

mgr/dashboard: fix cookie injection issue
Fixes: CVE-2021-3509
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
(cherry picked from commit b39922818bc57cde1b016e9ad41908b18063b93b)
epuertat authored and liewegas committed May 13, 2021
1 parent 775a15b commit af3fffa
Showing 1 changed file with 3 additions and 28 deletions.
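--- a/src/pybind/mgr/dashboard/controllers/docs.py
+++ b/src/pybind/mgr/dashboard/controllers/docs.py
@@ -8,7 +8,7 @@
 
 from .. import DEFAULT_VERSION, mgr
 from ..api.doc import Schema, SchemaInput, SchemaType
-from . import ENDPOINT_MAP, BaseController, Controller, Endpoint, allow_empty_body
+from . import ENDPOINT_MAP, BaseController, Controller, Endpoint
 
 NO_DESCRIPTION_AVAILABLE = "*No description available*"
 
@@ -383,31 +383,13 @@ def api_json(self):
 def api_all_json(self):
 return self._gen_spec(True, "/")
 
-def _swagger_ui_page(self, all_endpoints=False, token=None):
+def _swagger_ui_page(self, all_endpoints=False):
 base = cherrypy.request.base
 if all_endpoints:
 spec_url = "{}/docs/api-all.json".format(base)
 else:
 spec_url = "{}/docs/api.json".format(base)
 
-auth_header = cherrypy.request.headers.get('authorization')
-auth_cookie = cherrypy.request.cookie['token']
-jwt_token = ""
-if auth_cookie is not None:
-jwt_token = auth_cookie.value
-elif auth_header is not None:
-scheme, params = auth_header.split(' ', 1)
-if scheme.lower() == 'bearer':
-jwt_token = params
-else:
-if token is not None:
-jwt_token = token
-
-api_key_callback = """, onComplete: () => {{
-ui.preauthorizeApiKey('jwt', '{}');
-}}
-""".format(jwt_token)
-
 page = """
 <!DOCTYPE html>
 <html>
@@ -448,27 +430,20 @@ def _swagger_ui_page(self, all_endpoints=False, token=None):
 SwaggerUIBundle.presets.apis
 ],
 layout: "BaseLayout"
-{}
 }})
 window.ui = ui
 }}
 </script>
 </body>
 </html>
-""".format(spec_url, api_key_callback)
+""".format(spec_url)
 
 return page
 
 @Endpoint(json_response=False, version=None)
 def __call__(self, all_endpoints=False):
 return self._swagger_ui_page(all_endpoints)
 
-@Endpoint('POST', path="/", json_response=False,
-query_params="{all_endpoints}", version=None)
-@allow_empty_body
-def _with_token(self, token, all_endpoints=False):
-return self._swagger_ui_page(all_endpoints, token)
-
 
 if __name__ == "__main__":
 import sys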
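Review bot: The one interpolation left in `_swagger_ui_page` still splices a request-derived value into the script block unescaped: `spec_url` is built from `cherrypy.request.base` (which, as far as I recall, CherryPy derives from the incoming Host header) and dropped into the template by the plain `""".format(spec_url)` at the end of the page, the same unescaped-format pattern the commit removes for the token. Encoding it as a JS literal, `""".format(json.dumps(spec_url))` with the template's `url: "{}"` placeholder changed to `url: {}`, would close that off (needs `import json` at the top of the file); the placeholder line sits between the second and third hunks, so I cannot confirm its exact form here. `_swagger_ui_page` also has no docstring; a one-liner such as `"""Render the Swagger UI page pointing at the API spec for this request's base URL."""` would help. The function body spans the second and third hunks and continues outside both.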

