This is an automated email from the ASF dual-hosted git repository.

zrhoffman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 133fa74  Fix email content injection (#6108)
133fa74 is described below

commit 133fa748d5fe2d963fd6dfbdb1421d0a6f0f1775
Author: ocket8888 <[email protected]>
AuthorDate: Mon Aug 16 16:57:59 2021 -0600

    Fix email content injection (#6108)
    
    * Disallow newlines in customer name
    
    * Update documentation
    
    * Updated changelog
---
 CHANGELOG.md                                    |  1 +
 docs/source/api/v2/deliveryservices_request.rst | 10 +++++++---
 docs/source/api/v3/deliveryservices_request.rst | 10 +++++++---
 lib/go-tc/deliveryservice_requests.go           | 17 +++++++++++++++--
 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8649ef..b4539b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -121,6 +121,7 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 - lib/go-atscfg Make funcs to take Opts, to reduce future breaking changes.
 - CDN in a Box now uses `t3c` for cache configuration.
 - CDN in a Box now uses Apache Traffic Server 8.1.
+- Customer names in payloads sent to the `/deliveryservices/request` Traffic 
Ops API endpoint can no longer contain characters besides alphanumerics, @, !, 
#, $, %, ^, &amp;, *, (, ), [, ], '.', ' ', and '-'. This fixes a vulnerability 
that allowed email content injection.
 
 ### Deprecated
 - The Riak Traffic Vault backend is now deprecated and its support may be 
removed in a future release. It is highly recommended to use the new PostgreSQL 
backend instead.
diff --git a/docs/source/api/v2/deliveryservices_request.rst 
b/docs/source/api/v2/deliveryservices_request.rst
index 006587b..05d91b9 100644
--- a/docs/source/api/v2/deliveryservices_request.rst
+++ b/docs/source/api/v2/deliveryservices_request.rst
@@ -36,7 +36,11 @@ Request Structure
 -----------------
 :details: An object describing the actual parameters for the Delivery Service 
request
 
-       :customer:        Name of the customer associated with the 
:term:`Delivery Service`
+       :customer: Name of the customer associated with the :term:`Delivery 
Service` - must only contain alphanumeric characters and the characters 
:kbd:`@`, :kbd:`!`, :kbd:`#`, :kbd:`$`, :kbd:`%`, :kbd:`^`, :kbd:`&`, :kbd:`*`, 
:kbd:`(`, :kbd:`)`, :kbd:`[`, :kbd:`]`, :kbd:`.`, :kbd:` `, and :kbd:`-`
+
+               .. versionchanged:: ATCv6
+                       Prior to ATC version 6, this field had no restrictions.
+
        :deepCachingType: An optional string describing when to do Deep Caching 
for this :term:`Delivery Service` - one of:
 
                NEVER
@@ -115,8 +119,8 @@ Request Structure
                "hasNegativeCachingCustomization": false,
                "negativeCachingCustomizationNote": "",
                "serviceAliases": [],
-               "rateLimitingGBPS": "less than 50",
-               "rateLimitingTPS": "no more than 5000",
+               "rateLimitingGBPS": 50,
+               "rateLimitingTPS": 5000,
                "overflowService": null,
                "headerRewriteEdge": "",
                "headerRewriteMid": "",
diff --git a/docs/source/api/v3/deliveryservices_request.rst 
b/docs/source/api/v3/deliveryservices_request.rst
index d4c3a46..d00bac1 100644
--- a/docs/source/api/v3/deliveryservices_request.rst
+++ b/docs/source/api/v3/deliveryservices_request.rst
@@ -36,7 +36,11 @@ Request Structure
 -----------------
 :details: An object describing the actual parameters for the Delivery Service 
request
 
-       :customer:        Name of the customer associated with the 
:term:`Delivery Service`
+       :customer: Name of the customer associated with the :term:`Delivery 
Service` - must only contain alphanumeric characters and the characters 
:kbd:`@`, :kbd:`!`, :kbd:`#`, :kbd:`$`, :kbd:`%`, :kbd:`^`, :kbd:`&`, :kbd:`*`, 
:kbd:`(`, :kbd:`)`, :kbd:`[`, :kbd:`]`, :kbd:`.`, :kbd:` `, and :kbd:`-`
+
+       .. versionchanged:: ATCv6
+               Prior to ATC version 6, this field had no restrictions.
+
        :deepCachingType: An optional string describing when to do Deep Caching 
for this :term:`Delivery Service` - one of:
 
                NEVER
@@ -115,8 +119,8 @@ Request Structure
                "hasNegativeCachingCustomization": false,
                "negativeCachingCustomizationNote": "",
                "serviceAliases": [],
-               "rateLimitingGBPS": "less than 50",
-               "rateLimitingTPS": "no more than 5000",
+               "rateLimitingGBPS": 50,
+               "rateLimitingTPS": 5000,
                "overflowService": null,
                "headerRewriteEdge": "",
                "headerRewriteMid": "",
diff --git a/lib/go-tc/deliveryservice_requests.go 
b/lib/go-tc/deliveryservice_requests.go
index 75ecdb9..eb64110 100644
--- a/lib/go-tc/deliveryservice_requests.go
+++ b/lib/go-tc/deliveryservice_requests.go
@@ -22,6 +22,7 @@ import (
        "errors"
        "fmt"
        "html/template"
+       "regexp"
        "strconv"
        "strings"
        "time"
@@ -36,6 +37,10 @@ import (
 // EmailTemplate is an html/template.Template for formatting 
DeliveryServiceRequestRequests into
 // text/html email bodies. Its direct use is discouraged, instead use
 // DeliveryServiceRequestRequest.Format.
+//
+// Deprecated: Delivery Services Requests have been deprecated in favor of
+// Delivery Service Requests, and will be removed from the Traffic Ops API at
+// some point in the future.
 var EmailTemplate = template.Must(template.New("Email 
Template").Parse(`<!DOCTYPE html>
 <html lang="en-US">
 <head>
@@ -159,6 +164,10 @@ pre {
 type IDNoMod int
 
 // DeliveryServiceRequestRequest is a literal request to make a Delivery 
Service.
+//
+// Deprecated: Delivery Services Requests have been deprecated in favor of
+// Delivery Service Requests, and will be removed from the Traffic Ops API at
+// some point in the future.
 type DeliveryServiceRequestRequest struct {
        // EmailTo is the email address that is ultimately the destination of a 
formatted DeliveryServiceRequestRequest.
        EmailTo string `json:"emailTo"`
@@ -168,6 +177,10 @@ type DeliveryServiceRequestRequest struct {
 
 // DeliveryServiceRequestDetails holds information about what a user is trying
 // to change, with respect to a delivery service.
+//
+// Deprecated: Delivery Services Requests have been deprecated in favor of
+// Delivery Service Requests, and will be removed from the Traffic Ops API at
+// some point in the future.
 type DeliveryServiceRequestDetails struct {
        // ContentType is the type of content to be delivered, e.g. "static", 
"VOD" etc.
        ContentType string `json:"contentType"`
@@ -255,7 +268,7 @@ func (d DeliveryServiceRequestDetails) Format() (string, 
error) {
        b := &strings.Builder{}
 
        if err := EmailTemplate.Execute(b, d); err != nil {
-               return "", fmt.Errorf("Failed to apply template: %v", err)
+               return "", fmt.Errorf("Failed to apply template: %w", err)
        }
        return b.String(), nil
 }
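Review bot: The rewritten `return "", fmt.Errorf("Failed to apply template: %w", err)` keeps a capitalised, "Failed to"-prefixed message, which Go convention avoids because the prefix becomes redundant once the error is chained by a caller; a form like `fmt.Errorf("applying email template: %w", err)` reads better in a wrapped chain. The switch to `%w` itself is right, since it lets callers use errors.Is/As on the underlying template error. This is a style point only, and it applies to a message that predates the commit; if any caller or test matches on the exact string, leave it as is. Format's signature sits outside the hunk.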
@@ -275,7 +288,7 @@ func (d *DeliveryServiceRequestRequest) Validate() error {
        details := d.Details
        err = validation.ValidateStruct(&details,
                validation.Field(&details.ContentType, validation.Required),
-               validation.Field(&details.Customer, validation.Required),
+               validation.Field(&details.Customer, validation.Required, 
validation.Match(regexp.MustCompile(`^[\w@!#$%^&\*\(\)\[\]\. -]+$`))),
                validation.Field(&details.DeepCachingType, validation.By(
                        func(t interface{}) error {
                                if t != (*DeepCachingType)(nil) && 
*t.(*DeepCachingType) == DeepCachingTypeInvalid {
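Review bot: The added `validation.Match(regexp.MustCompile(...))` compiles the customer-name pattern on every call to Validate, which also means a malformed pattern would panic at request time rather than at package init; hoist it to a package-level `var customerNameRegex = regexp.MustCompile(...)` holding the same pattern and use `validation.Match(customerNameRegex)` in the field rule. The character class relies on `\w`, which in Go's RE2 syntax is ASCII `[0-9A-Za-z_]`: underscore is therefore accepted although neither the CHANGELOG entry nor the two .rst hunks list it, and customer names containing non-ASCII letters are rejected outright, so either the pattern or the documentation should be reconciled. On the positive side, because `$` without the `m` flag only matches at end of text in Go, a trailing CR or LF is rejected rather than tolerated, which is what actually closes the injection path described in the commit message. Validate begins before and continues after this hunk, so any other Customer-related rule outside it could not be checked here.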
