Skip to content

Mitigate CVE-2025-3573 #545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 26, 2025
Merged

Mitigate CVE-2025-3573 #545

merged 7 commits into from
Apr 26, 2025

Conversation

@tenzap
Copy link
Collaborator

@tenzap tenzap commented Apr 26, 2025
edited by coderabbitai bot
Loading

Initially reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104134

Hence update jquery-validation & use escapeHtml: true, (as recommended at jquery-validation/jquery-validation#2462).

Summary by CodeRabbit

  • Bug Fixes

    • Improved translation handling for phone number validation errors, ensuring error messages are now displayed in the user's language across multiple areas.
    • Corrected French translation typos for clearer messaging.
    • Fixed a variable naming typo in JSON handling to prevent potential issues.

  • New Features

    • Added a no-operation translation helper to support translation tooling.

  • Style

    • Updated client-side validation to escape HTML in error messages, enhancing security and display consistency.

  • Documentation

    • Updated plugin version information in the credits.

  • Chores

    • Enhanced translation tooling to recognize new translation helper functions.

@coderabbitai
Copy link

coderabbitai bot commented Apr 26, 2025
edited
Loading

Walkthrough

The changes focus on improving internationalization and client-side validation security across the application. Error messages resulting from phone number validation are now consistently passed through translation functions before being displayed, ensuring localization throughout controllers and models. A new helper function, tr_no_op, is introduced for marking strings for translation without altering them. Client-side form validation scripts are updated to use the escapeHtml: true option, enhancing security by preventing HTML injection in validation error messages. Additionally, some translation strings are corrected, and the jQuery Validation plugin version is updated in the documentation.

Changes

File(s) Change Summary
application/controllers/Kalkun.php Error messages from phone number validation are now passed through tr_raw() for translation before being output as JSON.
application/controllers/Messages.php,
application/controllers/Phonebook.php,
application/models/Kalkun_model.php,
application/models/User_model.php,
application/plugins/stop_manager/controllers/Stop_manager.php		 Error messages from phone number validation are now passed through tr() for translation before being displayed with show_error.
application/helpers/i18n_helper.php Added new helper function tr_no_op($label) for marking strings for translation without modifying them.
application/helpers/kalkun_helper.php Changed error message assignment in is_phone_number_valid from tr() to tr_no_op(); fixed variable name typo in json_protect function from $înput to $input.
application/language/french/kalkun_lang.php Corrected typographical errors in two French translation strings.
application/plugins/server_alert/views/js_server_alert.php,
application/plugins/sms_credit/views/js_users.php,
application/plugins/soap/views/js_remote_access.php,
application/plugins/stop_manager/views/js_stop_manager.php,
application/plugins/whitelist_number/views/js_whitelist_number.php,
application/views/js_init/message/js_compose.php,
application/views/js_init/users/js_add_user.php,
application/views/main/settings/password.php,
application/views/main/settings/personal.php		 Updated jQuery validation initialization to include escapeHtml: true, enabling HTML character escaping in validation error messages.
application/views/main/phonebook/contact/add_contact.php Replaced simple validation call with detailed configuration: added escapeHtml: true, explicit rules for required fields, remote validation for phone number, and custom error messages.
docs/CREDITS Updated jQuery Validation plugin version from 1.19.5 to 1.21.0.
utils/check_translation.php Included tr_no_op in the list of functions recognized for translation label extraction.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Form (Client)
    participant Server (Controller)
    participant Model
    participant Translator

    User->>Form (Client): Submit form with phone number
    Form (Client)->>Server (Controller): Send phone number for validation
    Server (Controller)->>Model: Validate phone number
    Model-->>Server (Controller): Return validation result (TRUE or error message)
    alt Validation fails
        Server (Controller)->>Translator: Translate error message (tr() or tr_raw())
        Translator-->>Server (Controller): Localized error message
        Server (Controller)-->>Form (Client): Return translated error message
        Form (Client)-->>User: Display translated error message (with HTML escaped)
    else Validation succeeds
        Server (Controller)-->>Form (Client): Return success
        Form (Client)-->>User: Proceed as normal
    end
Loading 
sequenceDiagram
    participant Developer
    participant Helper (i18n_helper)
    participant check_translation.php

    Developer->>Helper (i18n_helper): Call tr_no_op("Some string")
    Helper (i18n_helper)-->>Developer: Return "Some string" unchanged

    check_translation.php->>Helper (i18n_helper): Scan for tr_no_op calls
    Helper (i18n_helper)-->>check_translation.php: Provide strings for translation extraction
Loading
✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Apr 26, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
application/helpers/kalkun_helper.php (1)

539-541: Fixed parameter name typo.

