-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE Fix - XSS in PathLength attribute in CA agent web page #446
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like it gets the job done. I would ask that maybe we could check if those math functions being used are supported fully in any of our supported browsers..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This validation should occur on the server side. Validation on the client side is fine for a message to the user, but ultimately it should be occurring on the server side.
Edit: Additionally, you can use the number typed input element instead of this client-side validation. However, you still need server-side validation.
function validateForm(form) { | ||
pathLength = form.basicConstraintsPathLen; | ||
|
||
if(pathLength != null && !Number.isInteger(parseInt(pathLength.value))) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Number.isInteger
wrapping parseInt
is excessive and redundant. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This validation should occur on the server side. Validation on the client side is fine for a message to the user, but ultimately it should be occurring on the server side.
There is server side validation already included. The web UI throws this message when you try to enter anything funky
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.NumberFormatException: For input string: ""
Please contact your local administrator for assistance
The CVE is to prevent execution of malicious JS on the client browser. So, my patch is trying to clean out before sending the values to the server.
Also, note that I couldn't test this with anyother value other than -1
. I filed a bug: https://pagure.io/dogtagpki/issue/3179
Edit: Additionally, you can use the number typed input element instead of this client-side validation. However, you still need server-side validation.
I can try that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then it isn't clear to me where exactly the vulnerability occurs? Is it because the error message is displayed incorrectly (getting interpreted as HTML)? If so, was it fixed by #434? If not, we should fix the site that displays the error message.
Otherwise, I really don't see how this is worthy of a CVE: user types at computer and attacks themselves. Closed->NOTABUG. You don't need RHCS for that. You can do that with bash or literally anything else. Or directly on the web console.
Is this XSS stored? Does it get saved for an agent to stumble upon later? (i.e., if you make this page, and then access it as another user / with another browser and same user -- do you hit the same XSS again?) -- Then you need to sanitize the incorrect value before saving it in the database and also sanitize where it gets displayed to the agent. But this isn't the proper fix for it if so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, good point. Someone could be using the pki cli command for some of this stuff.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was referring to the comment above about server side checking.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also perhaps he is using the isInteger to handle the case if parseInt returns the Nan value, which I guess is not a number.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I figured this out. The server endpoint doesn't do any CSRF protection and also responds to GET requests. This truly makes it a reflected XSS, which is bad. The fix is three part:
- Sanitize the output error message,
- Enable CSRF protection,
- Optionally handle only POST requests.
19e1ec9
to
2faf105
Compare
- The input type is set to number when "integer" is encountered - The server error message is html escaped, before it gets displayed in client browser Resolves: BZ#1710171 Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
2faf105
to
6e5572f
Compare
@cipherboy Seems like IPA doesn't like my patch. They are submitting cert approval request via GET. update: After talking to Fraser, I have filed a IPA ticket: https://pagure.io/freeipa/issue/8373 I am not familiar with enabling CSRF protection. I tried to google and found only ways to enable it in a Spring framework. IIUC, we don't use spring. Do you have any docs which I can refer to? OTOH, |
The issue was in Certmonger. There is a pull request: https://pagure.io/certmonger/pull-request/157. We need to wait for it to be merged and for new release of certmonger. |
be18898
to
6e5572f
Compare
Thanks, Fraser! I have reverted the commit for now and will push it as part of separate PR. @cipherboy @jmagne as discussed on IRC, out of the 3 part fix that Alex mentioned, only the first is addressed in this PR. The second is already handled via the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Looks good to me, thanks Dinesh for updating!!
Merging based on the ACK and green light from CI! Thank you for the reviews and suggestions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Iknow you merged, but looks good..
Clean out
Path Length
field in CA's Agent Web pageBZ#1710171
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>