-ir.jsp b/opennms-webapp/src/main/webapp/admin/discovery/add-ir.jsp
index 5ca2308bb127..1b3661467537 100644
--- a/opennms-webapp/src/main/webapp/admin/discovery/add-ir.jsp
+++ b/opennms-webapp/src/main/webapp/admin/discovery/add-ir.jsp
@@ -43,6 +43,7 @@
   org.opennms.web.admin.discovery.ActionDiscoveryServlet,
   org.opennms.web.admin.discovery.DiscoveryScanServlet
 "%>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 <% 
 	response.setDateHeader("Expires", 0);
 	response.setHeader("Pragma", "no-cache");
@@ -180,7 +181,7 @@ function doAddIncludeRange(){
             <select id="foreignsource" class="form-control custom-select" name="foreignsource">
               <option value="" <%if (!currConfig.getForeignSource().isPresent()) out.print("selected");%>>None selected</option>
               <% for (String key : foreignsources.keySet()) { %>
-                <option value="<%=key%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=foreignsources.get(key)%></option>
+                <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(foreignsources.get(key))%></option>
               <% } %>
             </select>
           </div>
@@ -190,7 +191,7 @@ function doAddIncludeRange(){
           <div class="col-sm-10">
             <select id="location" class="form-control custom-select" name="location">
               <% for (String key : locations.keySet()) { %>
-                <option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
+                <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
               <% } %>
             </select>
           </div>
diff --git a/opennms-webapp/src/main/webapp/admin/discovery/add-specific.jsp b/opennms-webapp/src/main/webapp/admin/discovery/add-specific.jsp
index 395bacf577cc..ff1b0f268bf0 100644
--- a/opennms-webapp/src/main/webapp/admin/discovery/add-specific.jsp
+++ b/opennms-webapp/src/main/webapp/admin/discovery/add-specific.jsp
@@ -44,6 +44,7 @@
   org.opennms.web.admin.discovery.DiscoveryServletConstants,
   org.opennms.web.admin.discovery.ActionDiscoveryServlet
 "%>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 <%
 	response.setDateHeader("Expires", 0);
 	response.setHeader("Pragma", "no-cache");
@@ -162,7 +163,7 @@ function doAddSpecific(){
           <div class="col-sm-10">
             <select id="location" class="form-control custom-select" name="location">
               <% for (String key : locations.keySet()) { %>
-                <option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
+                <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
               <% } %>
             </select>
           </div>
diff --git a/opennms-webapp/src/main/webapp/admin/discovery/add-url.jsp b/opennms-webapp/src/main/webapp/admin/discovery/add-url.jsp
index 4b536f04ca55..8e804f5c2861 100644
--- a/opennms-webapp/src/main/webapp/admin/discovery/add-url.jsp
+++ b/opennms-webapp/src/main/webapp/admin/discovery/add-url.jsp
@@ -44,6 +44,7 @@
   org.opennms.web.admin.discovery.ActionDiscoveryServlet,
   org.opennms.web.admin.discovery.DiscoveryScanServlet
 "%>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 <% 
 	response.setDateHeader("Expires", 0);
 	response.setHeader("Pragma", "no-cache");
@@ -146,7 +147,7 @@ function doAddIncludeUrl() {
             <select id="foreignsource" class="form-control custom-select" name="foreignsource">
               <option value="" <%if (!currConfig.getForeignSource().isPresent()) out.print("selected");%>>None selected</option>
               <% for (String key : foreignsources.keySet()) { %>
-                <option value="<%=key%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=foreignsources.get(key)%></option>
+                <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(foreignsources.get(key))%></option>
               <% } %>
             </select>
           </div>
@@ -156,7 +157,7 @@ function doAddIncludeUrl() {
           <div class="col-sm-10">
             <select id="location" class="form-control custom-select" name="location">
               <% for (String key : locations.keySet()) { %>
-                <option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
+                <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
               <% } %>
             </select>
           </div>
diff --git a/opennms-webapp/src/main/webapp/admin/discovery/edit-config.jsp b/opennms-webapp/src/main/webapp/admin/discovery/edit-config.jsp
index c9ee2a1f122e..02169560296c 100644
--- a/opennms-webapp/src/main/webapp/admin/discovery/edit-config.jsp
+++ b/opennms-webapp/src/main/webapp/admin/discovery/edit-config.jsp
@@ -240,7 +240,7 @@ for (Requisition requisition : reqAccessService.getRequisitions()) {
           <label for="location" class="col-form-label col-md-4">Location</label>
           <select id="location" class="form-control custom-select col-md-8" name="location">
             <% for (String key : locations.keySet()) { %>
-              <option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
+              <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
             <% } %>
           </select>
         </div> <!-- form-group -->
diff --git a/opennms-webapp/src/main/webapp/admin/discovery/edit-scan.jsp b/opennms-webapp/src/main/webapp/admin/discovery/edit-scan.jsp
index 137c5669d0a2..3b3db161ed0d 100644
--- a/opennms-webapp/src/main/webapp/admin/discovery/edit-scan.jsp
+++ b/opennms-webapp/src/main/webapp/admin/discovery/edit-scan.jsp
@@ -44,6 +44,7 @@
   org.opennms.web.admin.discovery.DiscoveryServletConstants,
   org.opennms.web.admin.discovery.DiscoveryScanServlet"
 %>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 <%
 	response.setDateHeader("Expires", 0);
