Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Web Parameter Tampering on /login?errorMsg #20216

Closed
MauroEldritch opened this issue May 13, 2019 · 2 comments
Closed

Web Parameter Tampering on /login?errorMsg #20216

MauroEldritch opened this issue May 13, 2019 · 2 comments
Assignees
@westlywright @mrajashree @davidnuzik
Labels
area/api kind/bug Issues that are defects reported by users or that we know have reached a real release
Milestone
v2.2.4

Comments

@MauroEldritch
Copy link

What kind of request is this (question/bug/enhancement/feature request): Enhancement

Steps to reproduce (least amount of steps as possible):

/login?errorMsg=%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6f%77%61%73%70%2e%6f%72%67%2f%69%6e%64%65%78%2e%70%68%70%2f%57%65%62%5f%50%61%72%61%6d%65%74%65%72%5f%54%61%6d%70%65%72%69%6e%67

Result: It will display a link to OWASP Wiki explaining Web Parameter Tampering.

Other details that may be helpful: Tags are effectively filtered.

Environment information

  • Rancher version (rancher/rancher/rancher/server image tag or shown bottom left in the UI): 2.1.4
  • Installation option (single install/HA): *

Cluster information

  • Cluster type (Hosted/Infrastructure Provider/Custom/Imported):
  • Machine type (cloud/VM/metal) and specifications (CPU/memory):
  • Kubernetes version (use kubectl version):
N/A
  • Docker version (use docker version): *
N/A
@vincent99 vincent99 added this to the v2.2.4 milestone May 15, 2019
@alena1108
Copy link

Based on @vincent99 input, the fix will be a combination of UI and the backend. There's one place the backend sends it that would need to be updated;

rancher/pkg/auth/providers/saml/saml_client.go

Line 279 in f966203

http.Redirect(w, r, redirectURL+"errorCode=422&errorMsg=Invalid saml attributes", http.StatusFound)

@alena1108 alena1108 added kind/bug Issues that are defects reported by users or that we know have reached a real release area/ui area/api labels May 15, 2019
westlywright added a commit to westlywright/ui that referenced this issue May 17, 2019
@westlywright
Check for err msg code instead of using string from login error
6acc856 
rancher/rancher#20216
@westlywright westlywright mentioned this issue May 17, 2019
Merged
@mrajashree mrajashree mentioned this issue May 21, 2019
Merged
westlywright added a commit to westlywright/ui that referenced this issue May 21, 2019
@westlywright
Check for err msg code instead of using string from login error
e4d1c28 
rancher/rancher#20216

More error message

Always display translation key in the query param
westlywright added a commit to westlywright/ui that referenced this issue May 21, 2019
@westlywright
Check for err msg code instead of using string from login error
592bfd1 
rancher/rancher#20216

More error message

Always display translation key in the query param
westlywright added a commit to westlywright/ui that referenced this issue May 21, 2019
@westlywright
Check for err msg code instead of using string from login error
c97eef7 
rancher/rancher#20216

More error message

Always display translation key in the query param
@zube zube bot removed the [zube]: Working label May 21, 2019
@davidnuzik
Copy link
Contributor

I validated the UI aspect of the fix.

Replication:
v2.2.3

Validation:
v2.2.4-rc8

I tried the same again to validate. For all cases I only get the generic login error message:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@westlywright westlywright

@mrajashree mrajashree

@davidnuzik davidnuzik

Labels
area/api kind/bug Issues that are defects reported by users or that we know have reached a real release
Projects
None yet
Milestone
v2.2.4
Development

No branches or pull requests
7 participants
@vincent99 @westlywright @MauroEldritch @alena1108 @sangeethah @mrajashree @davidnuzik