[
https://issues.apache.org/jira/browse/NIFI-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dan Fike updated NIFI-5442:
---------------------------
Description:
It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim without
sanitizing it or anything. See
[https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured
NiFi host to get the *User authentication/authorization is only supported when
running over HTTPS* message page.
{code:java}
$ curl http://hostname/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css"
/>
...
$ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\"
type=\"text/css\" /><script
type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\"
href=\"" http://hostname/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css"
/><script type="text/javascript">alert("omg");</script><link rel="stylesheet"
href="/nifi/assets/reset.css/reset.css" type="text/css" />
...{code}
Presumably we want to do something like this:
[https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]
was:
It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim without
sanitizing it or anything. See
[https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured
NiFi host to get the *User authentication/authorization is only supported when
running over HTTPS* message page.
{code:java}
$ curl http://hostname/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css"
/>
...
$ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\"
type=\"text/css\" /><script
type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\"
href=\""
http://chestguessed.corp.ne1.yahoo.com:9999/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css"
/><script type="text/javascript">alert("omg");</script><link rel="stylesheet"
href="/nifi/assets/reset.css/reset.css" type="text/css" />
...{code}
Presumably we want to do something like this:
[https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]
> Message Page uses raw X-ProxyContextPath
> ----------------------------------------
>
> Key: NIFI-5442
> URL: https://issues.apache.org/jira/browse/NIFI-5442
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.6.0
> Reporter: Dan Fike
> Priority: Major
>
> It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim
> without sanitizing it or anything. See
> [https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
>
> I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured
> NiFi host to get the *User authentication/authorization is only supported
> when running over HTTPS* message page.
>
> {code:java}
> $ curl http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css"
> type="text/css" />
> ...
> $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\"
> type=\"text/css\" /><script
> type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\"
> href=\"" http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css"
> type="text/css" /><script type="text/javascript">alert("omg");</script><link
> rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
> ...{code}
>
> Presumably we want to do something like this:
> [https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
