Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot disable HTTP OPTIONS Method #5909

Closed
somayedubati opened this issue Jan 22, 2021 · 16 comments
Closed

Cannot disable HTTP OPTIONS Method #5909

somayedubati opened this issue Jan 22, 2021 · 16 comments

Comments

@somayedubati
Copy link

Please assist us for Disable HTTP OPTIONS Method in Jetty-9.4.18.20190429. We are getting this as a Moderate Vulnerability in the scans. Jetty is part of the product we are using the Job Scheduler JOC Cockpit Version 1.13.8.

Thanks and appreciate your help!

@joakime
Copy link
Contributor

joakime commented Jan 22, 2021

Specify the constraints in the WEB-INF/web.xml to disable OPTIONS.

  <!-- ==================================================================== -->
  <!-- Disable OPTIONS method with security constraint                      -->
  <!-- ==================================================================== -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

@somayedubati
Copy link
Author

thanks a lot for your assistance! I will update the web.xml and let you know if any issues.

@sbordet
Copy link
Contributor

sbordet commented Jan 22, 2021

@somayedubati please note that OPTIONS is a required method to support CORS for browsers -- make sure applications deployed in Jetty does not need to support CORS.

@somayedubati
Copy link
Author

somayedubati commented Jan 22, 2021

@sbordet Thanks for your inputs! We will review and make sure that CORS support needed or not before deployment.

@somayedubati
Copy link
Author

@joakime, I updated the web.xml file but still showing the HTTP OPTIONS as a Vulnerability. do you have any suggestions?
Thanks for your assistance!

@janbartel
Copy link
Contributor

janbartel commented Jan 25, 2021

@somayedubati the url-pattern should probably be /*, not just /: /* will cover all urls in your webapp, whilst / will only apply to the root page.

@gregw
Copy link
Contributor

gregw commented Jan 25, 2021

The problem could be with a OPTIONS * HTTP/1.1 request. We pass this first to a Server.handleOptions method and if that does nothing, then we do try to handle normally, but I'm not sure how a URI of * will be routed. Testing now.

@somayedubati
Copy link
Author

@janbartel and @gregw , thanks for your assistance!
I tried to give both / and /* options and did not help.
@gregw , thanks for testing on your end.

@gregw
Copy link
Contributor

gregw commented Jan 25, 2021

@somayedubati Do you know if the check is sending an OPTIONS * HTTP/1.0 request?
Currently I see that we will route such a request to the root context. Not sure how we could match *? Investigating more....

@gregw
Copy link
Contributor

gregw commented Jan 25, 2021

@somayedubati can you try with no url-pattern element at all?

@gregw
Copy link
Contributor

gregw commented Jan 25, 2021

@somayedubati We have tested the suggestion of @joakime and it is working for us, but it must be on the root context.
However, we have found some other problem with uncovered path warnings.

So perhaps you can try just adding:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

This may deploy with a warning, but should work.

@sbordet
Copy link
Contributor

sbordet commented Jan 25, 2021

@somayedubati I would also question the tool you are using that reports OPTIONS as a moderate vulnerability.

OPTIONS is a legit HTTP method, it is heavily used in CORS and therefore important and necessary.

Reporting OPTIONS as moderate vulnerability would be like reporting GET as a moderate vulnerability, in general.

Maybe OPTIONS is reported as moderate vulnerability because your application responds to OPTIONS requests in the wrong way?

@somayedubati
Copy link
Author

@gregw , I was using the following based upon application of context. I was getting Forbidden if I use "/" as a context. I will try the new snippet and let you know.

<security-constraint>
<web-resource-collection>
  <web-resource-name>Disable OPTIONS</web-resource-name>
  <url-pattern>/api/*</url-pattern>
  <http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<security-constraint>
<web-resource-collection>
  <web-resource-name>Enable everything but OPTIONS</web-resource-name>
  <url-pattern>/api/*</url-pattern>
  <http-method-omission>OPTIONS</http-method-omission>
 </web-resource-collection>
</security-constraint>

@somayedubati
Copy link
Author

@sbordet , I will find out HTTP OPTIONS using. Thanks

@joakime
Copy link
Contributor

joakime commented Jan 25, 2021

It could be a misinterpretation of the report from your security tool.

The OPTIONS method is very much a required feature for nearly all modern browsers.
Please dig into the reason for that report, as it's probably something the tool is expecting in the response headers that isn't present.

@gregw
Copy link
Contributor

gregw commented Jan 26, 2021

@janbartel and I have found an issue with this. The main constraint to block OPTIONS works fine, but there is a problem combining the omitted methods as we already have the following in defaultweb.xml:

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/</url-pattern>
      <http-method-omission>TRACE</http-method-omission>
    </web-resource-collection>
  </security-constraint>

There is some strangeness in how the TRACE and OPTIONS omission constraints are merged. However, we do believe that the following will be sufficient to block all OPTIONS methods unless matched by some other more specific constraint that includes OPTIONS:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

gregw added a commit that referenced this issue Jan 26, 2021
Test to reproduce #5909
gregw added a commit that referenced this issue Jan 26, 2021
Fix #5909 Better handle merged RoleInfo
janbartel added a commit that referenced this issue Feb 2, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
@joakime joakime changed the title Disable HTTP OPTIONS Method in Jetty-9.4.18.20190429 Cannot disable HTTP OPTIONS Method Feb 19, 2021
This was referenced Mar 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants