KNOX-1817 - Fix XSS issues with Alias API #70
Conversation
There was a problem hiding this comment.
One change required for sure - new version property not in the right place and doesn't follow same naming convention.
Also I don't know if we need to url decode the parameters. jax-rs should decode them automatically?
- https://docs.jboss.org/resteasy/docs/1.0.2.GA/userguide/html/_Encoded_and_encoding.html
- https://www.concretepage.com/webservices/resteasy-3/rest-web-service-jax-rs-encoded-annotation-example-with-resteasy-3
If the path params are decoded automatically, not sure we need to add the url decoding and the added catch exceptions.
| return status(INTERNAL_SERVER_ERROR). | ||
| entity("Error adding alias " + alias + " for cluster " + topology | ||
| entity("Error adding alias " + Encode.forHtml(alias) + " for cluster " + Encode.forHtml(topology) | ||
| + ", reason: " + e.toString()). |
There was a problem hiding this comment.
Will the e.toString() potentially print the value of the alias from line 111 on a decoding error?
There was a problem hiding this comment.
Interesting, there is a chance it could, I will remove it.
There was a problem hiding this comment.
I think if the URLDecoder stuff is removed then there shouldn't be a reason for the alias to be printed. Not sure though.
| /* check if the string is properly encoded and expect encoded values */ | ||
| topology = URLDecoder.decode(topology, StandardCharsets.UTF_8.name()); | ||
| alias = URLDecoder.decode(alias, StandardCharsets.UTF_8.name()); | ||
| value = URLDecoder.decode(value, StandardCharsets.UTF_8.name()); |
There was a problem hiding this comment.
Does this limit the values that can be used for an alias?
There was a problem hiding this comment.
values ? I did not follow the comment. I will be taking out this piece of code because of your earlier comment.
There was a problem hiding this comment.
Yea sorry wasn't clear. I meant does the url decoding mess up what alias values can be stored. ie: kevin%20password but guess it doesn't matter since this gets removed anyway :)
There was a problem hiding this comment.
Ahh, I see, righto, I thought I was doing it wrong by not decoding it and including the 'application/x-www-form-urlencoded' but I was wrong.
| @@ -360,7 +361,8 @@ public Response uploadProviderConfiguration(@PathParam("name") String name, @Con | |||
| } | |||
| } catch (URISyntaxException e) { | |||
| log.invalidResourceURI(e.getInput(), e.getReason(), e); | |||
| response = status(Response.Status.BAD_REQUEST).entity("{ \"error\" : \"Failed to deploy provider configuration " + name + "\" }").build(); | |||
| response = status(Response.Status.BAD_REQUEST).entity("{ \"error\" : \"Failed to deploy provider configuration " + Encode | |||
| .forHtml(name) + "\" }").build(); | |||
There was a problem hiding this comment.
Seems like a weird break? Put Encode.forHtml(... on the same line?
There was a problem hiding this comment.
yeah, I fixed one weird break and introduced another :(
| @@ -230,6 +230,7 @@ | |||
| <xml-matchers.version>0.10</xml-matchers.version> | |||
| <zip4j.version>1.3.2</zip4j.version> | |||
| <zookeeper.version>3.4.13</zookeeper.version> | |||
| <owasp-java-encoder>1.2.2</owasp-java-encoder> | |||
There was a problem hiding this comment.
Should be in alphabetical order, this is out of place
There was a problem hiding this comment.
Property should also end in .version so something like owasp-java-encoder.version
There was a problem hiding this comment.
I did not realize we were doing props in alphabetical order, previously we used to add new properties at the bottom, I'll change it to make it in order.
Missed the .version, forgot to clean up, I'll fix this.
There was a problem hiding this comment.
Yea alphabetical after I cleaned up all the poms. Makes it easier to find later :)
|
Since the content type is JSON, I think it would be an issue if the returned JSON document contained characters encoded for HTML. This may be confusing to a client using the JSON document since HTML-encoded characters may be re-encoded if being displayed in an HTML document.
|
Oh right, this needs to be fixed.
You are right, jax-rs does automatically decode params so we don't this. |
Thanks @rlevas for using the <script> example. I was in two minds about using the HTML encoder, the argument I had in my mind was, something like Angular can pull out the value from JSON and use it. I get your point that HTML encoding is the responsibility of the app that does the conversion and <script> have no meaning as far as JSON is concerned. I am inclined towards taking the HTML encoding out for the JSON responses now. |
What changes were proposed in this pull request?
The Alias API was passing user input back in some cases as response without encoding, this was when an error was thrown or when a response message saying 'alias' for a 'topology' was created. This opens up the API for XSS attacks. The PR:
How was this patch tested?
The patch was tested manually e.g.
`curl -iku admin:admin-password -H "Content-Type: application/json" -d "value=mysecret" -X PUT 'https://localhost:8443/gateway/admin/api/v1/aliases/sandbox/somelongreallylongalias<>'
HTTP/1.1 201 Created
Date: Tue, 12 Mar 2019 19:54:00 GMT
Set-Cookie: KNOXSESSIONID=node0tb9bz05vhh6k1xpp0ti2p0vqh2.node0;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Mon, 11-Mar-2019 19:54:00 GMT
Content-Type: application/json
Content-Length: 85
Server: Jetty(9.4.15.v20190215)
{ "created" : { "topology": "sandbox", "alias": "somelongreallylongalias<>" } }`