New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KNOX-1817 - Fix XSS issues with Alias API #70
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One change required for sure - new version property not in the right place and doesn't follow same naming convention.
Also I don't know if we need to url decode the parameters. jax-rs should decode them automatically?
- https://docs.jboss.org/resteasy/docs/1.0.2.GA/userguide/html/_Encoded_and_encoding.html
- https://www.concretepage.com/webservices/resteasy-3/rest-web-service-jax-rs-encoded-annotation-example-with-resteasy-3
If the path params are decoded automatically, not sure we need to add the url decoding and the added catch exceptions.
return status(INTERNAL_SERVER_ERROR). | ||
entity("Error adding alias " + alias + " for cluster " + topology | ||
entity("Error adding alias " + Encode.forHtml(alias) + " for cluster " + Encode.forHtml(topology) | ||
+ ", reason: " + e.toString()). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will the e.toString() potentially print the value of the alias from line 111 on a decoding error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting, there is a chance it could, I will remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if the URLDecoder stuff is removed then there shouldn't be a reason for the alias to be printed. Not sure though.
/* check if the string is properly encoded and expect encoded values */ | ||
topology = URLDecoder.decode(topology, StandardCharsets.UTF_8.name()); | ||
alias = URLDecoder.decode(alias, StandardCharsets.UTF_8.name()); | ||
value = URLDecoder.decode(value, StandardCharsets.UTF_8.name()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this limit the values that can be used for an alias?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
values ? I did not follow the comment. I will be taking out this piece of code because of your earlier comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea sorry wasn't clear. I meant does the url decoding mess up what alias values can be stored. ie: kevin%20password
but guess it doesn't matter since this gets removed anyway :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ahh, I see, righto, I thought I was doing it wrong by not decoding it and including the 'application/x-www-form-urlencoded' but I was wrong.
@@ -360,7 +361,8 @@ public Response uploadProviderConfiguration(@PathParam("name") String name, @Con | |||
} | |||
} catch (URISyntaxException e) { | |||
log.invalidResourceURI(e.getInput(), e.getReason(), e); | |||
response = status(Response.Status.BAD_REQUEST).entity("{ \"error\" : \"Failed to deploy provider configuration " + name + "\" }").build(); | |||
response = status(Response.Status.BAD_REQUEST).entity("{ \"error\" : \"Failed to deploy provider configuration " + Encode | |||
.forHtml(name) + "\" }").build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like a weird break? Put Encode.forHtml(...
on the same line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I fixed one weird break and introduced another :(
@@ -230,6 +230,7 @@ | |||
<xml-matchers.version>0.10</xml-matchers.version> | |||
<zip4j.version>1.3.2</zip4j.version> | |||
<zookeeper.version>3.4.13</zookeeper.version> | |||
<owasp-java-encoder>1.2.2</owasp-java-encoder> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be in alphabetical order, this is out of place
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Property should also end in .version
so something like owasp-java-encoder.version
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not realize we were doing props in alphabetical order, previously we used to add new properties at the bottom, I'll change it to make it in order.
Missed the .version, forgot to clean up, I'll fix this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea alphabetical after I cleaned up all the poms. Makes it easier to find later :)
Since the content type is JSON, I think it would be an issue if the returned JSON document contained characters encoded for HTML. This may be confusing to a client using the JSON document since HTML-encoded characters may be re-encoded if being displayed in an HTML document.
|
Oh right, this needs to be fixed.
You are right, jax-rs does automatically decode params so we don't this. |
Thanks @rlevas for using the <script> example. I was in two minds about using the HTML encoder, the argument I had in my mind was, something like Angular can pull out the value from JSON and use it. I get your point that HTML encoding is the responsibility of the app that does the conversion and <script> have no meaning as far as JSON is concerned. I am inclined towards taking the HTML encoding out for the JSON responses now. |
What changes were proposed in this pull request?
The Alias API was passing user input back in some cases as response without encoding, this was when an error was thrown or when a response message saying 'alias' for a 'topology' was created. This opens up the API for XSS attacks. The PR:
How was this patch tested?
The patch was tested manually e.g.
`curl -iku admin:admin-password -H "Content-Type: application/json" -d "value=mysecret" -X PUT 'https://localhost:8443/gateway/admin/api/v1/aliases/sandbox/somelongreallylongalias<>'
HTTP/1.1 201 Created
Date: Tue, 12 Mar 2019 19:54:00 GMT
Set-Cookie: KNOXSESSIONID=node0tb9bz05vhh6k1xpp0ti2p0vqh2.node0;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Mon, 11-Mar-2019 19:54:00 GMT
Content-Type: application/json
Content-Length: 85
Server: Jetty(9.4.15.v20190215)
{ "created" : { "topology": "sandbox", "alias": "somelongreallylongalias<>" } }`