Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations #953

Closed
WarFox opened this issue Mar 25, 2015 · 4 comments
Labels
Milestone

Comments

@WarFox
Copy link

WarFox commented Mar 25, 2015

We have come across a problem in when doing JSR-303 validation, due to dropwizard ConstraintViolations adding the InvalidValue back in the message.

The following request payload,

{
   "url": "/address/<script>alert(2)</script>"
}

will result in the following error

{
"errors": [
"url must be a valid URL (was /address/<script>alert(2)</script>)"
]
}

We don't want the "was" part.

Based on the investigation we found that it is being appended in the ConstraintViolations.format() method.

public static <T> String format(ConstraintViolation<T> v) {
    if (v.getConstraintDescriptor().getAnnotation() instanceof ValidationMethod) {
        final ImmutableList<Path.Node> nodes = ImmutableList.copyOf(v.getPropertyPath());
        final ImmutableList<Path.Node> usefulNodes = nodes.subList(0, nodes.size() - 1);
        final String msg = v.getMessage().startsWith(".") ? "%s%s" : "%s %s";
        return String.format(msg,
                             Joiner.on('.').join(usefulNodes),
                             v.getMessage()).trim();
    } else {
        return String.format("%s %s (was %s)",
                             v.getPropertyPath(),
                             v.getMessage(),
                             v.getInvalidValue());
    }
}

Is there any way that we can avoid the invalidValue from being attached to the message?

If not can we have a feature switch for that?

@carlo-rtr carlo-rtr added this to the 0.9.0 milestone Mar 27, 2015
@prb
Copy link

prb commented Apr 1, 2015

See also #892.

@WarFox
Copy link
Author

WarFox commented Apr 3, 2015

The issue I reported could be rectified if the invalidValue is not printed.

Is it something that could be considered?

I don't see a point in printing out the value that was sent in the request payload.

@piefel
Copy link

piefel commented Apr 14, 2015

Funny, I was just about to prepare a patch that used that very function to log invalid messages on the server side. On the client, it probably is not as necessary, since the client might know what it just sent.

@WarFox
Copy link
Author

WarFox commented Apr 21, 2015

Please have a look at the pull request #1001
and advice if it is okay.

@joschi joschi closed this as completed in 9dabfaa Apr 25, 2015
joschi added a commit that referenced this issue Apr 25, 2015
Possible reflective cross site scripting in ConstraintViolation

Fixes #953
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants