Fix Console API and Angular XSS security flaws #3076

Open
CydeWeys wants to merge 1 commit into google:master from CydeWeys:security-audit-part2

Conversation

@CydeWeys CydeWeys commented Jun 1, 2026

This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

  1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
  2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
  3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
  4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists to 500 domains to prevent thread exhaustion.
  5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults(500) on JPA native queries to prevent eager loading of the entire database into memory.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
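The three backend checks listed above (registrar ownership on password reset, an explicit CONFIGURE_EPP_CONNECTION check, and the 500-domain bulk limit), modelled as an added example in TypeScript. This is not Nomulus code: the in-memory user table, the function names and the second permission name are hypothetical.

```typescript
// Added example, not Nomulus code: a minimal model of the three backend
// checks described in the PR, run over a constructed in-memory user table.
type Permission = "CONFIGURE_EPP_CONNECTION" | "VIEW_REGISTRAR_DETAILS";

interface ConsoleUser {
  email: string;
  registrarId: string;          // registrar this user belongs to
  permissions: Set<Permission>;
}

type Decision = { allowed: true } | { allowed: false; reason: string };

const MAX_BULK_DOMAINS = 500;   // limit stated in the PR description

// Constructed sample users; emails and registrar IDs are hypothetical.
const USERS: ConsoleUser[] = [
  { email: "alice@example.test", registrarId: "registrar-a",
    permissions: new Set<Permission>(["CONFIGURE_EPP_CONNECTION"]) },
  { email: "bob@example.test", registrarId: "registrar-b",
    permissions: new Set<Permission>(["VIEW_REGISTRAR_DETAILS"]) },
];

// IDOR fix: a password reset may only target a user of the registrar the
// caller is authorized for. Unknown and foreign users get the same answer,
// so the response does not reveal which emails exist.
function resetTargetFor(authorizedRegistrarId: string, targetEmail: string): ConsoleUser | null {
  const user = USERS.find((u) => u.email === targetEmail);
  return user && user.registrarId === authorizedRegistrarId ? user : null;
}

// Missing-permission fix: check CONFIGURE_EPP_CONNECTION explicitly before
// any EPP password update, rather than relying on an earlier implicit check.
function eppPasswordUpdateDecision(user: ConsoleUser): Decision {
  return user.permissions.has("CONFIGURE_EPP_CONNECTION")
    ? { allowed: true }
    : { allowed: false, reason: "CONFIGURE_EPP_CONNECTION permission required" };
}

// DoS fix: reject an oversized bulk list before any per-domain work starts,
// which is what bounds the thread exhaustion the PR describes.
function bulkDomainListDecision(domains: string[]): Decision {
  return domains.length <= MAX_BULK_DOMAINS
    ? { allowed: true }
    : { allowed: false, reason: `bulk list exceeds ${MAX_BULK_DOMAINS} domains` };
}
```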


This change is Reviewable

This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists to 500 domains to prevent thread exhaustion.
5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults(500) on JPA native queries to prevent eager loading of the entire database into memory.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant