Sanitize HTML in HTTP error messages #3453

Closed
AMoo-Miki opened this issue May 26, 2022 · 3 comments · Fixed by #3459
Labels
enhancement Enhancement or improvement to existing feature or request security Anything security related Severity-Minor

Comments

AMoo-Miki commented May 26, 2022

Describe the bug
Some HTTP error responses include unsanitized user inputs. Since the responses are JSON objects with content-type: application/json, this is not a security vulnerability but common security scanners raise a false-positive.

To Reproduce
Steps to reproduce the behavior:

  1. Run curl "https://.../<script>cross_site_scripting.nasl</script>.asp" --verbose
  2. See <script>cross_site_scripting.nasl</script>

Expected behavior
%3Cscript%3Ecross_site_scripting.nasl%3C/script%3E or at the very least, cross_site_scripting.nasl.

Additional context

  • This false-positive is raised by a Nessus plugin.
  • There could be other instances of such unsanitized inputs in the HTTP output which I did not come across.
@AMoo-Miki AMoo-Miki added bug Something isn't working untriaged labels May 26, 2022
tlfeng (Collaborator) commented May 26, 2022

Got to understand the problem after looking through an old issue for Elasticsearch: https://github.com/elastic/elasticsearch/issues/4474
As said above, the error message is returned as mime-type application/json, which can't contain active (script) content, so it's not a vulnerability. Besides, no browsers are going to render it as HTML when the mime-type is that.
So the solution only aims to satisfy the common security scanners.

@tlfeng tlfeng added Severity-Minor security Anything security related enhancement Enhancement or improvement to existing feature or request and removed untriaged bug Something isn't working labels May 27, 2022
tlfeng (Collaborator) commented May 27, 2022

Hi @AMoo-Miki , I created a PR #3459 to resolve the issue, please take a look when you have time. 😁

tlfeng (Collaborator) commented Jun 2, 2022

The solution:
In the comment #3459 (comment), it was found that an invalid HTTP method from user input can contain HTML script as well.

The PR #3459 filtered out the unescaped HTML special characters in both the URI and the HTTP method.
If the URI is valid, the error message remains.
If the URI is not valid, the change is:
old error message: {"error":"no handler found for uri [/<script>cross_site_scripting.nasl</script>.asp] and method [GET]"}
new error message: {"error":"invalid uri has been requested"}

If the HTTP method is not defined in the enum: https://github.com/opensearch-project/OpenSearch/blob/2.0.0/server/src/main/java/org/opensearch/rest/RestRequest.java#L236, the change is:
old error message: {"error":"Unexpected http method: <script>alert(\"!\")</script>","status":405}
new error message: {"error":"Unexpected http method","status":405}

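The behaviour change described in the comment above, re-created in Python as an added example (this is not the project's code; the method list, the HTML-special-character set and the `reflects_input` check are assumptions used to make the before/after difference testable):

```python
import json
import re

# Assumed set of recognised HTTP methods, standing in for the RestRequest method enum
# referenced in the comment. Anything else is treated as "not defined in the enum".
VALID_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH", "TRACE", "CONNECT"}

# Characters a scanner treats as unescaped HTML markup when they are reflected into a body.
HTML_SPECIAL = re.compile(r'[<>&"\']')


def old_error_message(uri: str, method: str) -> dict:
    """Pre-fix behaviour: request-controlled values are echoed verbatim into the JSON error."""
    if method not in VALID_METHODS:
        return {"error": f"Unexpected http method: {method}", "status": 405}
    return {"error": f"no handler found for uri [{uri}] and method [{method}]"}


def new_error_message(uri: str, method: str) -> dict:
    """Post-fix behaviour as described in the issue: an undefined method is reported without
    echoing it, a URI carrying unescaped HTML special characters is replaced by a generic
    message, and a valid-but-unhandled URI keeps the original message."""
    if method not in VALID_METHODS:
        return {"error": "Unexpected http method", "status": 405}
    if HTML_SPECIAL.search(uri):
        return {"error": "invalid uri has been requested"}
    return {"error": f"no handler found for uri [{uri}] and method [{method}]"}


def reflects_input(body: dict, *inputs: str) -> bool:
    """The check a scanner effectively performs: does a request value that contains HTML
    special characters appear verbatim in any string field of the response body?"""
    return any(
        i in v
        for i in inputs
        if HTML_SPECIAL.search(i)
        for v in body.values()
        if isinstance(v, str)
    )


if __name__ == "__main__":
    # Constructed request values taken from the issue's own reproduction steps.
    uri = "/<script>cross_site_scripting.nasl</script>.asp"
    for build in (old_error_message, new_error_message):
        body = build(uri, "GET")
        # The response is still JSON with content-type application/json either way;
        # only the reflection of the request value differs.
        print(build.__name__, json.dumps(body), "reflects:", reflects_input(body, uri))
```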