Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations #953

Closed
WarFox opened this Issue Mar 25, 2015 · 4 comments

@WarFox

WarFox commented Mar 25, 2015

We have come across a problem when doing JSR-303 validation, due to dropwizard ConstraintViolations adding the InvalidValue back in the message.

The following request payload,

{
   "url": "/address/<script>alert(2)</script>"
}

will result in the following error

{
"errors": [
"url must be a valid URL (was /address/<script>alert(2)</script>)"
]
}

We don't want the "was" part.

Based on the investigation we found that it is being appended in the ConstraintViolations.format() method.

import javax.validation.ConstraintViolation;
import javax.validation.Path;
import com.google.common.base.Joiner;
import com.google.common.collect.ImmutableList;
import io.dropwizard.validation.ValidationMethod;

// io.dropwizard.validation.ConstraintViolations (excerpt): turns one violation into one error string
public static <T> String format(ConstraintViolation<T> v) {
    if (v.getConstraintDescriptor().getAnnotation() instanceof ValidationMethod) {
        // @ValidationMethod: the message is self-describing, so only the property path is prepended
        final ImmutableList<Path.Node> nodes = ImmutableList.copyOf(v.getPropertyPath());
        final ImmutableList<Path.Node> usefulNodes = nodes.subList(0, nodes.size() - 1);
        final String msg = v.getMessage().startsWith(".") ? "%s%s" : "%s %s";
        return String.format(msg,
                             Joiner.on('.').join(usefulNodes),
                             v.getMessage()).trim();
    } else {
        // every other constraint: path, message, and the raw request value echoed in "(was ...)"
        return String.format("%s %s (was %s)",
                             v.getPropertyPath(),
                             v.getMessage(),
                             v.getInvalidValue());
    }
}

Is there any way that we can prevent the invalidValue from being attached to the message?

If not, can we have a feature switch for that?

@carlo-rtr carlo-rtr added this to the 0.9.0 milestone Mar 27, 2015

@prb

prb commented Apr 1, 2015

See also #892.

@WarFox

WarFox commented Apr 3, 2015

The issue I reported could be rectified if the invalidValue is not printed.

Is it something that could be considered?

I don't see a point in printing out the value that was sent in the request payload.

@piefel

piefel commented Apr 14, 2015

Funny, I was just about to prepare a patch that used that very function to log invalid messages on the server side. On the client, it probably is not as necessary, since the client might know what it just sent.
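The original report wants the echoed request value out of the client-facing error, while the comment above wants the same formatter usable for server-side logging. The following is an added example of a formatter that serves both audiences; it is not Dropwizard's code and not the contents of the pull request. The `Violation` stand-in, the `Audience` enum, the `forLog` helper and its 200-character cap are all assumptions made here so the example compiles without the JSR-303 or Guava dependencies. One caveat worth stating: a JSON body served as `application/json` is not itself executable, so the reflected script only fires when some consumer renders the error string into HTML without escaping; dropping the value from the client message removes the sink regardless of what consumers do.

```java
import java.util.List;

// Added example: client messages omit the untrusted value, server logs keep a bounded copy of it.
public final class ViolationFormatting {

    /** Who will read the formatted string. (Assumption: not part of Dropwizard.) */
    public enum Audience { CLIENT, SERVER_LOG }

    /** Minimal stand-in for javax.validation.ConstraintViolation (assumption, to avoid the dependency). */
    public static final class Violation {
        final String propertyPath;
        final String message;
        final Object invalidValue;

        Violation(String propertyPath, String message, Object invalidValue) {
            this.propertyPath = propertyPath;
            this.message = message;
            this.invalidValue = invalidValue;
        }
    }

    /** Same shape as the issue's "(was %s)" branch: the raw request value is reflected into the response. */
    public static String formatEchoing(Violation v) {
        return String.format("%s %s (was %s)", v.propertyPath, v.message, v.invalidValue);
    }

    /** Audience-aware variant: the client never gets the value back; the log keeps it for diagnosis. */
    public static String format(Violation v, Audience audience) {
        if (audience == Audience.CLIENT) {
            return String.format("%s %s", v.propertyPath, v.message);
        }
        return String.format("%s %s (was %s)", v.propertyPath, v.message, forLog(v.invalidValue));
    }

    /** For logs only: bound the length and fold line breaks so one violation stays one log line. */
    static String forLog(Object value) {
        if (value == null) {
            return "null";
        }
        String s = String.valueOf(value).replaceAll("[\\r\\n]", " ");
        return s.length() > 200 ? s.substring(0, 200) + "..." : s;
    }

    /** Formats a whole list the way the "errors" array in the issue is built, for one audience. */
    public static List<String> formatAll(List<Violation> violations, Audience audience) {
        return violations.stream().map(v -> format(v, audience)).toList();
    }

    public static void main(String[] args) {
        // Constructed input, mirroring the payload in the issue.
        Violation v = new Violation("url", "must be a valid URL", "/address/<script>alert(2)</script>");
        System.out.println("echoing  : " + formatEchoing(v));
        System.out.println("client   : " + format(v, Audience.CLIENT));
        System.out.println("server   : " + format(v, Audience.SERVER_LOG));
        System.out.println("errors   : " + formatAll(List.of(v), Audience.CLIENT));
    }
}
```

Run with `java ViolationFormatting.java` (JDK 16 or later, for `Stream.toList()`). The point of the split is that the request value stays useful where the operator reads it and never travels back to a party that might paste it into a page; if a client does render error strings into HTML for any reason, it must still escape at that layer, since the server cannot know how its JSON will be displayed.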

@WarFox

WarFox commented Apr 21, 2015

Please have a look at the pull request #1001
and advise if it is okay.

@joschi joschi closed this in 9dabfaa Apr 25, 2015

joschi added a commit that referenced this issue Apr 25, 2015

Merge pull request #1001 from WarFox/fix/dropwizard-953
Possible reflective cross site scripting in ConstraintViolation

Fixes #953