From b01f277e4ba6f0c57290619626f0757fedabcd50 Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Fri, 19 Mar 2021 09:10:50 +0100
Subject: [PATCH] fix: cherry pick security issue fixes (#1432)
* fix: potential "Potentially unsafe external link" of TOS and EMail Links
* fix: "Size computation for allocation may overflow" by limiting aes encrypt to 64MB
---
 internal/crypto/aes.go | 4 ++++
 internal/notification/static/templates/template.html | 2 +-
 internal/ui/login/static/templates/footer.html | 2 +-
 internal/ui/login/static/templates/register.html | 2 +-
 internal/ui/login/static/templates/register_org.html | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/internal/crypto/aes.go b/internal/crypto/aes.go
index 41720b04f6..892b098278 100644
--- a/internal/crypto/aes.go
+++ b/internal/crypto/aes.go
@@ -92,6 +92,10 @@ func EncryptAES(plainText []byte, key string) ([]byte, error) {
 return nil, err
 }
+ maxSize := 64 * 1024 * 1024
+ if len(plainText) > maxSize {
+ return nil, errors.ThrowPreconditionFailedf(nil, "CRYPT-AGg4t3", "data too large, max bytes: %v", maxSize)
+ }
 cipherText := make([]byte, aes.BlockSize+len(plainText))
 iv := cipherText[:aes.BlockSize]
 if _, err = io.ReadFull(rand.Reader, iv); err != nil {
diff --git a/internal/notification/static/templates/template.html b/internal/notification/static/templates/template.html
index 3627215a1b..5664f98646 100644
--- a/internal/notification/static/templates/template.html
+++ b/internal/notification/static/templates/template.html
@@ -301,7 +301,7 @@
-
diff --git a/internal/ui/login/static/templates/footer.html b/internal/ui/login/static/templates/footer.html
index 8e3428d0cd..c45b53f07d 100644
--- a/internal/ui/login/static/templates/footer.html
+++ b/internal/ui/login/static/templates/footer.html
@@ -1,7 +1,7 @@
 {{define "footer"}}
 {{end}}
\ No newline at end of file
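Review bot: The new bound in EncryptAES is a bare local, `maxSize := 64 * 1024 * 1024`, with no comment on why 64 MiB was chosen or what it protects; a package-level `const maxPlaintextSize = 64 << 20 // upper bound on EncryptAES input: keeps aes.BlockSize+len(plainText) far from overflow and caps the ciphertext buffer a caller can force` would record the intent the commit message gives and let other code paths reuse the same figure. The error format would also be tighter as `%d` rather than `%v`, since maxSize is an int. The guard covers only EncryptAES; if the decrypt path sizes a buffer from len(cipherText) in the same way (not visible in this diff), it presumably wants a matching check, which is worth verifying. EncryptAES begins before this hunk and continues after it.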
diff --git a/internal/ui/login/static/templates/register.html b/internal/ui/login/static/templates/register.html
index 22b00471a0..42de4c4a16 100644
--- a/internal/ui/login/static/templates/register.html
+++ b/internal/ui/login/static/templates/register.html
@@ -86,7 +86,7 @@
 name="register-term-confirmation" required>
diff --git a/internal/ui/login/static/templates/register_org.html b/internal/ui/login/static/templates/register_org.html
index f68982b1bc..27d34f5945 100644
--- a/internal/ui/login/static/templates/register_org.html
+++ b/internal/ui/login/static/templates/register_org.html
@@ -75,7 +75,7 @@
 name="register-term-confirmation" required>
{{.ButtonText}}