The parameter name was corrected from a misspelled $înput to the properly spelled $input. This improves code readability and maintainability while keeping the function's behavior unchanged.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bcec04f and 73cae26.

⛔ Files ignored due to path filters (1)
  • media/js/jquery-plugin/jquery.validate.min.js is excluded by !**/*.min.js
📒 Files selected for processing (21)
  • application/controllers/Kalkun.php (2 hunks)
  • application/controllers/Messages.php (1 hunks)
  • application/controllers/Phonebook.php (1 hunks)
  • application/helpers/i18n_helper.php (1 hunks)
  • application/helpers/kalkun_helper.php (2 hunks)
  • application/language/french/kalkun_lang.php (2 hunks)
  • application/models/Kalkun_model.php (1 hunks)
  • application/models/User_model.php (1 hunks)
  • application/plugins/server_alert/views/js_server_alert.php (1 hunks)
  • application/plugins/sms_credit/views/js_users.php (1 hunks)
  • application/plugins/soap/views/js_remote_access.php (2 hunks)
  • application/plugins/stop_manager/controllers/Stop_manager.php (1 hunks)
  • application/plugins/stop_manager/views/js_stop_manager.php (1 hunks)
  • application/plugins/whitelist_number/views/js_whitelist_number.php (2 hunks)
  • application/views/js_init/message/js_compose.php (1 hunks)
  • application/views/js_init/users/js_add_user.php (1 hunks)
  • application/views/main/phonebook/contact/add_contact.php (1 hunks)
  • application/views/main/settings/password.php (1 hunks)
  • application/views/main/settings/personal.php (1 hunks)
  • docs/CREDITS (1 hunks)
  • utils/check_translation.php (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (8)
application/plugins/stop_manager/controllers/Stop_manager.php (1)
application/helpers/i18n_helper.php (1)
  • tr (25-28)
application/controllers/Phonebook.php (1)
application/helpers/i18n_helper.php (1)
  • tr (25-28)
application/models/User_model.php (1)
application/helpers/i18n_helper.php (1)
  • tr (25-28)
application/models/Kalkun_model.php (1)
application/helpers/i18n_helper.php (1)
  • tr (25-28)
application/helpers/kalkun_helper.php (1)
application/helpers/i18n_helper.php (1)
  • tr_no_op (91-94)
application/controllers/Kalkun.php (1)
application/helpers/i18n_helper.php (1)
  • tr_raw (40-43)
application/controllers/Messages.php (1)
application/helpers/i18n_helper.php (1)
  • tr (25-28)
application/views/main/phonebook/contact/add_contact.php (1)
application/helpers/i18n_helper.php (1)
  • tr_js (74-80)
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: test (ubuntu-latest, 5.6)
  • GitHub Check: test (ubuntu-latest, 7.0)
  • GitHub Check: check-code (ubuntu-latest, 8.2)
🔇 Additional comments (29)
application/plugins/server_alert/views/js_server_alert.php (1)

6-6: Security enhancement: Adding HTML escaping to prevent injection attacks

The addition of escapeHtml: true to the jQuery validation configuration is an excellent security improvement that prevents potential HTML injection attacks in validation error messages. This change directly addresses CVE-2025-3573 as mentioned in the PR objectives.

application/plugins/sms_credit/views/js_users.php (1)

17-17: Security enhancement: Adding HTML escaping to prevent injection attacks

The addition of escapeHtml: true to the jQuery validation configuration is an excellent security improvement that prevents potential HTML injection attacks in validation error messages. This change directly addresses CVE-2025-3573 as mentioned in the PR objectives.

application/helpers/i18n_helper.php (1)

81-94: Good addition of translation marker function

The tr_no_op function serves as a helpful utility for marking strings for translation without altering their content. This is particularly useful for the translation checking tools to identify strings that require translation, while preserving their original format.

