Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests #21930

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

NiniOak
Copy link
Contributor

@NiniOak NiniOak commented Nov 6, 2024

Description

  • Modified existing ensureContentTypeHeader middleware to set the response Content-Type to match the type of content that the server will process.

SOLUTION

ensureContentTypeHeader middleware is used to determine if the content-type set in the API request is the expected content type. If it's not a match:

  • A warning is logged in Consul
  • The appropriate contentType Header set before processing the request.
  • The same action is carried out for API response.
    NOTE: The same function is used in doRequest function which is used in processing CLI requests to the Consul API.

Testing & Reproduction steps

Updated unit tests to add additional checks for content-type header
Vercel should deploy UI with no errors

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@github-actions github-actions bot added the theme/api Relating to the HTTP API interface label Nov 6, 2024
@NiniOak NiniOak marked this pull request as draft November 7, 2024 01:14
@NiniOak NiniOak force-pushed the SECVULN-8621_consul_api_validate_request_content_type branch from b16d7ef to 1144eec Compare November 7, 2024 22:55
@NiniOak NiniOak marked this pull request as ready for review November 7, 2024 22:56
@NiniOak NiniOak removed the request for review from sarahalsmiller November 19, 2024 00:12
@NiniOak NiniOak changed the title [Security] Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests [Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests Nov 20, 2024
@NiniOak NiniOak requested a review from a team November 20, 2024 19:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
theme/api Relating to the HTTP API interface
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant