Posted to dev@knox.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/03/12 20:27:00 UTC

[jira] [Work logged] (KNOX-1817) Fix XSS issues with AliasResource

     [ https://issues.apache.org/jira/browse/KNOX-1817?focusedWorklogId=212009&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-212009 ]

ASF GitHub Bot logged work on KNOX-1817:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Mar/19 20:26
            Start Date: 12/Mar/19 20:26
    Worklog Time Spent: 10m 
      Work Description: moresandeep commented on pull request #70: KNOX-1817 - Fix XSS issues with Alias API
URL: https://github.com/apache/knox/pull/70
 
 
   ## What changes were proposed in this pull request?
   The Alias API was passing user input back in some cases as a response without encoding; this was when an error was thrown or when a response message saying 'alias' for a 'topology' was created. This opens up the API to XSS attacks. The PR:
   
   1. Adds encoding to the data that is going out as the response.
   2. Decodes the user inputs, since the API uses application/x-www-form-urlencoded.
   
   ## How was this patch tested?
   The patch was tested manually, e.g.:
   
   ```
   curl -iku admin:admin-password -H "Content-Type: application/json"  -d "value=mysecret" -X PUT  'https://localhost:8443/gateway/admin/api/v1/aliases/sandbox/somelongreallylongalias<>'
   HTTP/1.1 201 Created
   Date: Tue, 12 Mar 2019 19:54:00 GMT
   Set-Cookie: KNOXSESSIONID=node0tb9bz05vhh6k1xpp0ti2p0vqh2.node0;Path=/gateway/admin;Secure;HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Mon, 11-Mar-2019 19:54:00 GMT
   Content-Type: application/json
   Content-Length: 85
   Server: Jetty(9.4.15.v20190215)

   { "created" : { "topology": "sandbox", "alias": "somelongreallylongalias&lt;&gt;" } }
   ```
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
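The two halves of the fix described in the pull request (encode what is echoed back, decode the form-encoded input) are illustrated below with an added, self-contained Java example. This is not Knox's AliasResource code and does not use the Knox API; the class name, method names, the `vulnerable`/`safe` pair, the minimal `htmlEncode` helper and the sample alias and form body are all constructed for illustration. It assumes Java 10 or later for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class AliasResponseEncodingExample {

    // Constructed sample input: an alias name carrying markup characters, as in the
    // manual test in the pull request, and a body as a client would send it with
    // Content-Type: application/x-www-form-urlencoded.
    static final String SAMPLE_ALIAS = "somelongreallylongalias<>";
    static final String SAMPLE_FORM_BODY = "value=my%20secret&comment=a%26b";

    /** Vulnerable pattern: user-controlled path segments are echoed verbatim into the response. */
    static String vulnerableCreatedResponse(String topology, String alias) {
        return "{ \"created\" : { \"topology\": \"" + topology
                + "\", \"alias\": \"" + alias + "\" } }";
    }

    /** Hardened pattern: every user-controlled value is HTML-encoded before it is echoed. */
    static String safeCreatedResponse(String topology, String alias) {
        return "{ \"created\" : { \"topology\": \"" + htmlEncode(topology)
                + "\", \"alias\": \"" + htmlEncode(alias) + "\" } }";
    }

    /**
     * Minimal HTML entity encoder (hypothetical helper standing in for a library encoder).
     * Encoding the double quote also prevents the value from terminating the JSON string.
     */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Decodes an application/x-www-form-urlencoded body into its fields.
     * Each key and value is percent-decoded separately; a field without '=' gets an empty value.
     */
    static Map<String, String> parseFormBody(String body) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String rawVal = eq < 0 ? "" : pair.substring(eq + 1);
            fields.put(URLDecoder.decode(rawKey, StandardCharsets.UTF_8),
                       URLDecoder.decode(rawVal, StandardCharsets.UTF_8));
        }
        return fields;
    }

    public static void main(String[] args) {
        // Input side: decode the form body before using the submitted values.
        Map<String, String> form = parseFormBody(SAMPLE_FORM_BODY);
        System.out.println("decoded form fields: " + form);

        // Output side: compare the echoed alias before and after encoding.
        System.out.println("vulnerable: " + vulnerableCreatedResponse("sandbox", SAMPLE_ALIAS));
        System.out.println("hardened:   " + safeCreatedResponse("sandbox", SAMPLE_ALIAS));

        // A quick self-check that no raw markup characters survive in the hardened response.
        String hardened = safeCreatedResponse("sandbox", SAMPLE_ALIAS);
        if (hardened.indexOf('<') >= 0 || hardened.indexOf('>') >= 0) {
            throw new AssertionError("markup characters leaked into the response");
        }
    }
}
```

Run with `java AliasResponseEncodingExample.java` (single-file launch, Java 11+). The hardened response renders the alias as `somelongreallylongalias&lt;&gt;`, the same form shown in the manual test above, while the vulnerable variant returns the `<>` characters unchanged. The same encode-before-echo rule applies to the error path the pull request mentions: any message that repeats a topology or alias name should pass through the encoder as well.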


Issue Time Tracking
-------------------

            Worklog Id:     (was: 212009)
            Time Spent: 10m
    Remaining Estimate: 0h

> Fix XSS issues with AliasResource
> ---------------------------------
>
>                 Key: KNOX-1817
>                 URL: https://issues.apache.org/jira/browse/KNOX-1817
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 1.3.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)