Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.x, 3.1.x
Component/s: Web UI
Release Notes Summary: Added the nuxeo.web.ui.trustedDomains property in nuxeo.conf. It allows specifying the list of domains to which navigation is allowed when using a multi-repository configuration. Takes a list of domains separated by commas (e.g., hyland.com,hyland.net).
Epic Link:
Tags:
Sprint: UI - 2024-5, UI COOLDOWN - 2024-5, UI - 2024-6, UI - 2024-8
Story Points: 3
MEDIUM - 1 Finding
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Flaw Category: Insufficient Input Validation
Description: The web application accepts untrusted input that specifies a link to an external site and uses that link to generate a redirect. This enables phishing attacks: a victim who follows a link that starts on the trusted Web UI host can be silently sent to an attacker-controlled site.
Remediation: Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines where possible. Check the supplied URL against an allowlist of approved URLs or domains before redirecting; compare the parsed host name, not the raw string, so that prefixes, userinfo (user@host) and look-alike domains cannot bypass the check.
Screenshot with the code details in Web UI attached.
AC
- URLs are validated before being used in a redirect
- A nuxeo.conf property can be configured to set up an allowlist of domains Web UI is allowed to redirect to
- The property is called nuxeo.web.ui.trustedDomains
- The property takes a list of domains separated by commas, e.g. domain1,domain2
- When the value is empty or not configured, all domains are considered allowed
- When the value is filled in, Web UI only allows redirects to the external domains that have been configured
- Subdomains of the domains in the list are allowed as well (e.g., configuring nuxeo.com is enough to allow both nuxeo.com and www.nuxeo.com; there is no need to list both)
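The following is an added illustration of the check these acceptance criteria describe, written for this page; it is not Nuxeo Web UI code. It assumes the Web UI's own origin is `https://nuxeo.example.com` (hypothetical) and that redirects to that same origin are always allowed, since the criteria only restrict external domains. The property value is parsed as a comma-separated list, an empty value allows everything, and a host matches a configured domain either exactly or as a subdomain (`host.endsWith('.' + domain)`), so `nuxeo.com.attacker.test` or `nuxeo.com@attacker.test` do not pass. Only `http:` and `https:` targets are accepted, which also blocks `javascript:` and `data:` URLs.

```javascript
// Added example (not Nuxeo code): allowlist check for redirect targets,
// following the nuxeo.web.ui.trustedDomains acceptance criteria.

// Assumption: the origin the Web UI itself is served from.
const BASE_ORIGIN = 'https://nuxeo.example.com';

// Parse the nuxeo.conf value: "hyland.com, hyland.net" -> ['hyland.com', 'hyland.net'].
// Empty / undefined yields [] which, per the AC, means "all domains allowed".
function parseTrustedDomains(value) {
  return (value || '')
    .split(',')
    .map((d) => d.trim().toLowerCase().replace(/^\.+/, '').replace(/\.+$/, ''))
    .filter((d) => d.length > 0);
}

// Exact match or subdomain match; a plain substring/suffix test would accept
// "evilnuxeo.com" or "nuxeo.com.attacker.test", so the dot boundary matters.
function hostMatchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Decide whether `target` (the raw, untrusted redirect parameter) may be followed.
function isTrustedRedirect(target, trustedDomainsValue, baseOrigin = BASE_ORIGIN) {
  let url;
  try {
    // Resolves relative ("/nuxeo/ui") and protocol-relative ("//host") targets
    // against the UI's origin; unparsable input is rejected.
    url = new URL(String(target), baseOrigin);
  } catch (e) {
    return false;
  }
  // Only web schemes: blocks javascript:, data:, vbscript:, file: ...
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Assumption: redirects back to the UI's own origin are always fine.
  if (url.origin === baseOrigin) return true;

  const trusted = parseTrustedDomains(trustedDomainsValue);
  if (trusted.length === 0) return true; // property empty: all domains allowed

  // url.hostname excludes port and userinfo, so "nuxeo.com@attacker.test"
  // is seen as attacker.test; strip a trailing dot (FQDN form) for comparison.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  return trusted.some((d) => hostMatchesDomain(host, d));
}

// What a redirect handler would use: the original target if trusted, else a safe fallback.
function safeRedirectTarget(target, trustedDomainsValue, fallback = '/') {
  return isTrustedRedirect(target, trustedDomainsValue) ? target : fallback;
}

// Constructed sample inputs, printed when the file is run directly.
if (typeof require !== 'undefined' && require.main === module) {
  const conf = 'hyland.com, hyland.net';
  for (const t of [
    'https://docs.hyland.net/x',
    'https://hyland.com.attacker.test/',
    'https://hyland.com@attacker.test/',
    '//attacker.test/',
    'javascript:alert(1)',
    '/nuxeo/ui/#!/browse',
  ]) {
    console.log(`${t} -> ${safeRedirectTarget(t, conf)}`);
  }
}
```

Note that the decision is made on the parsed `hostname`, never on the raw string: `new URL('https://hyland.com@attacker.test/')` reports `attacker.test` as the host, and `//attacker.test/` resolves to an absolute https URL on the attacker's host, which is why both are rejected above.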
is related to: NXDOC-2715 update nuxeo document for adding new property trustedDomain in nuxeo conf file (Resolved)