Modern CMS with shop features based on fullstack symfony and sylius components

Summary

enhavo CMS has XSS security issue on the admin page. An authorized attacker can put any kind of javascript. And it is executed on authorized victim browser without induce

Reproduction

Here is how to reproduce this issue.

1. Access to the admin page.
2. Create an Usergroup as payloads.
3. Back to admin user group page.

Then you find that dialog appeared and XSS happens.

Payloads

Set Usergroup as following.

<img src=x onerror="alert(document.cookie);"/>

Event

• 2018-03-05 Vuln is discovered.
• 2018-03-06 Contact to developers.
• 2018-03-13 Open an issue.

At the moment we include the configurations file over yaml configuration files in config/packages/.

The files look like:

imports:
    - { resource: '@EnhavoAppBundle/Resources/config/app/config.yml' }

But in the symfony docs, they advise to use PrependExtensionInterface https://symfony.com/doc/current/bundles/prepend_extension.html

It would be nice, if we can just keep our Resources/config/app/config.yaml. So we just read the content and pass it to extension config.

    public function prepend(ContainerBuilder $container)
    {
        $configs = Yaml::parse(file_get_contents(__DIR__.'/../Resources/config/app/config.yaml'));
        foreach($configs as $name => $config) {
            $container->prependExtensionConfig($name, $config);
        }
    }

We need to apply that on all bundles

| Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | Doc PR? | no | License | MIT

group permissions by prefix to give at least some overview

Hey there!

I belong to an open source security research community, and a member (@wind226) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

For background articles, fill in the title of the modified content: '"><iMg SrC=x OnErRoR=alert(9999)>{{7*7}}

View Article trigger XSS https://demo.enhavo.com/article/cats

| Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | Doc PR? | no | Backport | 0.9, 0.10 | License | MIT

Twig function like media_parameter should accept null as file and return empty string like media_url does. This helps to keep the twig code more clean, instead of adding if cases all the time

This is an automatic backport of pull request #1275 done by Mergify. Cherry-pick of d1fcf07da5a9b497c141942b65b9b9edf44f39c7 has failed:

On branch mergify/bp/0.9/pr-1275
Your branch is up to date with 'origin/0.9'.

You are currently cherry-picking commit d1fcf07da.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   assets/node_modules/@enhavo/app/Grid/Filter/Components/FilterBar.vue
	modified:   assets/node_modules/@enhavo/app/Grid/Filter/Components/FilterDropdownComponent.vue
	modified:   assets/node_modules/@enhavo/app/Grid/Filter/Factory/AutoCompleteEntityFactory.ts
	modified:   assets/node_modules/@enhavo/app/Grid/Filter/Model/AbstractFilter.ts
	modified:   assets/node_modules/@enhavo/app/Grid/Filter/Model/BetweenFilter.ts
	modified:   assets/node_modules/@enhavo/app/Grid/Filter/Model/OptionFilter.ts
	modified:   docs/source/reference/filter/age-filter.rst
	modified:   docs/source/reference/filter/auto-complete-entity-filter.rst
	modified:   docs/source/reference/filter/between-filter.rst
	modified:   docs/source/reference/filter/boolean-filter.rst
	new file:   docs/source/reference/filter/date-between-filter.rst
	modified:   docs/source/reference/filter/entity-filter.rst
	modified:   docs/source/reference/filter/index.rst
	modified:   docs/source/reference/filter/option-filter.rst
	new file:   docs/source/reference/filter/option/hidden.rst
	new file:   docs/source/reference/filter/option/initial_active.rst
	new file:   docs/source/reference/filter/option/initial_value.rst
	modified:   docs/source/reference/filter/option/label.rst
	new file:   docs/source/reference/filter/option/permission.rst
	deleted:    docs/source/reference/filter/option/translationDomain.rst
	new file:   docs/source/reference/filter/option/translation_domain.rst
	modified:   docs/source/reference/filter/taxonomy-filter.rst
	modified:   docs/source/reference/filter/text-filter.rst
	modified:   src/Enhavo/Bundle/AppBundle/Filter/AbstractFilterType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/AutoCompleteEntityType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/BetweenFilterType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/BooleanType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/DateBetweenFilterType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/EntityType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/OptionType.php
	modified:   src/Enhavo/Bundle/AppBundle/Filter/Type/TextType.php
	modified:   src/Enhavo/Bundle/MultiTenancyBundle/Filter/TenancyFilterType.php
	modified:   src/Enhavo/Bundle/TaxonomyBundle/Filter/TaxonomyFilterType.php
	modified:   src/Enhavo/Bundle/TaxonomyBundle/Repository/TermRepository.php
	modified:   src/Enhavo/Bundle/UserBundle/Resources/config/routes/admin/user.yaml

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   assets/node_modules/@enhavo/app/Grid/Filter/Components/FilterAutoCompleteComponent.vue
	both modified:   assets/node_modules/@enhavo/app/Grid/Filter/Model/AutoCompleteEntityFilter.ts

To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

This is an automatic backport of pull request #1262 done by Mergify.

| Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | Backport | 0.10 | License | MIT

Integrate the CleverReach repository into the main repo to obtain easier maintenance

| Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | Doc PR? | no | Backport | 0.9 | Tickets | | License | MIT

| Q | A | ------------- | --- | Bug fix? | no | New feature? | no | Doc PR? | no | License | MIT

Fully automate releases and subtree pushes

Media files connected to non-public entities are always available if you know their url. If these files are indexed by search engines or manually linked by other sites, they will still be valid after the containing entity has been set to private.

Possible solutions:

1. Public flag on File entity, cascaded from parent entity. High performance, but possible cause for synchronization problems.
2. Symfony Voter system whenever a file is supposed to be displayed. Slows down performance on File display (SEO relevant), but less error prone and good flexibility/code quality.

Speculative suggestion: It might be a good idea to add a navigation node type which references another navigation and renders it like a submenu. This could be useful on pages where the same menu points show up in different places, and it would allow a single source of truth style for managing these points.

SubmenuNavItem doesn't have a good solution for a navigation where the head of the submenu is itself clickable. A possible solution would be an additional field in SubmenuNavItem where another Node can be added, which is then rendered as the head of the submenu.

Also it might be good to prevent the placement of a submenu into this field, which would make no sense. Therefore introduction of groups for navigation items might be a good idea, analogous to groups in blocks/validation/etc.

Related Ticket: #1378 (For the field in the submenu formtype)

A page entity has a parent property, but in the PageFormType the parent selection allow only root pages. Any page in the hierarchy should be able to select, except the ones which create a parent/ child loop.

How to reproduce:

1. Open index of any resource in backend with at least two existing entries.
2. Open update for one of the entries. The index view will indicate which of the entries is currently selected.
3. Make changes to the entry but don't save.
4. Click on another entry in the table view. The indicator in the index view will change immediately, but the update view will not close yet. Instead it asks if you would like to close without saving.
5. Click "Cancel". Now you still have the first entry open, but your index view will indicate a different entry.