application/views/main/settings/personal.php (1)

6-6: Security enhancement: Adding HTML escaping to prevent injection attacks

The addition of escapeHtml: true to the jQuery validation configuration is an excellent security improvement that prevents potential HTML injection attacks in validation error messages. This change directly addresses CVE-2025-3573 as mentioned in the PR objectives.

application/views/js_init/users/js_add_user.php (1)

7-7: Security enhancement: HTML escaping enabled for validation messages

Adding escapeHtml: true to the validation configuration properly mitigates CVE-2025-3573 by preventing potential XSS attacks through validation error messages. This is exactly the recommended fix from the jquery-validation project.

docs/CREDITS (1)

13-13: Library version updated to address security vulnerability

Updating jQuery Validation to version 1.21.0 is appropriate as this version includes the security fix for CVE-2025-3573. This change aligns with the PR objective of mitigating the vulnerability.

Let's verify this is the appropriate version:

What version of jQuery Validation contains the fix for CVE-2025-3573?
application/plugins/stop_manager/views/js_stop_manager.php (1)

50-50: Security enhancement: HTML escaping enabled for validation messages

Adding escapeHtml: true to the validation configuration properly mitigates CVE-2025-3573 by preventing potential XSS attacks through validation error messages. This is consistent with the changes made to other validation scripts in the application.

application/views/main/settings/password.php (1)

6-6: Security enhancement: HTML escaping enabled for validation messages

Adding escapeHtml: true to the validation configuration properly mitigates CVE-2025-3573 by preventing potential XSS attacks through validation error messages. This is consistent with the changes made to other validation scripts in the application.

application/views/js_init/message/js_compose.php (1)

196-196: Security enhancement: XSS protection added to validation messages

Adding escapeHtml: true to the jQuery validation configuration is a security best practice that prevents potential XSS attacks by escaping HTML characters in validation error messages. This change addresses CVE-2025-3573 as mentioned in the PR objectives.

application/plugins/soap/views/js_remote_access.php (2)

13-13: Security enhancement: XSS protection added to validation messages

Adding escapeHtml: true to the jQuery validation configuration prevents potential XSS attacks by escaping HTML characters in validation error messages. This change helps mitigate CVE-2025-3573.

29-29: Security enhancement: XSS protection added to validation messages

Similarly, adding escapeHtml: true to this form's validation configuration ensures consistent protection against XSS attacks across all forms in the application.

application/language/french/kalkun_lang.php (2)

362-362: Fixed French translation typo

The French translation for "Please enter a name for your message" has been corrected from "Veuillz" to "Veuillez", fixing a typographical error.

382-382: Fixed French translation typo

The French translation for "Value is too short" has been corrected from "La valeur estr trop courte" to "La valeur est trop courte", fixing a typographical error.

application/plugins/whitelist_number/views/js_whitelist_number.php (2)

76-76: Security enhancement: XSS protection added to validation messages

Adding escapeHtml: true to the jQuery validation configuration helps prevent XSS attacks by escaping HTML characters in validation error messages. This change is consistent with the security improvements made throughout the application to address CVE-2025-3573.

98-98: Security enhancement: XSS protection added to validation messages

Similarly, adding escapeHtml: true to this form's validation configuration ensures consistent protection against XSS attacks across all forms in the application.

application/plugins/stop_manager/controllers/Stop_manager.php (1)

133-133: Enhanced security with error message escaping and translation

The change correctly wraps the phone number validation error message with the tr() function, which provides two important benefits:

  1. It translates the error message based on the user's language settings
  2. It applies HTML entity encoding via htmlentities() to prevent potential XSS attacks

This change is part of the security improvements to mitigate CVE-2025-3573 by ensuring error messages are properly escaped.

application/models/User_model.php (1)

171-171: Enhanced security with error message escaping and translation

The change correctly wraps the phone number validation error message with the tr() function, which provides two important benefits:

  1. It translates the error message based on the user's language settings
  2. It applies HTML entity encoding via htmlentities() to prevent potential XSS attacks

This change is part of the security improvements to mitigate CVE-2025-3573 by ensuring error messages are properly escaped.

utils/check_translation.php (2)

213-213: Added support for new tr_no_op translation function

The code correctly adds the newly introduced tr_no_op function to the list of translation functions that the script checks for when analyzing PHP files. This ensures that strings wrapped with tr_no_op() will be properly extracted for inclusion in translation files.

