[ https://issues.apache.org/jira/browse/NIFI-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16548602#comment-16548602 ]
ASF GitHub Bot commented on NIFI-5442: -------------------------------------- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2908 "Safe" (whitelisted) but inaccurate context path: <img width="1920" alt="screen shot 2018-07-18 at 5 13 17 pm" src="https://user-images.githubusercontent.com/798465/42914275-563f38aa-8aae-11e8-9d23-33c5ce1b3dcb.png"> Malicious context path: <img width="1920" alt="screen shot 2018-07-18 at 5 13 37 pm" src="https://user-images.githubusercontent.com/798465/42914274-5625db44-8aae-11e8-9cc1-9895cacf49eb.png"> > Message Page uses raw X-ProxyContextPath > ---------------------------------------- > > Key: NIFI-5442 > URL: https://issues.apache.org/jira/browse/NIFI-5442 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework > Affects Versions: 1.6.0 > Reporter: Dan Fike > Assignee: Andy LoPresto > Priority: Major > > It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim > without sanitizing it or anything. See > [https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21] > > I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured > NiFi host to get the *User authentication/authorization is only supported > when running over HTTPS* message page. > > {code:java} > $ curl http://hostname/nifi-api/access/oidc/callback > ... > <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" > type="text/css" /> > ... > $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" > type=\"text/css\" /><script > type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" > href=\"" http://hostname/nifi-api/access/oidc/callback > ... > <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" > type="text/css" /><script type="text/javascript">alert("omg");</script><link > rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" /> > ...{code} > > Presumably we want to do something like this: > [https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20] -- This message was sent by Atlassian JIRA (v7.6.3#76005)