GP-2716 corrected HTML vulnerability in Graph Service label rendering

2025-02-01 14:01:10 +00:00 · 2022-10-18 13:47:55 -04:00 · 2022-10-18 13:47:55 -04:00 · ad6afeaaeb
commit ad6afeaaeb
parent 3c566a4d5f
2 changed files with 13 additions and 7 deletions
--- a/Ghidra/Features/GraphServices/src/main/java/ghidra/graph/visualization/AttributedToolTipInfo.java
+++ b/Ghidra/Features/GraphServices/src/main/java/ghidra/graph/visualization/AttributedToolTipInfo.java
@ -25,12 +25,12 @@ import javax.swing.JToolTip;

 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.text.StringEscapeUtils;

 import com.google.common.base.Splitter;

 import ghidra.graph.viewer.popup.ToolTipInfo;
 import ghidra.service.graph.*;
+import ghidra.util.HTMLUtilities;

 /**
 * Generates tool tips for an {@link AttributedVertex} or {@link AttributedEdge} in 
@ -94,7 +94,8 @@ public class AttributedToolTipInfo extends ToolTipInfo<Attributed> {
 		String vertexType = vertex.getVertexType();

 		buf.append("<H4>");
-		buf.append(vertex.getName());
+		String escapedText = HTMLUtilities.toLiteralHTML(vertex.getName(), 80);
+		buf.append(escapedText);
 		if (vertexType != null) {
 			buf.append("<br>");
 			buf.append("Type: &nbsp;" + vertexType);
@ -125,9 +126,8 @@ public class AttributedToolTipInfo extends ToolTipInfo<Attributed> {
 			}
 			buf.append(key);
 			buf.append(": ");
-			String value = entry.getValue();
-			value = StringEscapeUtils.escapeHtml4(value);
-			String split = String.join("<br>", Splitter.on('\n').split(value));
+			String escapedText = HTMLUtilities.toLiteralHTML(entry.getValue(), 80);
+			String split = String.join("<br>", Splitter.on('\n').split(escapedText));
 			split = split.replaceAll("\\s", "&nbsp;");
 			buf.append(split);
 			buf.append("<br>");
--- a/Ghidra/Features/GraphServices/src/main/java/ghidra/graph/visualization/DefaultGraphRenderer.java
+++ b/Ghidra/Features/GraphServices/src/main/java/ghidra/graph/visualization/DefaultGraphRenderer.java
@ -39,6 +39,7 @@ import org.jungrapht.visualization.util.RectangleUtils;

 import generic.util.image.ImageUtils;
 import ghidra.service.graph.*;
+import ghidra.util.HTMLUtilities;

 /**
 * Handles the rendering of graphs for the {@link DefaultGraphDisplay}
@ -101,6 +102,10 @@ public class DefaultGraphRenderer implements GraphRenderer {
 		iconCache.clear();
 	}

+	private String getVertexRenderedLabel(AttributedVertex v) {
+		return HTMLUtilities.toLiteralHTML(v.toString(), 80);
+	}
+
 	@Override
 	public void initializeViewer(VisualizationViewer<AttributedVertex, AttributedEdge> viewer) {

@ -134,7 +139,7 @@ public class DefaultGraphRenderer implements GraphRenderer {
 			viewer.setInitialDimensionFunction(InitialDimensionFunction
 					.builder(renderContext.getVertexShapeFunction().andThen(toRectangle))
 					.build());
-			renderContext.setVertexLabelFunction(Object::toString);
+			renderContext.setVertexLabelFunction(this::getVertexRenderedLabel);
 			GraphLabelPosition labelPosition = options.getLabelPosition();
 			renderContext.setVertexLabelPosition(getJungraphTPosition(labelPosition));

@ -318,7 +323,8 @@ public class DefaultGraphRenderer implements GraphRenderer {
 		// on the swing thread
 		Font font = options.getFont();
 		label.setFont(font);
-		label.setText(vertexName);
+		String escapedText = HTMLUtilities.toLiteralHTML(vertexName, 80);
+		label.setText(escapedText);
 		Dimension labelSize = label.getPreferredSize();

 		// make sure the the vertexName doesn't make the icon ridiculously big