fix: cherry pick security issue fixes (#1432)

* fix: potential "Potentially unsafe external link" of TOS and EMail Links * fix: "Size computation for allocation may overflow" by limiting aes encrypt to 64MB
2024-12-12 02:54:20 +00:00 · 2021-03-19 09:10:50 +01:00 · 2021-03-19 09:10:50 +01:00 · b01f277e4b
commit b01f277e4b
parent bc7e650089
5 changed files with 8 additions and 4 deletions
--- a/internal/crypto/aes.go
+++ b/internal/crypto/aes.go
@ -92,6 +92,10 @@ func EncryptAES(plainText []byte, key string) ([]byte, error) {
 		return nil, err
 	}

+	maxSize := 64 * 1024 * 1024
+	if len(plainText) > maxSize {
+		return nil, errors.ThrowPreconditionFailedf(nil, "CRYPT-AGg4t3", "data too large, max bytes: %v", maxSize)
+	}
 	cipherText := make([]byte, aes.BlockSize+len(plainText))
 	iv := cipherText[:aes.BlockSize]
 	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
--- a/internal/notification/static/templates/template.html
+++ b/internal/notification/static/templates/template.html
@ -301,7 +301,7 @@
                                                                                        <td align="center" vertical-align="middle" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                                                                                            <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:separate;line-height:100%;">
                                                                                                <tr>
-                                                                                                    <td align="center" bgcolor="#5282C1" role="presentation" style="border:none;border-radius:3px;cursor:auto;mso-padding-alt:10px 25px;background:#5282C1;" valign="middle"> <a href="{{.URL}}" style="display:inline-block;background:#5282C1;color:#ffffff;font-family:Ubuntu, Helvetica, Arial, sans-serif;font-size:16px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:3px;"
+                                                                                                    <td align="center" bgcolor="#5282C1" role="presentation" style="border:none;border-radius:3px;cursor:auto;mso-padding-alt:10px 25px;background:#5282C1;" valign="middle"> <a href="{{.URL}}" rel="noopener noreferrer" style="display:inline-block;background:#5282C1;color:#ffffff;font-family:Ubuntu, Helvetica, Arial, sans-serif;font-size:16px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:3px;"
                                                                                                                                                                                                                                                                                 target="_blank">
                                                                                                            {{.ButtonText}}
                                                                                                        </a> </td>
--- a/internal/ui/login/static/templates/footer.html
+++ b/internal/ui/login/static/templates/footer.html
@ -1,7 +1,7 @@
 {{define "footer"}}
 <footer>
    <span class="fill-space"></span>
-    <a href="{{t "Footer.TosLink"}}" target="_blank" alt="Privacy Policy">{{t "Footer.TosPrivacyPolicy"}}</a>
+    <a href="{{t "Footer.TosLink"}}" rel="noopener noreferrer" target="_blank" alt="Privacy Policy">{{t "Footer.TosPrivacyPolicy"}}</a>
    <a href="https://docs.zitadel.ch/use" target="_black" alt="Help">{{t "Footer.Help"}}</a>
 </footer>
 {{end}}
--- a/internal/ui/login/static/templates/register.html
+++ b/internal/ui/login/static/templates/register.html
@ -86,7 +86,7 @@
                    name="register-term-confirmation" required>
                <label for="register-term-confirmation">
                    {{t "Registration.TosConfirm"}}
-                    <a class="tos-link" target="_blank" href="{{t "Registration.TosLink"}}">
+                    <a class="tos-link" target="_blank" href="{{t "Registration.TosLink"}}" rel="noopener noreferrer">
                        {{t "Registration.TosLinkText"}}
                    </a>
                </label>
--- a/internal/ui/login/static/templates/register_org.html
+++ b/internal/ui/login/static/templates/register_org.html
@ -75,7 +75,7 @@
                    name="register-term-confirmation" required>
                <label class="lgn-label" for="register-term-confirmation">
                    {{t "RegistrationOrg.TosConfirm"}}
-                    <a class="tos-link" target="_blank" href="{{t "RegistrationOrg.TosLink"}}">{{t "RegistrationOrg.TosLinkText"}}</a>
+                    <a class="tos-link" target="_blank" href="{{t "RegistrationOrg.TosLink"}}" rel="noopener noreferrer">{{t "RegistrationOrg.TosLinkText"}}</a>
                </label>
            </div>
        </div>