 	response.setHeader("Pragma", "no-cache");
@@ -207,7 +208,7 @@ for (Requisition requisition : reqAccessService.getRequisitions()) {
                 <select id="foreignsource" class="form-control custom-select col-md-8" name="foreignsource">
                     <option value="" <%if (!currConfig.getForeignSource().isPresent()) out.print("selected");%>>None selected</option>
                     <% for (String key : foreignsources.keySet()) { %>
-                    <option value="<%=key%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=foreignsources.get(key)%></option>
+                    <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getForeignSource().orElse(null))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(foreignsources.get(key))%></option>
                     <% } %>
                 </select>
             </div> <!-- form-group -->
@@ -215,7 +216,7 @@ for (Requisition requisition : reqAccessService.getRequisitions()) {
                 <label for="location" class="col-form-label col-md-4">Location</label>
                 <select id="location" class="form-control custom-select col-md-8" name="location">
                     <% for (String key : locations.keySet()) { %>
-                    <option value="<%=key%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=locations.get(key)%></option>
+                    <option value="<%=WebSecurityUtils.sanitizeString(key)%>" <%if(key.equals(currConfig.getLocation().orElse(MonitoringLocationDao.DEFAULT_MONITORING_LOCATION_ID))) out.print("selected");%>><%=WebSecurityUtils.sanitizeString(locations.get(key))%></option>
                     <% } %>
                 </select>
             </div> <!-- form-group -->
diff --git a/opennms-webapp/src/main/webapp/asset/index.jsp b/opennms-webapp/src/main/webapp/asset/index.jsp
index 641c75c0545c..2b6c8dbf5377 100644
--- a/opennms-webapp/src/main/webapp/asset/index.jsp
+++ b/opennms-webapp/src/main/webapp/asset/index.jsp
@@ -37,6 +37,7 @@
 		org.opennms.web.element.NetworkElementFactory
 	"
 %>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 
 <%!
     protected AssetModel model;
@@ -114,13 +115,13 @@
             <ul class="list-unstyled mb-0" style="width:48%; margin-right:2%; float:left;">
             <% for( int i=0; i < middle; i++ ) {%>
               <%  Asset asset = (Asset)assetsList.get(i); %>
-              <li> <%=asset.getAssetNumber()%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId())%></a></li>
+              <li> <%=WebSecurityUtils.sanitizeString(asset.getAssetNumber())%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=WebSecurityUtils.sanitizeString(NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId()))%></a></li>
             <% } %>
             </ul>
             <ul class="list-unstyled mb-0" style="width:50%; float:left;">
             <% for( int i=middle; i < assetCount; i++ ) {%>
               <%  Asset asset = (Asset)assetsList.get(i); %>
-              <li><%=asset.getAssetNumber()%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId())%></a></li>
+              <li><%=WebSecurityUtils.sanitizeString(asset.getAssetNumber())%>: <a href="asset/modify.jsp?node=<%=asset.getNodeId()%>"><%=WebSecurityUtils.sanitizeString(NetworkElementFactory.getInstance(getServletContext()).getNodeLabel(asset.getNodeId()))%></a></li>
             <% } %>
             </ul>
           </div> <!-- card-body -->
diff --git a/opennms-webapp/src/main/webapp/asset/modify.jsp b/opennms-webapp/src/main/webapp/asset/modify.jsp
index 58ebca035ee0..52e4a0f9e056 100644
--- a/opennms-webapp/src/main/webapp/asset/modify.jsp
+++ b/opennms-webapp/src/main/webapp/asset/modify.jsp
@@ -109,7 +109,7 @@
                         <%-- Standard fields with typeahead suggestions --%>
                         <input type="text" class="form-control" id="{{ field.model }}" name="{{ field.model }}" ng-model="asset[field.model]" ng-if="field.type=='text'"
                           typeahead-editable="true" typeahead-min-length="0" ng-pattern="field.pattern"
-                          uib-typeahead="suggestion for suggestion in getSuggestions(field.model) | filter:$viewValue"
+                          uib-typeahead="_.escape(suggestion) for suggestion in getSuggestions(field.model) | filter:$viewValue"
                           ng-class="{ 'is-invalid': assetForm[field.model].$invalid && !assetForm[field.model].$pristine }">
                         <%-- Password fields --%>
                         <%-- Set `autocomplete="new-password"` to prevent autocomplete.
diff --git a/opennms-webapp/src/main/webapp/element/index.jsp b/opennms-webapp/src/main/webapp/element/index.jsp
index 9d2b602827c2..79fd060ec3ae 100644
--- a/opennms-webapp/src/main/webapp/element/index.jsp
+++ b/opennms-webapp/src/main/webapp/element/index.jsp
@@ -36,6 +36,7 @@
 		org.opennms.web.element.*,
 		org.opennms.web.asset.*,
 		org.opennms.netmgt.model.monitoringLocations.OnmsMonitoringLocation"%>
+<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>
 
 <%!
     protected AssetModel model;
@@ -150,7 +151,7 @@
               <div class="input-group">
                   <select class="custom-select" id="bymonitoringLocation_monitoringLocation" name="monitoringLocation">
                       <% for (OnmsMonitoringLocation monitoringLocation : monitoringLocations) { %>
-                      <option value="<%=monitoringLocation.getLocationName()%>"><%=monitoringLocation.getLocationName()%>
+                      <option value="<%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>"><%=WebSecurityUtils.sanitizeString(monitoringLocation.getLocationName())%>
                       </option>
                       <% } %>
                   </select>