[TAXII ingester] Problem with passwords containing ":" #6403

Closed
Lhorus6 opened this issue Mar 21, 2024 · 3 comments · Fixed by #6529
Labels
bug use for describing something not working as expected solved use to identify issue that has been solved (must be linked to the solving PR)

Lhorus6 commented Mar 21, 2024

Description

If the credentials password used for a TAXII ingester contains ":", the platform deletes the end of the password (i.e. the ":" and all that follows).

Environment

OCTI 6.0.7

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Go to "Data > ingestion > TAXII feed" and create a TAXII ingester
  2. Select "Basic user / password" as Authentication type
  3. Put a password with ":" inside
  4. Close and reopen the configuration panel
  5. Check the password used -> it's been cut
@Lhorus6 Lhorus6 added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Mar 21, 2024
@SamuelHassine SamuelHassine added this to the Release 6.0.9 milestone Mar 22, 2024
@nino-filigran nino-filigran removed the needs triage use to identify issue needing triage from Filigran Product team label Mar 22, 2024
@aHenryJard aHenryJard self-assigned this Mar 26, 2024
@aHenryJard (Member)

The user and password in Taxii feeds are concatenated together and converted to base64 to create a Bearer on the backend side.
Here =>

const auth = Buffer.from(ingestion.authentication_value, 'utf-8').toString('base64');
headers.Authorization = `Basic ${auth}`;

And the authentication is stored as one string field, authentication_value, in the database, which can be, depending on authentication_type:

  • "username:password" for basic
  • "base64certificate:base64key:base64CA" for certificate
  • "theToken" for bearer

So basically the authentication header that is sent in the request for username/password is "Bearer base64(username:password)"

First, I don't think it's possible to have ':' in the username because I don't know how the "Bearer usern:ame:password" will be read on the Taxii API side, but I think that ':' in the password side will work (since it's not the first ':' found in the string), I mean "username:pass:word" should work fine on the Taxii API side.

  1. Proposal 1 - easier to implement but less user friendly:
  • in the frontend, we prevent users from having a ':' in both password and username, saying it's not allowed to have this character

Or

  2. Proposal 2 - a bit more complex to implement but more user friendly:
  • in the frontend, we prevent users from putting a ":" in the username
  • instead of sending a string "username:password" to the backend, we send it base64 encoded like "base64(username:password)" => so no ":" anymore in this string
  • to be backward compatible, it's possible to check if ':' is present to know if it's base64 encoded or not (because existing username:password values are not base64 in the database)

I checked the other authentication ways; there is no ":" issue because it's base64 encoded already (we could check that on the frontend, by the way), or the whole string is used as it is without splitting on ':'.

@nino-filigran could you give me your opinion between proposal 1 and 2 please?
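
The following is an added example, not code from this thread or from OpenCTI: it shows a naive split on ":" truncating the password (an assumed cause of the reported symptom), the first-colon split that RFC 7617 Basic authentication uses, and Proposal 2's base64 storage with its backward-compatible read. All function names and the sample credentials are hypothetical.

```javascript
// Added example: hypothetical helper names, not OpenCTI's code.

// Naive split: keeps only the second field, so "pa:ss:word" becomes "pa".
// Assumed cause of the truncation reported in this issue.
function splitNaive(value) {
  const [username, password] = value.split(':');
  return { username, password };
}

// RFC 7617 split: only the first ':' separates user-id from password.
function splitBasic(value) {
  const idx = value.indexOf(':');
  if (idx === -1) throw new Error('missing ":" separator');
  return { username: value.slice(0, idx), password: value.slice(idx + 1) };
}

// Proposal 2 storage: base64("username:password"); ':' is refused in the username.
function encodeStored(username, password) {
  if (username.includes(':')) throw new Error('":" is not allowed in username');
  return Buffer.from(`${username}:${password}`, 'utf-8').toString('base64');
}

// Backward-compatible read: the base64 alphabet has no ':',
// so a ':' in the stored value marks a legacy plain "username:password".
function decodeStored(value) {
  const plain = value.includes(':')
    ? value
    : Buffer.from(value, 'base64').toString('utf-8');
  return splitBasic(plain);
}

// Authorization header built from either storage form.
function basicHeader(storedValue) {
  const { username, password } = decodeStored(storedValue);
  const auth = Buffer.from(`${username}:${password}`, 'utf-8').toString('base64');
  return `Basic ${auth}`;
}

// Constructed sample credentials.
const legacy = 'feeduser:pa:ss:word';
const encoded = encodeStored('feeduser', 'pa:ss:word');
console.log(splitNaive(legacy).password);    // truncated password
console.log(decodeStored(legacy).password);  // full password, legacy form
console.log(decodeStored(encoded).password); // full password, base64 form
console.log(basicHeader(legacy) === basicHeader(encoded));
```
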

@nino-filigran

In both solutions, I see that we would prevent users from inputting a ":" in their usernames. Given that we do not allow it in username, I would be keen to prevent it in the pwd field then. It's often something that exists in pwd forms.

This makes me wonder though: what if some users already have a ":" in their usernames or pwd, would they be affected?

cc @Jipegien in case you do not agree.

Lhorus6 commented Mar 28, 2024

If users currently have ":" in the password, their TAXII doesn't work (this is the subject of this issue). As for the username, I'd be surprised if any users have ":" in it. If that's the case, I don't think it works either.
