Fix reflected XSS attack when hitting getCookie endpoint #452
This patch sanitizes the Server generated error message, to escape the HTML tags if any present.

Resolves: BZ#1789907
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
IIUC
In renderValue() the values are escaped for JavaScript using:

The servlet will then insert the code into one of the templates below and send the page to the client (see web.xml):

When the client renders the page it will use the JavaScript:
I think ideally the escaping for HTML should happen just before it's used. It can be done using escapeHtml():
or using jQuery which should escape the value automatically:
If the value is escaped too early on the server side there's a risk that the value might not be rendered correctly since the client might use the value in different ways. However, since this is a legacy servlet which will be replaced pretty soon, feel free to merge but just be aware of the potential issue.
Wouldn't it be safer to transfer it as e.g., a JSON object, and then do:

```javascript
document.write('<form name="cookieForm" method="post">');
// parse the server response as JSON and set the action as a DOM property
data = JSON.parse(ret);
document.getElementsByName("cookieForm")[0].action = data["url"];
```

(Or, replace data with how it is done currently? Then the browser can set the value directly as the action instead of having to escape it (and perhaps, we just need to deny the
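An added illustration of the two points made in the review above (escape the value where it is actually used, or hand the URL over as JSON and assign it as a property), written for this page rather than taken from the pki project. The escapeHtml stand-in, the two sink functions, the http(s) scheme allow-list and the sample echoed value are all constructed here; the servlet's JavaScript-string escaping step is not reproduced.

```javascript
// Added example, not code from the pki project: where HTML escaping belongs
// when a server-supplied value reaches the browser through different sinks.
// escapeHtml, htmlSink, domPropertySink, isAllowedAction and the sample value
// are constructed for this illustration; the project's helpers are not used.

// Entity-escape a value for insertion into HTML markup (a stand-in for an
// escapeHtml() helper; the project's real helper is assumed to behave alike).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample: a request parameter the servlet echoes back inside its
// error message. It carries markup, which is what turns the echo into a
// reflected XSS when the page writes it out unescaped.
const ECHOED = '"><script>alert(1)</script>';

// Sink 1: the value is concatenated into markup that document.write() will
// parse as HTML. Modelled as string concatenation, which is exactly the text
// the browser's HTML parser would receive.
function htmlSink(value) {
  return '<form name="cookieForm" method="post" action="' + value + '">';
}

// Sink 2: the value is assigned to a DOM property (element.action = value, or
// jQuery .text()). The browser stores it as literal data and parses nothing,
// so entity-escaping here only corrupts the value.
function domPropertySink(value) {
  return value;
}

// Escaping at the point of use: each sink receives the form it needs.
function renderAtPointOfUse(value) {
  return { html: htmlSink(escapeHtml(value)), action: domPropertySink(value) };
}

// Escaping early on the server: the value arrives already entity-escaped and
// every client sink gets that same string, whether or not it parses HTML.
function renderEscapedEarly(value) {
  const early = escapeHtml(value);
  return { html: htmlSink(early), action: domPropertySink(early) };
}

// True when rendered markup contains an injected <script> start tag.
function injectsScript(html) {
  return /<script/i.test(html);
}

// The JSON variant: the server returns the value as a JSON field and the
// client assigns it as a property. JSON.parse() gives back the original
// string, so no escaping is needed; what the value needs instead is a check
// that it is a usable http(s) URL before it becomes a form action. The scheme
// allow-list is an assumed safeguard, not something the discussion spells out.
function jsonTransfer(url) {
  const ret = JSON.stringify({ url: url }); // server side
  const data = JSON.parse(ret);             // client side
  return data.url;
}

function isAllowedAction(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch (e) {
    return false; // not an absolute URL at all (the echoed markup fails here)
  }
}

// Side-by-side summary of the three approaches for the constructed value.
function demo() {
  return {
    rawIsInjected: injectsScript(htmlSink(ECHOED)),
    atUse: renderAtPointOfUse(ECHOED),
    tooEarly: renderEscapedEarly(ECHOED),
    jsonUrl: jsonTransfer(ECHOED),
    jsonUrlAllowed: isAllowedAction(jsonTransfer(ECHOED)),
  };
}
```

Running demo() shows the asymmetry the review describes: both escaping strategies keep the injected tag out of the HTML sink, but only escaping at the point of use leaves the property sink with the original value; escaping early hands the browser a string full of `&quot;` and `&lt;` literals. The JSON path avoids the question entirely, and the remaining risk is the URL's scheme rather than its characters.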
thanks for the review Endi and Alex. Endi, I did verify the param values using a dummy url:
I'll merge this PR now based on the ACKs and green light from CI
When we convert this servlet into REST API later we'll definitely be using JSON, but I don't know if we want to make major changes in the old servlets right now. If you think the JSON code can be reused in the REST API later feel free to do so.
@SilleBille Did you test this with a URL like:
and did it behave correctly?
hmmm. I received the following:
See that the

Hmmm ok, weird.
This patch sanitizes the Server generated error message in getCookie, to escape HTML tags, if present.

Resolves: BZ#1789907 CVE-2019-10221
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>