Posted to notifications@skywalking.apache.org by GitBox <gi...@apache.org> on 2022/10/07 10:47:37 UTC
[GitHub] [skywalking] michaelzangl opened a new issue, #9734: [Bug] Malicious / misconfigured client
michaelzangl opened a new issue, #9734:
URL: https://github.com/apache/skywalking/issues/9734
### Search before asking
- [X] I had searched in the [issues](https://github.com/apache/skywalking/issues?q=is%3Aissue) and found no similar issues.
### Apache SkyWalking Component
UI (apache/skywalking-booster-ui)
### What happened
When opening the "browser" dashboard:
```
Exception while fetching data (/browser_app_page_pv0) : Can't split endpoint id into 2 parts, Base64AppName.1_
```
The Trace-View cannot be used any more.
### What you expected to happen
The trace view should not become unusable; an empty page path should be handled correctly.
### How to reproduce
Insert a trace that has an empty pagePath.
Instantiate a JS client with:
```js
const getCollectorProps = () => ({
  collector: 'https://your-collector/', // missing comma added so the object literal parses
  service: 'xxx',
  serviceVersion: '1.0',
  pagePath: '' // < this is the important part
});
```
The endpoint that receives this trace is usually not protected by authentication (that would not make sense, since then clients could not send their traces). So any JS page using SkyWalking can be affected by this, since requests can be crafted by attackers.
### Anything else
This problem is reproducible easily. Version 9.2.0
#9269 has a similar error message, but does not seem to be related.
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@skywalking.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271481770
Always the same thing: An empty pagePath is crashing your UI. So short. I just wanted to make you aware of the security impacts to availability this may have.
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271530017
> Why ask this again? I have replied at least THREE TIMES. There is nothing more I could say.
Sorry, this was just a question unrelated to the issue stated above and I should have marked it as such.
We'll probably discuss this in private, I sent a mail to the security list about a different issue.
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271508655
@wu-sheng
Can you confirm that the endpoint `/browser/perfData` is intended for this use and can be accessed without authentication (or at least by more users that can normally access the monitoring UI)?
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271438379
I have just replied to the Apache security team: this should be protected by you.
Quoted again
> This is not a security issue.
We documented this very clearly, and we recommend users set up a
security gateway on their own.
https://skywalking.apache.org/docs/main/next/en/ui/readme/#login-and-authentication
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271473535
> Created a PR to document this behavior in the client JS package.
> https://github.com/apache/skywalking-client-js/pull/96
Replied; if this is what you are asking, it is a backend bug.
The browser perf analyzer should not generate this illegal endpoint metric.
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271485250
No, the security issue is: illegal data can be sent to the server by User A, which will make User B unable to use the app any more.
And this is a problem in your App.
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271440492
Various teams have different security policies.
Some systems are internal browser apps, which don't need the extra cost of a similar security authentication check.
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271457252
I don't think you understand me.
So in short for anyone else reading here (since I believe this won't be fixed):
**WORKAROUND**
In the proxy that you have before the `/browser/perfData` endpoint of OAP, reject all requests that have a pagePath of "".
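The proxy-side check described in the workaround above, written as an added example that is not code from the SkyWalking project or from the issue's author. It assumes the request body is JSON carrying the `service`, `serviceVersion` and `pagePath` fields that the reporter's client config shows; the length bound, the additional check on `service`, and the sample bodies are constructed for this example.

```javascript
// Added example, not SkyWalking project code: a request-body check for the
// reverse proxy in front of OAP's /browser/perfData endpoint, implementing the
// workaround above (reject requests whose pagePath is ""). Field names follow
// the client config in the issue; MAX_FIELD_LENGTH and the extra check on
// `service` are this example's own assumptions.

const MAX_FIELD_LENGTH = 2048; // assumed upper bound, tune per deployment

// Validate a parsed JSON body. Returns { ok: true } or { ok: false, reason }.
function validatePerfData(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  // pagePath is the value the issue reports as breaking the UI when empty;
  // service is checked the same way as an assumed precaution.
  for (const field of ['service', 'pagePath']) {
    const value = body[field];
    if (typeof value !== 'string') {
      return { ok: false, reason: `${field} must be a string` };
    }
    if (value.trim().length === 0) {
      return { ok: false, reason: `${field} must not be empty` };
    }
    if (value.length > MAX_FIELD_LENGTH) {
      return { ok: false, reason: `${field} exceeds ${MAX_FIELD_LENGTH} characters` };
    }
  }
  if (body.serviceVersion !== undefined && typeof body.serviceVersion !== 'string') {
    return { ok: false, reason: 'serviceVersion must be a string' };
  }
  return { ok: true };
}

// Decide what the proxy does with a raw request body: forward it to OAP
// (represented here by forward: true) or answer 400 without touching OAP.
function decide(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, forward: false, reason: 'invalid JSON' };
  }
  const result = validatePerfData(parsed);
  return result.ok
    ? { status: 200, forward: true, reason: 'ok' }
    : { status: 400, forward: false, reason: result.reason };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  good: JSON.stringify({ service: 'shop-frontend', serviceVersion: '1.0', pagePath: '/checkout' }),
  emptyPagePath: JSON.stringify({ service: 'shop-frontend', serviceVersion: '1.0', pagePath: '' }),
  blankPagePath: JSON.stringify({ service: 'shop-frontend', serviceVersion: '1.0', pagePath: '   ' }),
  missingPagePath: JSON.stringify({ service: 'shop-frontend', serviceVersion: '1.0' }),
  notJson: '{"service": "shop-frontend", pagePath',
};

// Show the decision for each sample when run directly.
for (const [name, raw] of Object.entries(SAMPLES)) {
  const d = decide(raw);
  console.log(`${name}: ${d.status} forward=${d.forward} (${d.reason})`);
}
```

The check runs before the body reaches OAP, so a rejected request never creates the endpoint record that the UI later fails to parse; only the `good` sample is forwarded, and whitespace-only paths are treated as empty.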
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271483856
I only would confirm this is a bug
> pagePath: '' // < this is the important part
The other security things you mentioned are the same as for any browser app. Illegal data could be sent to the server. This is not our program's problem to resolve. However you protect your browser app, you could set up similar things to protect the SkyWalking backend; we just use a simple URI for the client side.
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271488409
> No, security issue is: Illegal data can be sent to Server by User A, which will make User B not be able to use the app any more.
> And this is a problem in your App.
I won't keep arguing, as I have already replied. One bug could be confirmed. And we don't provide a security solution, as it is not in the project's scope.
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271443000
This has nothing to do with should or shouldn't.
This is an open source project to adopt general usage.
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271441126
As far as I understand, that endpoint should not be protected.
I am using https://github.com/apache/skywalking-client-js to report the traces. This library is intended to be bundled with the client, and it is intended that you set up a proxy to pass on the requests from that client to skywalking.
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271451251
What do you want to protect? From our understanding, you could limit the format, check field values, use HTTPS protection, limit request frequency, etc.
Security is an endless topic. Whatever you prefer in general also works for this case.
SkyWalking has no reason to rebuild those solutions.
[GitHub] [skywalking] wu-sheng closed issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng closed issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
URL: https://github.com/apache/skywalking/issues/9734
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271448047
Are there any security recommendations on how to use the JS client / expose the HTTP access of skywalking for the JS client? Is Skywalking even considered "safe" for usage in a publicly accessible project?
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271487240
> Always the same thing: An empty pagePath is crashing your UI. So short. I just wanted to make you aware of the security impacts to availability this may have.
No, they are not the same. That is legal by design, so it is a bug. The backend should accept the value, so I rejected your PR, which mentions the wrong thing.
But malicious attack is totally different. Security is security, boundaries are clear.
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271515460
Why ask this again? I have replied at least THREE TIMES. There is nothing more I could say.
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271461984
Created a PR to document this behavior in the client JS package.
https://github.com/apache/skywalking-client-js/pull/96
[GitHub] [skywalking] michaelzangl commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
michaelzangl commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271478231
> You keep mentioning security issue. Now, you mentioned about pagePath can't be null.
Sorry, clarified that 'empty' value of type String means an empty string and not null.
> Could you confirm what is your asking directly?
I am not asking anything. I just made the following assumptions:
1. The [skywalking-client-js](https://github.com/apache/skywalking-client-js) package is intended to be used by "normal" websites that are accessible to the public (or e.g. after a client registration, but in any case by clients that are outside the control of the server operator).
2. The endpoint `/browser/perfData` needs to be accessible by that client (it can be behind an HTTPS proxy, but needs to be without authentication).
3. Sending the data to that endpoint will make the UI inaccessible.
This is a Denial of Service / data corruption by an unauthorized attacker. I don't see it as that relevant to security (just taking down some monitoring system), but it might even get a pretty high [CVE score](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1).
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271479889
See, you are back to another thing again.
I am not sure why you keep switching between two things. The PR you created is not about these points at all.
It is bad practice to discuss things like this.
[GitHub] [skywalking] wu-sheng commented on issue #9734: [Bug] Malicious / misconfigured client can cause inaccessible trace view
Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #9734:
URL: https://github.com/apache/skywalking/issues/9734#issuecomment-1271466959
You keep mentioning a security issue. Now, you mention that pagePath can't be null.
Could you confirm directly what you are asking?