OPENIDM-8045 (project: OpenIDM)

Creating a new managed object with unsupported characters causes an exception

    Details

      Description

      When I worked on OPENIDM-7451, I found a bug. I disabled the JS validation for the object name while creating a new object and set it to XSS input. (With the developer console I edited the HTML of this form input and removed all JS validators.) Then I created the new object and IDM accepted it. Then in the IDM console there were some errors about the bad object name.

      Name for new object

      <script>alert("XSS");</script>
      

      Exception in idm console

      Bundle: org.forgerock.openidm.repo-orientdb [10] [org.forgerock.openidm.repo.orientdb(60)] The modified method has thrown an exception
      org.apache.felix.log.LogException: com.orientechnologies.orient.core.exception.OStorageException: Error in creation of new cluster 'managed_<script>alert("XSS");</script>' of type: PHYSICAL
      	at com.orientechnologies.orient.core.storage.impl.local.paginated.OLocalPaginatedStorage.addCluster(OLocalPaginatedStorage.java:517)
      	at com.orientechnologies.orient.core.db.raw.ODatabaseRaw.addCluster(ODatabaseRaw.java:421)
      	at com.orientechnologies.orient.core.db.ODatabaseWrapperAbstract.addCluster(ODatabaseWrapperAbstract.java:205)
      ...
      
      Caused by: java.io.IOException: Invalid file name 'managed_<script>alert("xss");</script>'
      

      Then it is not possible to access the objects list: internal error.

      Expected result:
      IDM shouldn't accept this input.

      I tried it with IDM 4.5.1 RC3 and IDM 5.0.0 RC9, where the same error occurs.
      I use OrientDB as the repo.

      I also tried master 5.5.0 (revision: bdd514a, postcommit-2544), where IDM does not create the new object, shows "internal error" to the user and throws a new exception to the IDM console.

      Failure to update configuration for managed
      java.io.IOException: Failed to store configuration in repository: An error occurred processing the query request.
      ...
      
      Caused by: org.forgerock.json.resource.InternalServerErrorException: An error occurred processing the query request.
      ...
      
      Caused by: com.orientechnologies.orient.core.exception.OSerializationException: Found invalid % character. Ensure it is opened and closed correctly.
      ...
      

      It should be the same for IDM 4.5.0 and 5.0.0 as well.
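      The expected result above is that the name is rejected before it reaches the repository, since the client-side JS validation is exactly what the reporter removed with the developer console. As an added example (not OpenIDM's own code; the identifier allowlist and the 64-character limit are assumptions chosen for illustration), a server-side check in JavaScript that applies an allowlist to the managed object name and refuses to derive the `managed_<name>` cluster name from anything that fails it:

```javascript
// Added example, not OpenIDM code. Server-side allowlist check for a managed
// object type name, applied before the name is used to derive repository
// artefacts such as the OrientDB cluster 'managed_<name>' seen in the report.
// The allowlist (identifier-style names) and the 64-character limit are
// assumptions for this example, not OpenIDM's actual rule.

const MAX_NAME_LENGTH = 64;                       // assumed limit
const NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;  // assumed allowlist

// Returns { valid: true } or { valid: false, reason: '...' }.
// The reason never echoes the rejected value back, so an error message
// cannot become a second injection point in a UI or log viewer.
function validateManagedObjectName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return { valid: false, reason: 'name must be a non-empty string' };
  }
  if (name.length > MAX_NAME_LENGTH) {
    return { valid: false, reason: `name longer than ${MAX_NAME_LENGTH} characters` };
  }
  if (!NAME_PATTERN.test(name)) {
    return { valid: false, reason: 'name contains characters outside [A-Za-z0-9_] or starts with a digit' };
  }
  return { valid: true };
}

// Stands in for the repository step that failed in the report: only a
// validated name may be turned into a cluster name. Throws on invalid input
// instead of letting the storage layer discover the problem in a file name.
function clusterNameFor(managedObjectName) {
  const result = validateManagedObjectName(managedObjectName);
  if (!result.valid) {
    throw new Error(`rejected managed object name: ${result.reason}`);
  }
  return `managed_${managedObjectName}`;
}

// Constructed sample inputs: the payload from the report plus a few edge cases.
const samples = [
  'user',
  'role_v2',
  '<script>alert("XSS");</script>',  // the value from the report
  'foo%bar',                         // '%' is what OSerializationException complained about on master
  '9lives',                          // leading digit
  '',
];

for (const s of samples) {
  const r = validateManagedObjectName(s);
  console.log(JSON.stringify(s), '->', r.valid ? 'accepted' : `rejected (${r.reason})`);
}
```

      The check belongs wherever the name first enters the server (the managed object configuration handler), not only in the browser form; the same validator can be reused when the name is read back from configuration so a hand-edited file cannot bypass it either.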


            People

            • Assignee:
              brmiller Brendan Miller
              Reporter:
              vojtech.oczka Vojtěch Oczka
              QA Assignee:
              Vojtěch Oczka
            • Votes: 0
              Watchers: 4
