[jira] [Created] (NIFI-5442) Message Page uses raw X-ProxyContextPath

Dan Fike (JIRA) Wed, 18 Jul 2018 11:10:05 -0700

Dan Fike created NIFI-5442:
------------------------------

             Summary: Message Page uses raw X-ProxyContextPath
                 Key: NIFI-5442
                 URL: https://issues.apache.org/jira/browse/NIFI-5442
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 1.6.0
            Reporter: Dan Fike



It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim without 
sanitizing it or anything. See 

[https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]

 

I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured 
NiFi host to get the *User authentication/authorization is only supported when 
running over HTTPS* message page.

 
{code:java}
$ curl http://hostname/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" 
/>
...

$ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" 
type=\"text/css\" /><script 
type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" 
href=\"" 
http://chestguessed.corp.ne1.yahoo.com:9999/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" 
/><script type="text/javascript">alert("omg");</script><link rel="stylesheet" 
href="/nifi/assets/reset.css/reset.css" type="text/css" />
...{code}
 

Presumably we want to do something like this: 
[https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Created] (NIFI-5442) Message Page uses raw X-ProxyContextPath

Reply via email to