
[radar-gateway] Configure radar-gateway to mitigate XSS attack vector #253

Closed
wants to merge 1 commit into from

Conversation

pvannierop

Background

Nginx decodes the URI before passing it to the backend server. This is dangerous because it can allow for XSS attacks. Grizzly servers have a bug where they send the decoded URI as part of error messages (see Graylog2/graylog2-server#3171).

Change

To prevent XSS attacks, we need to re-encode the URI ($request_uri is the original encoded request) before passing it to the Grizzly server.

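The weak and corrected proxy configurations described above, as an added example that is not part of this PR or the project's own configuration (the upstream name `radar_gateway_upstream`, the port and the `/weak/` prefix are assumptions):

```nginx
# Added example, not the project's configuration; upstream name, port and
# the /weak/ prefix are assumptions.
upstream radar_gateway_upstream {
    server 127.0.0.1:8090;
}

server {
    listen 80;

    # Weak: a rewrite (or a proxy_pass with a URI part) makes nginx forward
    # the normalized, percent-decoded $uri. The Grizzly backend then receives
    # characters such as "<" literally and, because of the bug referenced
    # above, may echo them back unescaped in an error message.
    location /weak/ {
        rewrite ^/weak/(.*)$ /$1 break;
        proxy_pass http://radar_gateway_upstream;
    }

    # Corrected: $request_uri is the original request line exactly as the
    # client sent it, still percent-encoded and including the query string,
    # so the backend never sees decoded characters.
    location / {
        proxy_pass http://radar_gateway_upstream$request_uri;
        proxy_set_header Host $host;
    }
}
```

Because $request_uri already carries the query string, do not append $args; if a path prefix must be stripped, derive the upstream path from $request_uri (for example with a map) rather than with rewrite, which reintroduces the decoded form.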
@pvannierop pvannierop self-assigned this Apr 11, 2024
@pvannierop pvannierop changed the base branch from main to dev April 11, 2024 10:12
Member

@Bdegraaf1234 Bdegraaf1234 left a comment


Good work, let's keep track of the XSS stuff in an issue as we do quite some rewrites?

@yatharthranjan
Member

do we need this in other services which use Grizzly (push-endpoint, rest-source-auth, etc)?

@keyvaann
Collaborator

keyvaann commented May 2, 2024

@pvannierop Could we implement this in the radar-gateway helm chart instead of this repository?

@pvannierop
Author

do we need this in other services which use Grizzly (push-endpoint, rest-source-auth, etc)?

@yatharthranjan I was not aware of these other components using Grizzly. But yes, if Grizzly is in use there, the fix should also be applied there.

@pvannierop pvannierop requested a review from keyvaann May 29, 2024 09:08
Collaborator

@keyvaann keyvaann left a comment


Could we implement this in the radar-gateway helm chart instead of this repository?

@pvannierop
Author

@keyvaann Yes, we can do this. I will make the PR and close this one.

@pvannierop pvannierop closed this May 29, 2024
@pvannierop
Author

New PR is here

@Bdegraaf1234 Bdegraaf1234 deleted the fix_rewrite_vulnerability branch June 13, 2024 09:33