215-215: Updated argument handling for tr_no_op function

The code appropriately includes the tr_no_op function in the same argument handling logic as tr, tr_js, and tr_raw, which ensures that the translation extraction correctly processes strings marked with this new function.

application/models/Kalkun_model.php (1)

692-692: Enhanced security with error message escaping and translation

The change correctly wraps the phone number validation error message with the tr() function, which provides two important benefits:

  1. It translates the error message based on the user's language settings
  2. It applies HTML entity encoding via htmlentities() to prevent potential XSS attacks

This change is part of the security improvements to mitigate CVE-2025-3573 by ensuring error messages are properly escaped.

application/controllers/Messages.php (1)

1602-1602: Good security enhancement for error message translation.

Wrapping the phone number validation error message with the tr() function ensures the message is properly translated and HTML-escaped before being displayed to the user, which helps prevent potential XSS vulnerabilities.

application/controllers/Phonebook.php (1)

412-412: Good security enhancement for error message translation.

Wrapping the phone number validation error message with the tr() function ensures proper translation and HTML encoding, maintaining consistency with similar changes in other controllers. This helps prevent potential XSS attacks through error messages.

application/helpers/kalkun_helper.php (1)

458-458: Improved translation handling for validation messages.

Using tr_no_op() instead of direct string assignment marks the error message for translation extraction without altering it at runtime. This ensures the message will be properly included in translation files while maintaining the original functionality.

application/controllers/Kalkun.php (2)

377-380: Good internationalization enhancement for validation messages.

Wrapping the error message with tr_raw() ensures the validation result is properly translated before being returned to the client, maintaining consistency with the internationalization approach used throughout the application.

405-405: Improved error message translation in multiple phone validation.

The error message is now properly translated using tr_raw() before being returned to the client. This enhances the user experience by providing localized validation errors while maintaining the required format with the problematic phone number.

application/views/main/phonebook/contact/add_contact.php (4)

71-98: Security enhancement properly implemented with escapeHtml: true.

The changes properly implement the recommended security fix for CVE-2025-3573 by adding the escapeHtml: true option to the jQuery validation configuration. This prevents potential XSS attacks by escaping HTML in validation error messages. The implementation also includes proper validation rules and translated error messages.

79-88: Remote validation implementation looks good.

The remote validation for phone numbers is properly implemented with appropriate URL and data handling. The GET request to the validation endpoint will help ensure valid phone numbers while providing translated error messages.

90-97: Properly localized validation messages.

Good job using the tr_js() helper function to ensure error messages are properly translated and JSON-encoded for JavaScript. This maintains a consistent localization approach throughout the application.

71-72:

✅ Verification successful

Verify jQuery validation plugin version compatibility.

Ensure that your jQuery validation plugin version supports the escapeHtml option. This option was introduced in a specific version to address the security vulnerability mentioned in CVE-2025-3573.

🏁 Script executed:

#!/bin/bash
# Check the jQuery validation plugin version in use
grep -r "jquery.validate" --include="*.php" --include="*.js" .

Length of output: 1788

🏁 Script executed:

#!/bin/bash
# Locate all jquery.validate.min.js files and print their header comments to determine the version
find . -type f -name "jquery.validate.min.js" -exec sed -n '1,10p' {} \;

Length of output: 25381

Confirmed compatibility with escapeHtml in jQuery Validation Plugin v1.21.0

We’re loading jquery.validate.min.js v1.21.0 (dated 7/17/2024), and this build already checks this.settings.escapeHtml when rendering error labels. No upgrade or additional changes are needed.

@tenzap
Copy link
Collaborator Author

tenzap commented Apr 26, 2025

@kingster, can you please review? I'd like to release a new version with this fix soon to fix the package in Debian (hard freeze starts 15/05).

@tenzap tenzap merged commit a373e23 into kalkun-sms:devel Apr 26, 2025
15 checks passed
@tenzap tenzap deleted the feature-224-cve2025-3573 branch April 26, 2025 19:52
@coderabbitai coderabbitai bot mentioned this pull request Apr 27, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@kingster kingster kingster approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tenzap @kingster