mirror of https://github.com/google/nomulus synced 2026-06-09 16:33:02 +00:00
nomulus/console-webapp
Ben McIlwain 7c23413d83 Fix Console API and Angular XSS security flaws (#3076)
This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists (configurable, default 500) to prevent thread exhaustion.
5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults() (configurable, default 500) on JPA native queries to prevent eager loading of the entire database into memory.

Makes the history query limit and bulk domain action limit configurable via RegistryConfig, allowing smaller limits to be used in tests to avoid heavy resource persistence.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
2026-06-24 20:39:42 +00:00
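The second fix in the commit above (broken access control in the password-reset actions) comes down to scoping the target-user lookup by the caller's registrar. The following TypeScript is an added illustration, not Nomulus code; the user records, `ResetRequest` shape and function names are assumptions, and the "unscoped" function models the pre-fix behaviour only to contrast it with the scoped one.

```typescript
// Added example (not Nomulus code). Models the ownership check the commit
// describes: the target user's email must belong to the registrar the
// caller is authorized for. All names and records here are assumptions.

interface ConsoleUser {
  email: string;
  registrarId: string;
}

// Constructed sample directory: two registrars, one console user each.
const USERS: ConsoleUser[] = [
  { email: "alice@example.test", registrarId: "registrar-a" },
  { email: "bob@example.test", registrarId: "registrar-b" },
];

interface ResetRequest {
  callerRegistrarId: string; // registrar the session is authorized for
  targetEmail: string;       // user whose password should be reset
}

// Pre-fix shape: the target is looked up by email alone. A caller who knows
// a user's email under a different registrar can act on that user (IDOR).
function resolveResetTargetUnscoped(
  req: ResetRequest, users: ConsoleUser[] = USERS): ConsoleUser | null {
  return users.find(u => u.email === req.targetEmail) ?? null;
}

// Post-fix shape: the lookup is scoped by the caller's registrarId, so a
// user outside that registrar is treated exactly like a non-existent user.
// Returning null in both cases also avoids confirming whether an email
// exists under another registrar.
function resolveResetTargetScoped(
  req: ResetRequest, users: ConsoleUser[] = USERS): ConsoleUser | null {
  return users.find(u =>
    u.email === req.targetEmail &&
    u.registrarId === req.callerRegistrarId) ?? null;
}
```

The same pattern applies to any action that takes a user identifier from the request: resolve it through the caller's authorization scope rather than globally, then apply the action's own permission check.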

ConsoleWebapp

A web application for managing Nomulus.

Status

Console webapp is currently under active development and some parts of it are expected to change.

Deployment

The webapp is deployed as part of the default Nomulus GKE service image. During the image build task, the Gradle script triggers the following:

  1. The console webapp build script buildConsoleWebapp installs dependencies and assembles a compiled (TypeScript to JavaScript), minified and optimized static artifact (HTML, CSS, JS).
  2. The artifact assembled in step 1 is then copied to the Jetty webapp resource location so that it can be staged inside the default GKE service container.

Development server

Run npm run start:dev to start both the webapp dev server and an API server instance. Navigate to http://localhost:4200/. The application will automatically reload if you change any of the source files.

Code scaffolding

Run ng generate component component-name to generate a new component. You can also use ng generate directive|pipe|service|class|guard|interface|enum|module.

Build

Run ng build to build the project. The build artifacts will be stored in the dist/ directory.

Running unit tests

Run ng test to execute the unit tests via Karma.

Running end-to-end tests

Run ng e2e to execute the end-to-end tests via a platform of your choice. To use this command, you need to first add a package that implements end-to-end testing capabilities.

Further help

To get more help on the Angular CLI use ng help or go check out the Angular CLI Overview and Command Reference page.