[jira] [Work logged] (KNOX-3039) Vulnerability Disclosure: IP Address Exposure in HTTP 500 Error Message

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3039?focusedWorklogId=921982&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921982
 ]

ASF GitHub Bot logged work on KNOX-3039:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/Jun/24 14:25
            Start Date: 04/Jun/24 14:25
    Worklog Time Spent: 10m 
      Work Description: moresandeep commented on code in PR #914:
URL: https://github.com/apache/knox/pull/914#discussion_r1626113580


##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -277,4 +278,34 @@ public Enumeration<String> getInitParameterNames() {
       return config.getInitParameterNames();
     }
   }
+
+  private Exception sanitizeException(Exception e) {
+    if (e == null || e.getMessage() == null) {
+      return e;
+    }
+    if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
+      return e;
+    }
+    String sanitizedMessage = 
e.getMessage().replaceAll("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "[hidden]");
+    return createNewException(e, sanitizedMessage);

Review Comment:
   Suggestion: Instead of `createNewException` function we can perhaps create a 
SanatizedKnoxException class that does sanitizing and logging and we can then 
wrap original exception with this new SanatizedKnoxException. So less code 
changes in the original class and logic can be changed later without touching 
these classes. 



##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -277,4 +278,34 @@ public Enumeration<String> getInitParameterNames() {
       return config.getInitParameterNames();
     }
   }
+
+  private Exception sanitizeException(Exception e) {
+    if (e == null || e.getMessage() == null) {
+      return e;
+    }
+    if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
+      return e;
+    }
+    String sanitizedMessage = 
e.getMessage().replaceAll("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "[hidden]");
+    return createNewException(e, sanitizedMessage);

Review Comment:
   We need to log the original error in gateway logs else it would be difficult 
to debug.



##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -277,4 +278,34 @@ public Enumeration<String> getInitParameterNames() {
       return config.getInitParameterNames();
     }
   }
+
+  private Exception sanitizeException(Exception e) {
+    if (e == null || e.getMessage() == null) {
+      return e;
+    }
+    if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
+      return e;
+    }
+    String sanitizedMessage = 
e.getMessage().replaceAll("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "[hidden]");

Review Comment:
   Suggestion: It would be good to create a variable for the pattern. 
   Also, what does this expression catch? I am assuming IP address. It would be 
cool if we can create a gateway attribute variable like 
`isErrorMessageSanitizationEnabled` so users can specify custom regex in case 
they want to override. In which case a List of pattens would be nice to have!





Issue Time Tracking
-------------------

    Worklog Id:     (was: 921982)
    Time Spent: 20m  (was: 10m)

> Vulnerability Disclosure: IP Address Exposure in HTTP 500 Error Message
> -----------------------------------------------------------------------
>
>                 Key: KNOX-3039
>                 URL: https://issues.apache.org/jira/browse/KNOX-3039
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Guillermo Kardolus
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> A potential security vulnerability has been identified in Apache Knox where 
> internal IP addresses are exposed in HTTP 500 error messages. This issue can 
> occur when a user modifies the URL for one of the proxy services, leading to 
> an error page that includes the IP address of the internal service.
> *Steps to Reproduce:*
>  # Navigate to a proxy service URL, for example:
> {{<[https://example.com:8443/gateway/proxy/service?scheme=https&host=example.com&port=8051]>}}
>  # Modify the {{port}} parameter to an invalid port, such as:
> {{<[https://example.com:8443/gateway/proxy/service?scheme=https&host=example.com&port=9999]>}}
>  # Observe the resulting HTTP 500 error message which includes the internal 
> IP address.
> *Observed Behavior:* The error message reveals the internal IP address in the 
> stack trace, which can be used by an attacker for port scanning and other 
> malicious activities.
> *Example:*
> {code:java}
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity 
> error.
> MESSAGE: java.io.IOException: java.io.IOException: Service connectivity error.
> ...
> CAUSED BY: java.io.IOException: Connect to example.com:9996 
> [example.com/10.140.190.10] failed: Connection refused (Connection refused)
> ... {code}
> *Expected Behavior:* Error messages should not expose internal IP addresses. 
> Instead, they should be sanitized to prevent the disclosure of sensitive 
> information.
> *Proposed Solution:*
>  # *Sanitization Mechanism:* Implement a mechanism to sanitize error messages 
> before they are sent to the client. This can include replacing IP addresses 
> with placeholders such as {{{}[hidden]{}}}.
>  # *Configuration Options:* Provide configuration options for users to enable 
> or disable this sanitization based on their security needs. By default, users 
> should opt-in to this new sanitization functionality, with an option to 
> opt-out if necessary.
>  # *Knox-specific Error Page:* Alternatively, consider implementing a 
> Knox-specific error page that displays an error message without revealing any 
> sensitive information.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)