Bug 1475303 - Text Injection possible
Status: ON_QA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
5.8.0
Unspecified Unspecified
low Severity urgent
: GA
: 5.10.0
Assigned To: Martin Povolny
Yadnyawalk Tale
ui:flash_msg
: TestOnly
: 1486665
Depends On:
Blocks: 1515355 1520669
Reported: 2017-07-26 08:15 EDT by Vatsal Parekh
Modified: 2018-06-18 01:26 EDT
9 users

See Also:
Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1515355 1520669
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core


Attachments: None
Comment 2 Martin Povolny 2017-09-25 13:13:07 EDT
*** Bug 1486665 has been marked as a duplicate of this bug. ***
Comment 3 Martin Povolny 2017-10-16 08:53:47 EDT
> Perform some action and flash message is shown

Sorry, but my crystal ball is broken this week.

I did perform some action but saw no flash msg.

I believe there's an issue as you describe it SOMEWHERE but...
Comment 4 Martin Povolny 2017-10-16 09:04:11 EDT
Actually I did find an example in the DUP of this issue:

> Description of problem:
> After creating a VM creation request, the flash message shown is sent as a URL 
> parameter, and can be easily edited, and be misused

> Version-Release number of selected component (if applicable):
> Version master.20170830023715_aa4dab9

> How reproducible:
> 100%

> Steps to Reproduce:
> 1.Submit a request for VM creation
> 2.See the flash message

> Actual results:
> Flash message in the URL parameter

It would be helpful if you could help me get all the places that you have found into one BZ, but with a description that I would be able to reproduce (as the one above).

Thx!
Comment 5 Martin Povolny 2017-10-16 10:16:43 EDT
Fixing one such place:

https://github.com/ManageIQ/manageiq-ui-classic/pull/2408
Comment 6 Martin Povolny 2017-10-16 13:15:47 EDT
One more such place: 

https://github.com/ManageIQ/manageiq-ui-classic/pull/2412

All places I see are using a Rails function for the redirect; no JavaScript injection is possible, so I don't consider this a security issue.

We can fix all the places as a "hardening" task but afaik this should not be a priority.

The two fixes in this PR can be considered a pattern to fix all the other places.
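The pattern described in this comment, as an added example (this is not code from the bug report, the linked PRs or ManageIQ itself): a controller that puts the flash message into the redirect URL as a `flash_msg` query parameter, so anyone who can get a victim to open a crafted link chooses the text the UI displays, next to the same flow with the message kept server-side in a Rails-style flash store. The path `/miq_request/show_list`, the session ids and every message are constructed for the example; Rails is replaced by plain Ruby so it runs offline.

```ruby
require "cgi"
require "erb"
require "uri"

# --- Vulnerable pattern (what the bug describes) ----------------------------
# The controller builds the redirect target with the flash message as a
# query parameter; the destination action then displays params[:flash_msg].
def vulnerable_redirect_url(base_url, message)
  "#{base_url}?flash_msg=#{CGI.escape(message)}"
end

def vulnerable_render_flash(request_url)
  params = CGI.parse(URI.parse(request_url).query.to_s)
  msg = params["flash_msg"].first
  return "" if msg.nil? || msg.empty?
  # Rails views auto-escape output, so markup cannot break out of the div:
  # this is text injection, not script injection. The attacker still
  # chooses every word the victim reads in the trusted UI.
  %(<div class="flash_message">#{ERB::Util.html_escape(msg)}</div>)
end

# --- Hardened pattern -------------------------------------------------------
# The message lives server-side, keyed by session, and is shown exactly once
# on the following request (the behaviour of the Rails `flash` hash). The
# redirect URL no longer carries it, so the query string cannot influence it.
class ServerSideFlash
  def initialize
    @store = {}
  end

  def set(session_id, message)
    @store[session_id] = message
  end

  # Read-and-clear, like the Rails flash after the next request.
  def pop(session_id)
    @store.delete(session_id)
  end
end

def hardened_redirect_url(flash, session_id, base_url, message)
  flash.set(session_id, message)  # Rails equivalent: flash[:notice] = message
  base_url                         # Rails equivalent: redirect_to base_url
end

def hardened_render_flash(flash, session_id, _request_url)
  # The request URL is accepted only to make the point that it is ignored.
  msg = flash.pop(session_id)
  return "" if msg.nil?
  %(<div class="flash_message">#{ERB::Util.html_escape(msg)}</div>)
end

# Constructed attacker link (not from the bug report): a social-engineering
# message that the vulnerable page will display as its own flash message.
ATTACKER_URL = "https://cfme.example/miq_request/show_list?flash_msg=" +
  CGI.escape("Your session has expired. Call +1 555 0100 to re-enable your account.")

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_render_flash(ATTACKER_URL)}"
  flash = ServerSideFlash.new
  puts "hardened:   #{hardened_render_flash(flash, 'sess-1', ATTACKER_URL).inspect}"
end
```

The escaping in the vulnerable branch is what makes this "text injection" rather than XSS, as the comment says; the hardened branch removes the attacker's influence entirely rather than relying on escaping, which is the shape of the fix in the two linked PRs.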
Comment 7 Vatsal Parekh 2017-10-17 14:15:23 EDT
(In reply to Martin Povolny from comment #4)
> Actually I did find an example in the DUP of this issue:
> 
> > Description of problem:
> > After creating a VM creation request, the flash message shown is sent as a URL 
> > parameter, and can be easily edited, and be misused
> 
> > Version-Release number of selected component (if applicable):
> > Version master.20170830023715_aa4dab9
> 
> > How reproducible:
> > 100%
> 
> > Steps to Reproduce:
> > 1.Submit a request for VM creation
> > 2.See the flash message
> 
> > Actual results:
> > Flash message in the URL parameter
> 
> It would be helpful if you could help me get all the places that you have
> found into one BZ, but with a description that I would be able to reproduce
> (as the one above).
> 
> Thx!

To list such places,
Places where we provision/order VMs, delete/modify them, in general I see almost all the flash messages passed in as a url parameter.
Comment 8 Martin Povolny 2017-10-26 06:11:58 EDT
> In general I see almost all the flash messages passed in as a url parameter.

I don't.
Comment 10 Vatsal Parekh 2017-11-06 06:06:10 EST
I'm also not seeing them now, used to see them in previous builds.
Comment 11 Martin Povolny 2017-11-20 11:22:27 EST
Ok, moving this to POST. Some places were fixed.

Once we have more places found we can create new BZs.

The pattern for the fix is pretty straightforward once you see the place.
Comment 16 Martin Povolny 2017-12-04 14:10:48 EST
As I previously declared: If you show me such places, I can get it fixed.
