Skip to content

[FIX] Backport GHSA patches and fixes from hotfix_v2.4.29#1087

Open
Che4ter wants to merge 6 commits into
dfir-iris:developfrom
baseVISION:contrib/security-fixes-and-backports
Open

[FIX] Backport GHSA patches and fixes from hotfix_v2.4.29#1087
Che4ter wants to merge 6 commits into
dfir-iris:developfrom
baseVISION:contrib/security-fixes-and-backports

Conversation

@Che4ter

@Che4ter Che4ter commented Jun 11, 2026

Copy link
Copy Markdown

This PR backports multiple security patches and stability fixes that are currently missing from the develop branch.

Context

The GHSA security patches (GHSA-vjc3-7jwv-j9qf, GHSA-w78h-mx7h-qm3h, GHSA-g588-5gmf-p5cx, GHSA-8hwq-v6vm-9grr, GHSA-qhqj-8qw6-wp8v) were only implemented in the master and hotfix branches, not in the current develop branch.

Additionally, this PR includes the latest fixes from hotfix_v2.4.29 to address stability issues that affect the develop branch as well.

Changes

  • 5 GHSA security patches
  • 9 stability and bug fixes backported from hotfix_v2.4.29

These fixes improve security and stability without breaking changes.

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)
  • api_*

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 48cff1e6-ae80-459e-83ad-323982d0b99b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

whikernel and others added 6 commits July 8, 2026 10:13
…filter values

- 'owner' (case owner username) and 'asset_type' were left unsanitized
  by the previous sanitation pass in this same table config.
- sanitizeHTML was being applied unconditionally for every DataTables
  render call (display/sort/filter/type), causing the search box and
  sort order to operate on the HTML-encoded value instead of the raw
  one. Sanitize only for the 'display' type via a shared helper.
- Guard asset_type/owner renderers against a null value (asset_type_id
  and case owner are both nullable).
user and action come from modification_history, which embeds the
acting user's username verbatim. They were appended as raw HTML via
jQuery .append(), so a username containing HTML/script executed when
an analyst opened the alert history modal.
alert_title was only quote-escaped before being embedded in the
popover's HTML content, so a title containing unquoted HTML (e.g. an
img tag with an onerror handler) still executed. Run it through
sanitizeHTML before the quote-escaping used for the attribute context.
…olumns

Use the same falsy check (!data) as the owner/asset_type renderers
instead of a strict === null comparison, so an undefined state value
falls back to 'Unknown' instead of throwing on data.state_name.
@Che4ter Che4ter force-pushed the contrib/security-fixes-and-backports branch from ce2ba69 to 224d353 Compare July 8, 2026 08:36
@Che4ter

Che4ter commented Jul 8, 2026

Copy link
Copy Markdown
Author

Hi @whikernel
I noticed that since I submitted this pr you already fixed the most the issues yourself. I therefore rebased this pr onto your current develop but there are still some smaller issues worth checking out. For example I found several more missing XSS sanitizations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants