Remind.com account takeover via the app client's request interceptor (auth headers attached to requests for any host):
Before:
// VULNERABLE (pre-fix) version, kept for reference.
// This interceptor (presumably an OkHttp Interceptor, given Interceptor.Chain / chain.proceed)
// attaches the Remind auth header and the Remind header to *every* request that passes
// through the client, with no check on the destination host. Any request routed through
// this client, whatever its host, therefore carries the user's credentials — the
// account-takeover vector named in the heading above.
override fun intercept(chain: Interceptor.Chain): Response {
var request = chain.request()
// No host check before credentials are injected.
request = authRemindRequestHelper.injectAuthHeader(request)
request = remindRequestHelper.injectRemindHeader(request)
return chain.proceed(request)
}
After:
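override fun intercept(chain: Interceptor.Chain): Response {
    var request = chain.request()
    // Read the nullable property once so the null check below applies to a stable value.
    val endpoint = defaultEndpoint
    // Credentials are attached only when the request is bound for our own API host.
    // The patched `host.contains(endpoint)` test was a substring match: a host such as
    // "<endpoint>.attacker.example" or "evil<endpoint>" would still have received the
    // auth header. Require an exact host match, or a subdomain of it, instead.
    if (endpoint != null && isRemindHost(request.url.host, endpoint)) {
        request = authRemindRequestHelper.injectAuthHeader(request)
        request = remindRequestHelper.injectRemindHeader(request)
    }
    return chain.proceed(request)
}

/**
 * True when [host] is exactly [endpoint] or a subdomain of it. The leading dot in the
 * suffix check enforces a label boundary, so "evilexample.com" does not match "example.com".
 * Comparison is case-insensitive because DNS names are.
 *
 * NOTE(review): assumes `defaultEndpoint` holds a bare host name (e.g. "api.example.com"),
 * not a URL with scheme or path — confirm against where it is configured.
 */
private fun isRemindHost(host: String, endpoint: String): Boolean =
    host.equals(endpoint, ignoreCase = true) ||
        host.endsWith(".$endpoint", ignoreCase = true)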
Stored XSS vulnerability in the "group conversation renamed" system message:
Before:
# VULNERABLE (pre-fix) version, kept for reference.
# Renders the "conversation title edited" system message for +viewer+.
# Both +editor_name+ and +title+ are read straight out of the stored message body and
# interpolated into the I18n string with no escaping. A stored title containing HTML
# therefore reaches the rendering sink verbatim — the stored XSS named in the heading.
def self.render(chat_message, viewer)
editor_name = chat_message.body_values[:editor_name]
title = chat_message.body_values[:title]
if viewer_is_affected?(chat_message, viewer)
# Raw, unescaped title interpolated.
I18n.t("models.chat_message.system_message.you_edited_title",
title: title
)
else
# Raw, unescaped name and title interpolated.
I18n.t("models.chat_message.system_message.edited_title",
name: editor_name,
title: title
)
end
end
After:
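# Renders the "conversation title edited" system message for +viewer+.
#
# chat_message.body_values[:title] (and [:editor_name]) originate from user input.
# New titles are escaped when written, but older records may still hold raw,
# unescaped titles, so the values are normalised here before they reach the sink.
#
# Bug fixed relative to the original patch: the escaped +title+ local was computed
# but both I18n calls still interpolated the raw chat_message.body_values[:title],
# so the escaping was dead code and the stored XSS remained reachable. The escaped
# values are now the ones that are rendered.
#
# NOTE(review): editor_name is passed to the same sink, so it receives the same
# treatment; this assumes names can carry user-supplied characters — confirm.
def self.render(chat_message, viewer)
  editor_name = escape_once(chat_message.body_values[:editor_name])
  title = escape_once(chat_message.body_values[:title])

  if viewer_is_affected?(chat_message, viewer)
    I18n.t("models.chat_message.system_message.you_edited_title", title: title)
  else
    I18n.t("models.chat_message.system_message.edited_title", name: editor_name, title: title)
  end
end

# Unescape, then escape, so already-escaped (new) and raw (legacy) values both end up
# HTML-escaped exactly once. nil passes through unchanged so I18n sees the same absent value.
def self.escape_once(value)
  return value if value.nil?

  CGI.escapeHTML(CGI.unescapeHTML(value))
end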
Access to an organization's SFTP credentials without an authorization check:
Before:
// VULNERABLE (pre-fix) resolver, kept for reference.
// args.orgUuid comes straight from the client and is handed to the loader with no
// check that the caller is authenticated, let alone an admin of that org, so anyone
// who can obtain or guess an org UUID can read that organization's SFTP credentials.
async sftpCredentials(args: any, ctx: Context) {
return ctx.loaders.FeatureCredentials.getSftpCredentials(args.orgUuid, 'auto-messaging');
},
After:
/**
 * Resolves the organization's SFTP credentials for the 'auto-messaging' feature.
 *
 * Authorization: the caller must be an authenticated admin of `args.orgUuid`
 * (see https://app.asana.com/0/1142193044639890/1201986092349803/f). Because the
 * schema declares this field as a list, a denied request yields an empty list rather
 * than an error.
 *
 * NOTE(review): returning [] makes an authorization failure indistinguishable from
 * "this org has no credentials" for both clients and monitoring; if the schema allows
 * it, surfacing an auth error would be the clearer signal. Behaviour kept as-is here.
 */
async sftpCredentials(args: any, ctx: Context) {
  const orgUuid = args.orgUuid;
  const isOrgAdmin = await isCurrentUserAnAdminForOrg(ctx, orgUuid);
  if (!isOrgAdmin) {
    return [];
  }
  return ctx.loaders.FeatureCredentials.getSftpCredentials(orgUuid, 'auto-messaging');
},