[
https://issues.apache.org/jira/browse/KNOX-3039?focusedWorklogId=923511&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-923511
]
ASF GitHub Bot logged work on KNOX-3039:
----------------------------------------
Author: ASF GitHub Bot
Created on: 14/Jun/24 12:40
Start Date: 14/Jun/24 12:40
Worklog Time Spent: 10m
Work Description: kardolus commented on code in PR #914:
URL: https://github.com/apache/knox/pull/914#discussion_r1639761224
##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -282,33 +281,15 @@ public Enumeration<String> getInitParameterNames() {
}
}
- private Exception sanitizeException(Exception e) {
+ private SanitizedException logAndSanitizeException(Exception e) {
+ LOG.failedToExecuteFilter(e);
if (e == null || e.getMessage() == null) {
- return e;
+ return new SanitizedException(e.getMessage());
}
if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
- return e;
+ return new SanitizedException(e.getMessage());
}
String sanitizedMessage =
e.getMessage().replaceAll(errorMessageSanitizationPattern, "[hidden]");
-
- return createSanitizedException(e, sanitizedMessage);
- }
-
- private <T extends Exception> T createSanitizedException(T e, String
sanitizedMessage) {
- try {
- Constructor<? extends Exception> constructor =
e.getClass().getConstructor(String.class, Throwable.class);
- T sanitizedException = (T) constructor.newInstance(sanitizedMessage,
e.getCause());
- sanitizedException.setStackTrace(e.getStackTrace());
- return sanitizedException;
- } catch (Exception ex) {
- Exception genericException = new Exception(sanitizedMessage,
e.getCause());
- genericException.setStackTrace(e.getStackTrace());
- return (T) genericException;
- }
- }
-
- private <T extends Exception> T logAndSanitizeException(Exception e) throws
T {
- LOG.failedToExecuteFilter(e);
- throw (T) sanitizeException(e);
+ return new SanitizedException(sanitizedMessage);
Review Comment:
@pzampino There are some downsides in moving the logic over to the
`SanitizationException` class. It makes the code less flexible and potentially
harder to maintain (e.g. what if other classes want to throw a
`SanitizedException` but with different logic?). It's also a bit of an effort
to refactor the tests. We haven't decided yet that this pattern is better than
keeping the original `Exception` type (see my previous comment). Finally, but
less important IMO, moving the logic over to `SanitizedException` can be seen
as a violation of the Single Responsibility Principle.
Issue Time Tracking
-------------------
Worklog Id: (was: 923511)
Time Spent: 4h 50m (was: 4h 40m)
> IP Address Exposure in HTTP 500 Error Message
> ---------------------------------------------
>
> Key: KNOX-3039
> URL: https://issues.apache.org/jira/browse/KNOX-3039
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Guillermo Kardolus
> Priority: Major
> Time Spent: 4h 50m
> Remaining Estimate: 0h
>
> A potential security vulnerability has been identified in Apache Knox where
> internal IP addresses are exposed in HTTP 500 error messages. This issue can
> occur when a user modifies the URL for one of the proxy services, leading to
> an error page that includes the IP address of the internal service.
> *Steps to Reproduce:*
> # Navigate to a proxy service URL, for example:
> {{<[https://example.com:8443/gateway/proxy/service?scheme=https&host=example.com&port=8051]>}}
> # Modify the {{port}} parameter to an invalid port, such as:
> {{<[https://example.com:8443/gateway/proxy/service?scheme=https&host=example.com&port=9999]>}}
> # Observe the resulting HTTP 500 error message which includes the internal
> IP address.
> *Observed Behavior:* The error message reveals the internal IP address in the
> stack trace, which can be used by an attacker for port scanning and other
> malicious activities.
> *Example:*
> {code:java}
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity
> error.
> MESSAGE: java.io.IOException: java.io.IOException: Service connectivity error.
> ...
> CAUSED BY: java.io.IOException: Connect to example.com:9996
> [example.com/10.140.190.10] failed: Connection refused (Connection refused)
> ... {code}
> *Expected Behavior:* Error messages should not expose internal IP addresses.
> Instead, they should be sanitized to prevent the disclosure of sensitive
> information.
> *Proposed Solution:*
> # *Sanitization Mechanism:* Implement a mechanism to sanitize error messages
> before they are sent to the client. This can include replacing IP addresses
> with placeholders such as {{{}[hidden]{}}}.
> # *Configuration Options:* Provide configuration options for users to enable
> or disable this sanitization based on their security needs. By default, users
> should opt-in to this new sanitization functionality, with an option to
> opt-out if necessary.
> # *Knox-specific Error Page:* Alternatively, consider implementing a
> Knox-specific error page that displays an error message without revealing any
> sensitive information.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
