1
0
mirror of https://github.com/google/nomulus synced 2026-07-19 06:22:33 +00:00
Commit Graph

18 Commits

Author SHA1 Message Date
Ben McIlwain 7c23413d83 Fix Console API and Angular XSS security flaws (#3076)
This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists (configurable, default 500) to prevent thread exhaustion.
5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults() (configurable, default 500) on JPA native queries to prevent eager loading of the entire database into memory.

Makes the history query limit and bulk domain action limit configurable via RegistryConfig, allowing smaller limits to be used in tests to avoid heavy resource persistence.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
2026-06-24 20:39:42 +00:00
Pavlo Tkach 186dd80567 Enable password reset for registrars (#2971) 2026-02-27 20:02:51 +00:00
Pavlo Tkach 49df9c325a Update angular @21 (#2965) 2026-02-24 20:08:27 +00:00
Pavlo Tkach fc1eb162f2 Remove Primary Contact from users editing screen (#2856) 2025-10-24 20:12:18 +00:00
gbrodman 4738b979e4 Add FE for password-reset verification (#2795)
Tested locally and on alpha with dummy values (and throwing an
exception).

I was able to reuse a bit of code from the EPP password reset, but not
all of it.
2025-08-19 03:00:44 +00:00
gbrodman 9f191e9392 Add Registry Lock password reset on front end (#2785)
This is only enabled for admins, for now at least. It sends an email to
the registry lock email address to reset it.
2025-07-28 20:23:39 +00:00
Pavlo Tkach ed95d19b93 Provide prompt for user deletion UI (#2684) 2025-02-21 20:30:03 +00:00
Pavlo Tkach 4ec2919ce3 Update console dependencies (#2659) 2025-01-31 21:40:37 +00:00
Pavlo Tkach 40b6984ffb Improve console screen reader interaction (#2656) 2025-01-31 16:46:25 +00:00
Pavlo Tkach 765bd9834a Add more accessible names to the console (#2652) 2025-01-29 20:19:00 +00:00
Pavlo Tkach 8987fd37c2 Improve console accessibility (#2649) 2025-01-26 00:47:53 +00:00
Pavlo Tkach f649d960c1 Add user email prefix to the console user create (#2623) 2024-12-13 19:47:21 +00:00
Pavlo Tkach 71afc25110 Fix console new user screen layout (#2617) 2024-12-05 18:17:52 +00:00
Pavlo Tkach fa377733be Allow adding existing users to registrar (#2616) 2024-11-27 22:40:32 +00:00
Pavlo Tkach eeed166310 Add console user role update and minor fixes to delete (#2610) 2024-11-15 18:36:10 +00:00
Pavlo Tkach 35f95bbbe4 Add delete user to the console (#2603)
* Add delete user to the console

* Add delete user to the console

* Add delete user to the console
2024-11-08 18:20:01 +00:00
Pavlo Tkach 91e241374d Add required fields to API users().insert (#2593) 2024-10-17 19:45:12 +00:00
Pavlo Tkach 6e77c89cd6 Add console users screen (#2576) 2024-10-08 16:00:47 +00:00