PB 2553: stopping XSS attacks by whitelisting

[ltkum]

• Issue: The api_url, wms_url and wmts_url params can currently receive any url as values, which means a malicious party could use them as an attack vector. This is especially true for api_url, which can send html back and is needed to operate that way.
• Fix: We have made regexes which enfore a whitelist on those parameters As we need external sources html to be rendered (for the feature informations, for example), we sadly can't sanitize the html given to us without breaking a lot of currently working layers. We can only limit the sources and hope they don't provide malicious content.

Test link

[cypress]

web-mapviewer    Run #6529

Run Properties:   Failed #6529  •  4b9e83d343: PB 2553: stopping XSS attacks by whitelisting

Project	web-mapviewer
Branch Review	fix-PB-2253-whitelisting-only-some-urls-for-apis
Run status	Failed #6529
Run duration	08m 31s
Commit	4b9e83d343: PB 2553: stopping XSS attacks by whitelisting
Committer	Martin Künzi
View all properties for this run ↗︎

---

Test results
Failures	34
Flaky	0
Pending	20
Skipped	2
Passing	225
View all changes introduced in this branch ↗︎

---

Tests for review

  3d/layers.cy.js • 10 failed tests • e2e/chrome/mobile

View Output

Test		Artifacts
Test of layer handling in 3D > add layer from search bar		Test Replay Screenshots
Test of layer handling in 3D > sets the opacity to the value defined in the layers URL param or menu UI		Test Replay Screenshots
Test of layer handling in 3D > sets the timestamp of a layer when specified in the layers URL param		Test Replay Screenshots
Test of layer handling in 3D > reorders visible layers when corresponding buttons are pressed		Test Replay Screenshots
Test of layer handling in 3D > add GeoJson layer with opacity from URL param		Test Replay Screenshots
Test of layer handling in 3D > removes a layer from the visible layers when the "remove" button is pressed		Test Replay Screenshots
Test of layer handling in 3D > uses the 3D configuration of a layer if one exists		Test Replay Screenshots
Test of layer handling in 3D > add KML layer from drawing		Test Replay Screenshots
Test of layer handling in 3D > Verify layer features in 2D and 3D		Test Replay Screenshots
Test of layer handling in 3D > Verify a layer with EPSG:4326(WEBMERCATOR) bounding box in 2D and 3D		Test Replay Screenshots

  importToolFile.cy.js • 1 failed test • e2e/chrome/mobile

View Output

Test		Artifacts
The Import File Tool > Import KML file		Test Replay Screenshots

  geolocation.cy.js • 5 failed tests • e2e/chrome/mobile

View Output

Test		Artifacts
Geolocation cypress > Test geolocation when first time activating it > Prompt the user to authorize geolocation when the geolocation button is clicked for the first time on 3D Map		Test Replay Screenshots
Geolocation cypress > Test geolocation when geolocation is authorized > Doesn't prompt the user if geolocation has previously been authorized on 3D Map		Test Replay Screenshots
Geolocation cypress > Test geolocation when geolocation is failed to be retrieved > shows an error telling the user geolocation is denied on 3D Map		Test Replay Screenshots
Geolocation cypress > Test geolocation when geolocation is failed to be retrieved > shows an alert telling the user geolocation is not able to be retrieved due to time out on 3D Map		Test Replay Screenshots
Geolocation cypress > Test geolocation when geolocation is failed to be retrieved > shows an alert telling the user geolocation is not available for other reason on 3D Map		Test Replay Screenshots

  3d/transitionTo3d.cy.js • 6 failed tests • e2e/chrome/mobile

View Output

Test		Artifacts
Testing transitioning between 2D and 3D > 3D toggle button > activates 3D when we click on the 3D toggle button		Test Replay Screenshots
Testing transitioning between 2D and 3D > 3D toggle button > shows the users that 3D is active by changing its color		Test Replay Screenshots
... > adds the 3D URL param to the URL when it is activated		Test Replay Screenshots
... > correctly parses the 3D param at startup if present		Test Replay Screenshots
... > parses the camera URL param correctly at app startup		Test Replay Screenshots
Testing transitioning between 2D and 3D > transition to 3D > translates 2D position correctly		Test Replay Screenshots

  legacyParamImport.cy.js • 3 failed tests • e2e/chrome/mobile

View Output

Test		Artifacts
Test on legacy param import > 3D import > transfers camera parameter from legacy URL to the new URL		Test Replay Screenshots
Test on legacy param import > 3D import > transfers camera parameter from legacy URL to the new URL only heading		Test Replay Screenshots
Test on legacy param import > 3D import > transfers camera parameter from legacy URL to the new URL only elevation		Test Replay Screenshots

The first 5 failed specs are shown, see all 11 specs in Cypress Cloud.