[NEV-84] [Arender] The request to create an annotation in Nuxeo from Arender is blocked by WAF because of XSS issues - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: 1.0.2
Component/s: Nuxeo Connector

Tags:
- nbm
- nxcore
- security
Sprint:
nxcore 10.3.7, nxcore 10.3.8
Story Points:
2

Description

The POST request for : /nuxeo/api/v1/repo/default/id/da430f99-803e-4458-9930-2cfadf2a44fa/@annotation is blocked by the basic XSS Rule

{"timestamp":1537031619336,"formatVersion":1,"webaclId":"c3f25c4d-c27a-49f1-88ee-d1c89cf7ed34","terminatingRuleId":"845d8050-6789-4178-971a-59d097de3033","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"CF","httpSourceId":"E1W5XNI8Y3L502","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"24776fdc-c115-47fa-b737-e4a53bb08ee7","limitKey":"IP","maxRateAllowed":2000}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"18.210.99.30","country":"US","headers":[{"name":"Host","value":"nbm-staging.nuxeo.io"},{"name":"Content-Length","value":"824"},{"name":"X-Authentication-Token","value":"f114bafc-fe3f-4c06-b726-c531fbec9ff9"},{"name":"User-Agent","value":"okhttp/3.1.1 NuxeoJavaClient/3.1.0"},{"name":"Content-Type","value":"application/json; charset=UTF-8"},{"name":"Accept-Encoding","value":"gzip"}],"uri":"/nuxeo/api/v1/repo/default/id/da430f99-803e-4458-9930-2cfadf2a44fa/@annotation","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"k9w0rSGInaAY7VRyCVRP2MpoA_1S7Oh5w92KlK1wKjag-pzWllkx-Q=="}}

The rule is testing for following:

Body contains a cross-site scripting threat after decoding as URL.
Query string contains a cross-site scripting threat after decoding as HTML tags.
Body contains a cross-site scripting threat after decoding as HTML tags.
URI contains a cross-site scripting threat after decoding as HTML tags.
Header 'cookie' contains a cross-site scripting threat after decoding as HTML tags.
Query string contains a cross-site scripting threat after decoding as URL.
URI contains a cross-site scripting threat after decoding as URL.
Header 'cookie' contains a cross-site scripting threat after decoding as URL.

Looks like this happens because we sent the serialized arender entity back to Nuxeo:

{
 ...,
 "entity": "<xml>...</xml>"
}

and the xml is not escaped .

Attachments

Activity

People

Assignee:

Funsho David

Reporter:

Mariana Cedica

Participants:

Florent Guillaume, Funsho David, Mariana Cedica

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

2018-09-17 16:36

Updated:

2019-09-02 14:47

Resolved:

2018-10-24 14:05

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: