Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[radar-gateway] Configure radar-gataway to mitigate XSS attack vector #198

Merged
merged 1 commit into from
Jun 11, 2024
Merged

[radar-gateway] Configure radar-gataway to mitigate XSS attack vector #198

merged 1 commit into from
Jun 11, 2024

Conversation

pvannierop
Copy link
Collaborator

Background

Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see Graylog2/graylog2-server#3171).

Change

To prevent XSS attacks, we need to re-encode the uri ($request_uri is the original encoded request) before passing it to the Grizzly server.

@pvannierop pvannierop requested a review from keyvaann May 29, 2024 12:34
@pvannierop pvannierop self-assigned this May 29, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 29, 2024
edited
Loading

Great PR! Please pay attention to the following items before merging:

Files matching charts/*/values.yaml:

  • Is the PR adding a new container? Please reviewer, add it to the models (internal process)
  • Is the PR adding a new parameter? Please, ensure it’s documented in the README.md

This is an automatically generated QA checklist based on modified files.

@pvannierop pvannierop mentioned this pull request May 29, 2024
Closed
keyvaann
keyvaann requested changes May 29, 2024
View reviewed changes
Copy link
Collaborator

@keyvaann keyvaann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix the build

@pvannierop
Add path rewrite to radar_gateway
c0fe577 
Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see Graylog2/graylog2-server#3171). To prevent this, we need to re-encode the uri ($request_uri is the original encoded request) before passing it to the Grizzly server.
@pvannierop pvannierop requested a review from keyvaann June 10, 2024 14:05
keyvaann
keyvaann approved these changes Jun 10, 2024
View reviewed changes
Copy link
Collaborator

@keyvaann keyvaann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@keyvaann keyvaann merged commit 75c402e into main Jun 11, 2024
4 checks passed
@keyvaann keyvaann deleted the fix-xss-vulnerability branch June 11, 2024 07:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keyvaann keyvaann keyvaann approved these changes

Assignees

@pvannierop pvannierop

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pvannierop @keyvaann