Skip to content

/ dropwizard

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations #953

Closed
WarFox opened this issue Mar 25, 2015 · 4 comments
Closed

Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations #953

WarFox opened this issue Mar 25, 2015 · 4 comments
Labels
security
Milestone
0.9.0

Comments

@WarFox
Copy link

@WarFox WarFox commented Mar 25, 2015

We have come across a problem in when doing JSR-303 validation, due to dropwizard ConstraintViolations adding the InvalidValue back in the message.

The following request payload,

{
   "url": "/address/<script>alert(2)</script>"
}

will result in the following error

{
"errors": [
"url must be a valid URL (was /address/<script>alert(2)</script>)"
]
}

We don't want the "was" part.

Based on the investigation we found that it is being appended in the ConstraintViolations.format() method.

public static <T> String format(ConstraintViolation<T> v) {
    if (v.getConstraintDescriptor().getAnnotation() instanceof ValidationMethod) {
        final ImmutableList<Path.Node> nodes = ImmutableList.copyOf(v.getPropertyPath());
        final ImmutableList<Path.Node> usefulNodes = nodes.subList(0, nodes.size() - 1);
        final String msg = v.getMessage().startsWith(".") ? "%s%s" : "%s %s";
        return String.format(msg,
                             Joiner.on('.').join(usefulNodes),
                             v.getMessage()).trim();
    } else {
        return String.format("%s %s (was %s)",
                             v.getPropertyPath(),
                             v.getMessage(),
                             v.getInvalidValue());
    }
}

Is there any way that we can avoid the invalidValue from being attached to the message?

If not can we have a feature switch for that?
@carlo-rtr carlo-rtr added this to the 0.9.0 milestone Mar 27, 2015
@prb
Copy link

@prb prb commented Apr 1, 2015

See also #892.
@WarFox
Copy link
Author

@WarFox WarFox commented Apr 3, 2015

The issue I reported could be rectified if the invalidValue is not printed.

Is it something that could be considered?

I don't see a point in printing out the value that was sent in the request payload.
@piefel
Copy link

@piefel piefel commented Apr 14, 2015

Funny, I was just about to prepare a patch that used that very function to log invalid messages on the server side. On the client, it probably is not as necessary, since the client might know what it just sent.
@WarFox
Copy link
Author

@WarFox WarFox commented Apr 21, 2015

Please have a look at the pull request #1001
and advice if it is okay.
@joschi joschi closed this in 9dabfaa Apr 25, 2015
joschi added a commit that referenced this issue Apr 25, 2015
@joschi
Merge pull request #1001 from WarFox/fix/dropwizard-953
fe53b65 
Possible reflective cross site scripting in ConstraintViolation

Fixes #953
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
0.9.0
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@prb @WarFox @piefel @glennmcallister @carlo-rtr