
XSS vulnerability in NotFoundExceptionMapper #7248

Closed
blxbrgld opened this issue Feb 18, 2020 · 10 comments · Fixed by #8207
Labels: area/security, kind/bug (Something isn't working)

Comments

blxbrgld commented Feb 18, 2020

Description
The "no resource endpoint" HTML page that is rendered on 404 errors introduces an XSS vulnerability. Take as an example a GET endpoint that accepts a paging parameter in the form "start,offset" (e.g. 0,10). A request like:

/users?paging=0%2c-1sp137%3Cscript%3Ealert(1)%3C%2fscript%3Emzx4u

would lead to the following exception, and the 404 page in turn would execute the script (an alert in our case).

RESTEASY003870: Unable to extract parameter from http request: javax.ws.rs.QueryParam("paging") value is '0,-1sp137<script>alert(1)</script>mzx4u'

Implementation ideas
Enable the 404 HTML page only in DEV mode.

@blxbrgld blxbrgld added the area/housekeeping Issue type for generalized tasks not related to bugs or enhancements label Feb 18, 2020
@gsmet gsmet added kind/bug Something isn't working and removed area/housekeeping Issue type for generalized tasks not related to bugs or enhancements labels Feb 18, 2020
@gsmet gsmet added this to the 1.3.0 milestone Feb 18, 2020
geoand (Contributor) commented Feb 18, 2020

Thanks for the report!

Isn't NotFoundExceptionMapper only enabled in dev-mode anyway?

gsmet (Member) commented Feb 21, 2020

@gastaldi would you have the cycles to check out this one?

Make sure this thing is only available in dev mode. And also, we should probably deal with escaping better than we currently do.

If you don't have the time, please say so. Thanks!

gastaldi (Contributor) commented

Sure, I can have a look.

@gastaldi gastaldi self-assigned this Feb 21, 2020
gastaldi (Contributor) commented

The NotFoundExceptionMapper is only enabled in dev-mode indeed. The 404 page that this issue refers to is the one handled by RESTEasy containing the error.

gastaldi (Contributor) commented Feb 21, 2020

Remark: I am not even sure why a 404 is returned. It would be better to return 400 (Bad Request) instead.

EDIT: It's part of the spec:

"A WebApplicationException thrown during construction of field or property values using 3 or 4 above is processed directly as described in Section 3.3.4. Other exceptions thrown during construction of field or property values using 3 or 4 above are treated as client errors: if the field or property is annotated with @MatrixParam, @QueryParam or @PathParam then an implementation MUST generate an instance of NotFoundException (404 status) that wraps the thrown exception and no entity; if the field or property is annotated with @HeaderParam or @CookieParam then an implementation MUST generate an instance of BadRequestException (400 status) that wraps the thrown exception and no entity."

gastaldi (Contributor) commented

Using @Encoded together with the @QueryParam annotation solves the problem.
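The following JAX-RS snippet is an added example (my own code, not Quarkus's or RESTEasy's, and not code from anyone in this thread). It shows the shape of the bug the report describes, the spec rule quoted above (a failing @QueryParam conversion becomes a NotFoundException that carries the raw value in its message), and the two mitigations the thread mentions: @Encoded, which hands the still percent-encoded value to the resource method, and HTML-escaping the message before it is rendered. Assumptions: the javax.ws.rs (JAX-RS 2.x) API, Java 11 or later for URLDecoder.decode(String, Charset), and the names PagingXssExample, Paging, UsersResource, EscapingNotFoundMapper and escapeHtml, which are mine. The RESTEASY003870 message in the report is produced by RESTEasy itself, not by this code; the mapper here is assumed to be the only NotFoundException mapper registered (in Quarkus dev mode the built-in one would compete with it).

```java
// Added example: 404-on-conversion-failure, and keeping the echoed value out of HTML.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Encoded;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

public class PagingXssExample {

    // "start,offset" parameter type. JAX-RS converts the query value by calling the
    // static valueOf(String); when it throws, JAX-RS 3.2 requires the runtime to wrap
    // the exception in a NotFoundException (404). The message echoes the raw input.
    public static final class Paging {
        public final int start, offset;
        private Paging(int start, int offset) { this.start = start; this.offset = offset; }

        public static Paging valueOf(String raw) {
            String[] parts = raw.split(",", -1);
            if (parts.length != 2) {
                throw new IllegalArgumentException("expected start,offset but got '" + raw + "'");
            }
            // NumberFormatException (an IllegalArgumentException) also echoes the input:
            // For input string: "-1sp137<script>alert(1)</script>mzx4u"
            return new Paging(Integer.parseInt(parts[0].trim()), Integer.parseInt(parts[1].trim()));
        }
    }

    @Path("/users")
    public static class UsersResource {

        // Vulnerable shape from the report: a malformed value fails inside the runtime,
        // before this method runs, and the runtime's 404 carries the decoded, unescaped input.
        @GET
        @Produces(MediaType.TEXT_PLAIN)
        public String list(@QueryParam("paging") Paging paging) {
            return "users " + paging.start + ".." + (paging.start + paging.offset);
        }

        // Hardened shape: @Encoded delivers the value still percent-encoded, so "<script>"
        // arrives as "%3Cscript%3E" and is inert even if something echoes it. The method
        // decodes and parses itself and reports failure with a 400 and a fixed message.
        @GET
        @Path("/safe")
        @Produces(MediaType.TEXT_PLAIN)
        public String listSafe(@Encoded @QueryParam("paging") String raw) {
            if (raw == null) {
                throw new BadRequestException("paging is required");
            }
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            try {
                return list(Paging.valueOf(decoded));
            } catch (IllegalArgumentException e) {
                throw new BadRequestException("invalid paging parameter"); // never echo input
            }
        }
    }

    // Defensive mapper for the 404 the runtime generates on conversion failure:
    // whatever the exception message contains is HTML-escaped before it hits the page.
    @Provider
    public static class EscapingNotFoundMapper implements ExceptionMapper<NotFoundException> {
        @Override
        public Response toResponse(NotFoundException e) {
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            String detail = cause.getMessage() == null ? "" : cause.getMessage();
            String body = "<html><body><h1>404 Not Found</h1><p>" + escapeHtml(detail) + "</p></body></html>";
            return Response.status(Response.Status.NOT_FOUND).type(MediaType.TEXT_HTML_TYPE).entity(body).build();
        }
    }

    // Minimal HTML escaping, safe for text content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Offline check with the payload from the report (constructed input).
    public static void main(String[] args) {
        String attack = "0,-1sp137<script>alert(1)</script>mzx4u";
        try {
            Paging.valueOf(attack);
        } catch (IllegalArgumentException e) {
            System.out.println("unescaped: " + e.getMessage());
            System.out.println("escaped:   " + escapeHtml(e.getMessage()));
        }
    }
}
```

The main method prints the conversion failure twice, once as the runtime would embed it and once escaped, which makes the difference the report is about visible without deploying anything. Note that @Encoded only helps if the resource method does its own decoding and parsing; the mapper is what protects the page when the conversion still happens inside the runtime.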

gsmet (Member) commented Mar 5, 2020

@gastaldi can we have a clear status on that one? I understand the culprit is not Quarkus but RESTEasy? If so, we need to involve @asoldano .

@gsmet gsmet modified the milestones: 1.3.0.CR1, 1.3.0.Final Mar 5, 2020
gastaldi (Contributor) commented Mar 5, 2020

@gsmet yes, AFAIR RESTEasy handles the exception and returns that unencoded error message.

IMHO RESTEasy's error messages containing input values should always be encoded, no matter if @Encoded is specified or not.

I'll create a ticket in RESTEasy to track that.

Cc @asoldano

gsmet (Member) commented Mar 5, 2020

OK, thanks.

gastaldi (Contributor) commented Mar 5, 2020

Ticket created in https://issues.redhat.com/browse/RESTEASY-2519

5 participants