Jeremy Choi of Red Hat reports:

Description of problem:
Since a team's name is not properly validated, stored XSS attacks are possible. Once scripts are injected when a team is created, the scripts will be run when the team name is shown later. Currently, only length is checked for the team name (in controller/app/models/team.rb):

    validates :name,
      presence: {message: "Name is required and cannot be blank"},
      length: {maximum: 250, minimum: 2, message: "Team name must be a minimum of 2 and maximum of 250 characters."}

For the PoC of XSS steps in online devenv_5060, see below.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Create a global team with XSS payload

    oo-broker
    cd /var/www/openshift/broker
    script/rails c
    Team.create :name => "Global team 1 - <script>alert('xss')</script>"

2. Go to the domain page (/app/console/domain/$domain_name) and follow the menus, 'Edit members...' -> 'Add a team...'
3. Try to make the team name show up by searching with e.g. 'Global'

Actual results:
See the attached

Expected results:
Stricter input validation/output sanitization is required for team name.

Additional info:
Global teams can only be created by administrators, whom we generally trust not to XSS their users. The console ought to ensure the team name is properly escaped though. That does seem like a bug, if not much of a security one. If user-owned teams can be created and displayed this way, then it's surely an XSS bug. Can't see the blocking bug to see if that's what it's about.
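The two fixes the thread discusses, a stricter name validation on the model and escaping at output in the console, can be shown side by side. The block below is an added illustration written for this page, not OpenShift's model or console code: the allow-list regex TEAM_NAME_RE, the render_* helpers and the sample names are all assumptions made up here. It mimics the repro (create names, search for 'Global', render the matches) and contrasts raw interpolation, which reproduces the bug, with ERB::Util.html_escape from the Ruby standard library, which neutralises the payload even for a name that slipped past validation (for example one created before the validation existed, or by an administrator on the console as in the report).

```ruby
require "erb"

# Constructed sample team names (not taken from the original bug report).
# The second one is the PoC payload shape; the third is a benign name that a
# naive "no angle brackets" filter would wrongly reject or mangle.
SAMPLE_TEAMS = [
  "Global team 1",
  "Global team 1 - <script>alert('xss')</script>",
  "R&D team (core)",
].freeze

# Hypothetical allow-list for team names; this is NOT OpenShift's rule.
# Letters, digits, spaces and a few punctuation characters, 2..250 chars,
# mirroring the existing length limits from team.rb.
TEAM_NAME_RE = /\A[\p{Alnum} ._()&\-]{2,250}\z/

# Input-side check: reject names containing markup characters outright.
def valid_team_name?(name)
  name.is_a?(String) && !!(name =~ TEAM_NAME_RE)
end

# Vulnerable rendering: the name is interpolated into HTML unescaped, which is
# what a view must be doing for the stored payload to execute in the browser.
def render_team_row_unsafe(name)
  "<li class=\"team\">#{name}</li>"
end

# Hardened rendering: escape at output time. html_escape turns & < > " ' into
# entities, so the stored <script> tag is displayed as text, not executed.
def render_team_row(name)
  "<li class=\"team\">#{ERB::Util.html_escape(name)}</li>"
end

# Models step 3 of the repro: filter teams by a search string (case-insensitive
# substring match) and render the matches as an HTML list with escaping.
def render_team_search(teams, query)
  matches = teams.select { |t| t.downcase.include?(query.downcase) }
  "<ul>" + matches.map { |t| render_team_row(t) }.join + "</ul>"
end

# Does a rendered fragment still contain a raw tag? Used to confirm the
# vulnerable and hardened renderers behave differently on the same input.
def contains_raw_tag?(html)
  html.match?(/<\s*script/i)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TEAMS.each do |name|
    puts "#{valid_team_name?(name) ? 'accept' : 'reject'}: #{name.inspect}"
  end
  puts render_team_search(SAMPLE_TEAMS, "Global")
end
```

Validation and escaping address different failure modes: the regex stops new payloads from being stored, while the escaped renderer is what actually prevents execution, and it is the only one of the two that protects names already in the database. Note that the allow-list above deliberately admits '&' so that "R&D team (core)" is accepted; html_escape still encodes it as &amp; on output, which is the correct division of labour.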