Fixes pentest issue DG25-16 from 2025-09-02

crates/defguard_core/src/grpc/password_reset.rs

@@ -18,6 +18,7 @@ use crate::{
         mail::{send_password_reset_email, send_password_reset_success_email},
         user::check_password_strength,
     },
+    headers::get_device_info,
     mail::Mail,
     server_config,
 };
@@ -99,13 +100,14 @@ impl PasswordResetServer {
         debug!("Starting password reset request");
 
         let ip_address;
-        let user_agent;
+        let device_info;
         if let Some(ref info) = req_device_info {
             ip_address = info.ip_address.clone();
-            user_agent = info.user_agent.clone().unwrap_or_default();
+            let agent = info.user_agent.clone().unwrap_or_default();
+            device_info = get_device_info(&agent);
         } else {
             ip_address = String::new();
-            user_agent = String::new();
+            device_info = String::new();
         }
 
         let email = request.email;
@@ -152,14 +154,13 @@ impl PasswordResetServer {
             error!("Failed to commit transaction");
             Status::internal("unexpected error")
         })?;
-
         send_password_reset_email(
             &user,
             &self.mail_tx,
             config.enrollment_url.clone(),
             &enrollment.id,
             Some(&ip_address),
-            Some(&user_agent),
+            Some(&device_info),
         )?;
 
         info!(
@@ -255,13 +256,14 @@ impl PasswordResetServer {
         let enrollment = self.validate_session(request.token.as_ref()).await?;
 
         let ip_address;
-        let user_agent;
+        let device_info;
         if let Some(ref info) = req_device_info {
             ip_address = info.ip_address.clone();
-            user_agent = info.user_agent.clone().unwrap_or_default();
+            let agent = info.user_agent.clone().unwrap_or_default();
+            device_info = get_device_info(&agent);
         } else {
             ip_address = String::new();
-            user_agent = String::new();
+            device_info = String::new();
         }
 
         if let Err(err) = check_password_strength(&request.password) {
@@ -302,7 +304,7 @@ impl PasswordResetServer {
             &user,
             &self.mail_tx,
             Some(&ip_address),
-            Some(&user_agent),
+            Some(&device_info),
         )?;
 
         // Prepare event context and push the event

crates/defguard_core/src/grpc/utils.rs

@@ -216,6 +216,7 @@ pub(crate) fn parse_client_info(info: &Option<DeviceInfo>) -> Result<(IpAddr, St
         msg
     })?;
     let user_agent = info.user_agent.clone().unwrap_or_else(String::new);
+    let escaped_agent = tera::escape_html(&user_agent);
 
-    Ok((ip, user_agent))
+    Ok((ip, escaped_agent))
 }

crates/defguard_core/src/handlers/mail.rs

@@ -39,8 +39,8 @@ static EMAIL_MFA_CODE_EMAIL_SUBJECT: &str = "Your Multi-Factor Authentication Co
 static GATEWAY_DISCONNECTED: &str = "Defguard: Gateway disconnected";
 static GATEWAY_RECONNECTED: &str = "Defguard: Gateway reconnected";
 
-pub static EMAIL_PASSOWRD_RESET_START_SUBJECT: &str = "Defguard: Password reset";
-pub static EMAIL_PASSOWRD_RESET_SUCCESS_SUBJECT: &str = "Defguard: Password reset success";
+pub static EMAIL_PASSWORD_RESET_START_SUBJECT: &str = "Defguard: Password reset";
+pub static EMAIL_PASSWORD_RESET_SUCCESS_SUBJECT: &str = "Defguard: Password reset success";
 
 #[derive(Clone, Deserialize)]
 pub struct TestMail {
@@ -461,7 +461,7 @@ pub fn send_password_reset_email(
 
     let mail = Mail {
         to: user.email.clone(),
-        subject: EMAIL_PASSOWRD_RESET_START_SUBJECT.into(),
+        subject: EMAIL_PASSWORD_RESET_START_SUBJECT.into(),
         content: templates::email_password_reset_mail(service_url, token, ip_address, device_info)?,
         attachments: Vec::new(),
         result_tx: None,
@@ -491,7 +491,7 @@ pub fn send_password_reset_success_email(
 
     let mail = Mail {
         to: user.email.clone(),
-        subject: EMAIL_PASSOWRD_RESET_SUCCESS_SUBJECT.into(),
+        subject: EMAIL_PASSWORD_RESET_SUCCESS_SUBJECT.into(),
         content: templates::email_password_reset_success_mail(ip_address, device_info)?,
         attachments: Vec::new(),
         result_tx: None,

crates/defguard_core/src/handlers/user.rs

@@ -8,7 +8,7 @@ use serde_json::json;
 
 use super::{
     AddUserData, ApiResponse, ApiResult, PasswordChange, PasswordChangeSelf,
-    StartEnrollmentRequest, Username, mail::EMAIL_PASSOWRD_RESET_START_SUBJECT,
+    StartEnrollmentRequest, Username, mail::EMAIL_PASSWORD_RESET_START_SUBJECT,
     user_for_admin_or_self,
 };
 use crate::{
@@ -1086,7 +1086,7 @@ pub async fn reset_password(
 
         let mail = Mail {
             to: user.email.clone(),
-            subject: EMAIL_PASSOWRD_RESET_START_SUBJECT.into(),
+            subject: EMAIL_PASSWORD_RESET_START_SUBJECT.into(),
             content: templates::email_password_reset_mail(
                 config.enrollment_url.clone(),
                 enrollment.id.clone().as_str(),

crates/defguard_core/src/headers.rs

@@ -24,7 +24,8 @@ pub(crate) static USER_AGENT_PARSER: LazyLock<UserAgentParser> = LazyLock::new(|
 
 #[must_use]
 pub(crate) fn get_device_info(user_agent: &str) -> String {
-    let client = USER_AGENT_PARSER.parse(user_agent);
+    let escaped = tera::escape_html(user_agent);
+    let client = USER_AGENT_PARSER.parse(&escaped);
     get_user_agent_device(&client)
 }
 

crates/defguard_core/templates/base.tera

@@ -261,7 +261,7 @@
                                     {% endif %}
                                     {% if device_type %}
                                       <p style="margin: auto;">
-                                        <span>Device type:</span> {{ device_type | safe }}
+                                        <span>Device type:</span> {{ device_type }}
                                       </p>
                                     {% endif %}
                                   </div>