Fix Console API and Angular XSS security flaws#3076

Open
CydeWeys wants to merge 1 commit into google:master from CydeWeys:security-audit-part2

Conversation

@CydeWeys CydeWeys commented Jun 1, 2026

Member

This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

  1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
  2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
  3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
  4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists to 500 domains to prevent thread exhaustion.
  5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults(500) on JPA native queries to prevent eager loading of the entire database into memory.

Also removes an outdated Joda-Time migration reference from GEMINI.md.


@CydeWeys CydeWeys force-pushed the security-audit-part2 branch 2 times, most recently from 2e5e136 to 4c0b7df on June 18, 2026 20:23
This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists (configurable, default 500) to prevent thread exhaustion.
5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults() (configurable, default 500) on JPA native queries to prevent eager loading of the entire database into memory.

Makes the history query limit and bulk domain action limit configurable via RegistryConfig, allowing smaller limits to be used in tests to avoid heavy resource persistence.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
@CydeWeys CydeWeys force-pushed the security-audit-part2 branch from 4c0b7df to bae4dbf on June 18, 2026 20:39
@CydeWeys CydeWeys requested a review from ptkach June 18, 2026 20:39