patch cyberchef xss vuln (arkime#2601)

* patch cyberchef xss vuln vuln: gchq/CyberChef#1468 patch: https://github.com/gchq/CyberChef/pull/1549/files * update changelog ain't nobody got time to guess numbers * fix it for invalid sessions too --------- Co-authored-by: erinne23 <[email protected]>
mmguero-dev · Jan 18, 2024 · a94f708 · a94f708
1 parent ce71e94
commit a94f708
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 5 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -109,6 +109,7 @@ NOTICE: Create a parliament config file before upgrading (see https://arkime.com
   - #2525 add [config setting](https://arkime.com/settings#spiViewCategoryOrder) to set spiview category order
   - #2523 resize session detail field label/values
   - #2552 added %URIEncodedText% for URI encoded substitution (thanks @vpiserchia)
+  - #2601 patch cyberchef xss vuln (https://github.com/gchq/CyberChef/issues/1468)
 ## Parliament
   - #2377 dashboard-only mode removed, if you want users to just see the dashboard don't assign them the parliamentUser role
   - #2395 configuration is now stored in opensearch/elasticsearch

diff --git a/release/new_cyber_chef.pl b/release/new_cyber_chef.pl
@@ -48,6 +48,26 @@
       .then((result) => {
         interval = setInterval(() => {
           if (typeof app !== 'undefined') {
+            // THIS IS A HACK TO GET AROUND A CYBERCHEF BUG
+            // https://github.com/gchq/CyberChef/issues/1468
+            // https://github.com/gchq/CyberChef/pull/1549
+            app.manager.recipe.addOperation = (name) => {
+              const item = document.createElement('li');
+
+              item.classList.add('operation');
+
+              if (app.operations[name] != null) {
+                item.innerHTML = name;
+              }
+
+              app.manager.recipe.buildRecipeOperation(item);
+              document.getElementById('rec-list').appendChild(item);
+
+              $(item).find("[data-toggle='tooltip']").tooltip();
+              item.dispatchEvent(app.manager.operationadd);
+              return item;
+            };
+
             app.manager.recipe.addOperation('From Hex');
             app.setInput(result.data);
             clearInterval(interval);

diff --git a/viewer/public/cyberchef.html b/viewer/public/cyberchef.html
@@ -36,6 +36,7 @@
       }
     }
 
+    let data;
     let interval;
 
     // fetch the data to populate the input
@@ -48,16 +49,42 @@
         }
       })
       .then((result) => {
+        data = result.data;
+      })
+      .catch((error) => {
+        console.log('error', error);
+      }).finally(() => {
         interval = setInterval(() => {
           if (typeof app !== 'undefined') {
-            app.manager.recipe.addOperation('From Hex');
-            app.setInput(result.data);
+            // THIS IS A HACK TO GET AROUND A CYBERCHEF BUG
+            // https://github.com/gchq/CyberChef/issues/1468
+            // https://github.com/gchq/CyberChef/pull/1549
+            // replaces the addOperation function
+            app.manager.recipe.addOperation = (name) => {
+              const item = document.createElement('li');
+
+              item.classList.add('operation');
+
+              if (app.operations[name] != null) { // THIS is the fix
+                item.innerHTML = name;
+              }
+
+              app.manager.recipe.buildRecipeOperation(item);
+              document.getElementById('rec-list').appendChild(item);
+
+              $(item).find("[data-toggle='tooltip']").tooltip();
+              item.dispatchEvent(app.manager.operationadd);
+              return item;
+            };
+
+            if (data) {
+              app.manager.recipe.addOperation('From Hex');
+              app.setInput(data);
+            }
+
             clearInterval(interval);
           }
         }, 100);
-      })
-      .catch((error) => {
-        console.log('error', error);
       });
 
     setTimeout(() => {