HDDS-2111. XSS fragments can be injected to the S3g landing page #1447

Closed

@elek elek commented Sep 14, 2019

VULNERABILITY DETAILS
There is a way to bypass the anti-XSS filter for DOM XSS by exploiting "window.location.href".

Considering a typical URL:

scheme://domain:port/path?query_string#fragment_id

Browsers encode correctly both "path" and "query_string", but not the "fragment_id". 

So if "fragment_id" is used, the vector is also not logged on the web server.

VERSION
Chrome Version: 10.0.648.134 (Official Build 77917) beta

REPRODUCTION CASE
This is an index.html page:

{code:java}
aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount
{code}

The attack vector is:
index.html?#<script>alert('XSS');</script>

Reference:

https://bugs.chromium.org/p/chromium/issues/detail?id=76796

See: https://issues.apache.org/jira/browse/HDDS-2111
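
The sink from the reproduction case next to a hardened variant, as an added example that is not part of the original PR or the Ozone code base. The host name and function names are assumptions, and the href is a constructed sample of what `location.href` returns when the fragment is left unencoded.

```javascript
// Constructed sample: location.href as seen by the page when the browser
// does not percent-encode the fragment (the behaviour the report describes).
const SAMPLE_HREF =
  "http://s3g.example:9878/static/index.html?#<script>alert('XSS');</script>";

// Vulnerable: this is the string the reported page hands to document.write().
// Everything after '#' is attacker-controlled and never reaches server logs.
function vulnerableMarkup(href) {
  return href.replace("static/", "");
}

// Escape the five HTML-significant characters (text and attribute context).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: build the endpoint from origin + pathname only, so query and
// fragment never reach the page, then escape what is left. In the browser
// the equivalent is location.origin + location.pathname assigned through
// element.textContent instead of document.write().
function safeEndpoint(href) {
  const u = new URL(href);
  const endpoint = (u.origin + u.pathname).replace("static/", "");
  return escapeHtml(endpoint);
}

console.log("document.write receives:", vulnerableMarkup(SAMPLE_HREF));
console.log("hardened endpoint text: ", safeEndpoint(SAMPLE_HREF));
```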

@elek elek added the ozone label Sep 14, 2019
@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Comment
0 reexec 42 Docker mode activated.
_ Prechecks _
+1 dupname 0 No case conflicting files found.
+1 @author 0 The patch does not contain any @author tags.
-1 test4tests 0 The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
-1 mvninstall 32 hadoop-ozone in trunk failed.
-1 compile 21 hadoop-ozone in trunk failed.
+1 mvnsite 0 trunk passed
+1 shadedclient 880 branch has no errors when building and testing our client artifacts.
-1 javadoc 21 hadoop-hdds in trunk failed.
-1 javadoc 19 hadoop-ozone in trunk failed.
_ Patch Compile Tests _
-1 mvninstall 34 hadoop-ozone in the patch failed.
-1 jshint 77 The patch generated 1392 new + 2737 unchanged - 0 fixed = 4129 total (was 2737)
-1 compile 25 hadoop-ozone in the patch failed.
-1 javac 25 hadoop-ozone in the patch failed.
+1 mvnsite 0 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 654 patch has no errors when building and testing our client artifacts.
-1 javadoc 18 hadoop-hdds in the patch failed.
-1 javadoc 18 hadoop-ozone in the patch failed.
_ Other Tests _
-1 unit 134 hadoop-hdds in the patch failed.
-1 unit 28 hadoop-ozone in the patch failed.
+1 asflicense 32 The patch does not generate ASF License warnings.
2408
Reason Tests
Failed junit tests hadoop.ozone.container.ozoneimpl.TestOzoneContainer
hadoop.ozone.container.keyvalue.TestKeyValueContainer
Subsystem Report/Notes
Docker Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/Dockerfile
GITHUB PR #1447
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient jshint
uname Linux f1154b87d514 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 6a9f7ca
Default Java 1.8.0_222
mvninstall https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/branch-mvninstall-hadoop-ozone.txt
compile https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/branch-compile-hadoop-ozone.txt
javadoc https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/branch-javadoc-hadoop-hdds.txt
javadoc https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/branch-javadoc-hadoop-ozone.txt
mvninstall https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-mvninstall-hadoop-ozone.txt
jshint https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/diff-patch-jshint.txt
compile https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-compile-hadoop-ozone.txt
javac https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-compile-hadoop-ozone.txt
javadoc https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-javadoc-hadoop-hdds.txt
javadoc https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-javadoc-hadoop-ozone.txt
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-unit-hadoop-hdds.txt
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/artifact/out/patch-unit-hadoop-ozone.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/testReport/
Max. process+thread count 399 (vs. ulimit of 5500)
modules C: hadoop-ozone/s3gateway U: hadoop-ozone/s3gateway
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/1/console
versions git=2.7.4 maven=3.3.9 jshint=2.10.2
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

@elek

elek commented Sep 16, 2019

/retest

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Comment
0 reexec 43 Docker mode activated.
_ Prechecks _
+1 dupname 0 No case conflicting files found.
+1 @author 0 The patch does not contain any @author tags.
-1 test4tests 0 The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
-1 mvninstall 33 hadoop-ozone in trunk failed.
-1 compile 22 hadoop-ozone in trunk failed.
+1 mvnsite 0 trunk passed
+1 shadedclient 879 branch has no errors when building and testing our client artifacts.
+1 javadoc 169 trunk passed
_ Patch Compile Tests _
-1 mvninstall 33 hadoop-ozone in the patch failed.
-1 jshint 83 The patch generated 1392 new + 2737 unchanged - 0 fixed = 4129 total (was 2737)
-1 compile 24 hadoop-ozone in the patch failed.
-1 javac 24 hadoop-ozone in the patch failed.
+1 mvnsite 0 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 677 patch has no errors when building and testing our client artifacts.
+1 javadoc 156 the patch passed
_ Other Tests _
-1 unit 189 hadoop-hdds in the patch failed.
-1 unit 25 hadoop-ozone in the patch failed.
+1 asflicense 31 The patch does not generate ASF License warnings.
2723
Reason Tests
Failed junit tests hadoop.ozone.container.keyvalue.TestKeyValueContainer
hadoop.ozone.container.common.TestDatanodeStateMachine
hadoop.ozone.container.ozoneimpl.TestOzoneContainer
Subsystem Report/Notes
Docker Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/Dockerfile
GITHUB PR #1447
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient jshint
uname Linux e3e3320f7474 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 56f042c
Default Java 1.8.0_222
mvninstall https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/branch-mvninstall-hadoop-ozone.txt
compile https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/branch-compile-hadoop-ozone.txt
mvninstall https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/patch-mvninstall-hadoop-ozone.txt
jshint https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/diff-patch-jshint.txt
compile https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/patch-compile-hadoop-ozone.txt
javac https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/patch-compile-hadoop-ozone.txt
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/patch-unit-hadoop-hdds.txt
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/artifact/out/patch-unit-hadoop-ozone.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/testReport/
Max. process+thread count 413 (vs. ulimit of 5500)
modules C: hadoop-ozone/s3gateway U: hadoop-ozone/s3gateway
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1447/2/console
versions git=2.7.4 maven=3.3.9 jshint=2.10.2
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.
