This is an automated email from the ASF dual-hosted git repository.
ocket8888 pushed a commit to branch 5.1.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/5.1.x by this push:
new c37533d Fix email content injection (#6108)
c37533d is described below
commit c37533d4001532f5a3633905be3e4a8ac315cc59
Author: ocket8888 <[email protected]>
AuthorDate: Mon Aug 16 16:57:59 2021 -0600
Fix email content injection (#6108)
* Disallow newlines in customer name
* Update documentation
* Updated changelog
(cherry picked from commit 133fa748d5fe2d963fd6dfbdb1421d0a6f0f1775)
---
CHANGELOG.md | 4 ++++
docs/source/api/v2/deliveryservices_request.rst | 10 +++++++---
docs/source/api/v3/deliveryservices_request.rst | 10 +++++++---
lib/go-tc/deliveryservice_requests.go | 17 +++++++++++++++--
4 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d727704..1a94e1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this
file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
+## [5.1.3] - 2021-10-05
+### Changed
+- Customer names in payloads sent to the `/deliveryservices/request` Traffic
Ops API endpoint can no longer contain characters besides alphanumerics, @, !,
#, $, %, ^, &, *, (, ), [, ], '.', ' ', and '-'. This fixes a vulnerability
that allowed email content injection.
+
## [5.1.2] - 2021-04-07
### Fixed
- Fixed the return error for GET api `cdns/routing` to avoid incorrect success
response.
diff --git a/docs/source/api/v2/deliveryservices_request.rst
b/docs/source/api/v2/deliveryservices_request.rst
index 42bc0a7..f376056 100644
--- a/docs/source/api/v2/deliveryservices_request.rst
+++ b/docs/source/api/v2/deliveryservices_request.rst
@@ -33,7 +33,11 @@ Request Structure
-----------------
:details: An object describing the actual parameters for the Delivery Service
request
- :customer: Name of the customer associated with the
:term:`Delivery Service`
+ :customer: Name of the customer associated with the :term:`Delivery
Service` - must only contain alphanumeric characters and the characters
:kbd:`@`, :kbd:`!`, :kbd:`#`, :kbd:`$`, :kbd:`%`, :kbd:`^`, :kbd:`&`, :kbd:`*`,
:kbd:`(`, :kbd:`)`, :kbd:`[`, :kbd:`]`, :kbd:`.`, :kbd:` `, and :kbd:`-`
+
+ .. versionchanged:: ATCv6
+ Prior to ATC version 6, this field had no restrictions.
+
:deepCachingType: An optional string describing when to do Deep Caching
for this :term:`Delivery Service` - one of:
NEVER
@@ -112,8 +116,8 @@ Request Structure
"hasNegativeCachingCustomization": false,
"negativeCachingCustomizationNote": "",
"serviceAliases": [],
- "rateLimitingGBPS": "less than 50",
- "rateLimitingTPS": "no more than 5000",
+ "rateLimitingGBPS": 50,
+ "rateLimitingTPS": 5000,
"overflowService": null,
"headerRewriteEdge": "",
"headerRewriteMid": "",
diff --git a/docs/source/api/v3/deliveryservices_request.rst
b/docs/source/api/v3/deliveryservices_request.rst
index 9761fbd..fa02415 100644
--- a/docs/source/api/v3/deliveryservices_request.rst
+++ b/docs/source/api/v3/deliveryservices_request.rst
@@ -33,7 +33,11 @@ Request Structure
-----------------
:details: An object describing the actual parameters for the Delivery Service
request
- :customer: Name of the customer associated with the
:term:`Delivery Service`
+ :customer: Name of the customer associated with the :term:`Delivery
Service` - must only contain alphanumeric characters and the characters
:kbd:`@`, :kbd:`!`, :kbd:`#`, :kbd:`$`, :kbd:`%`, :kbd:`^`, :kbd:`&`, :kbd:`*`,
:kbd:`(`, :kbd:`)`, :kbd:`[`, :kbd:`]`, :kbd:`.`, :kbd:` `, and :kbd:`-`
+
+ .. versionchanged:: ATCv6
+ Prior to ATC version 6, this field had no restrictions.
+
:deepCachingType: An optional string describing when to do Deep Caching
for this :term:`Delivery Service` - one of:
NEVER
@@ -112,8 +116,8 @@ Request Structure
"hasNegativeCachingCustomization": false,
"negativeCachingCustomizationNote": "",
"serviceAliases": [],
- "rateLimitingGBPS": "less than 50",
- "rateLimitingTPS": "no more than 5000",
+ "rateLimitingGBPS": 50,
+ "rateLimitingTPS": 5000,
"overflowService": null,
"headerRewriteEdge": "",
"headerRewriteMid": "",
diff --git a/lib/go-tc/deliveryservice_requests.go
b/lib/go-tc/deliveryservice_requests.go
index b156564..28e35d9 100644
--- a/lib/go-tc/deliveryservice_requests.go
+++ b/lib/go-tc/deliveryservice_requests.go
@@ -21,6 +21,7 @@ import (
"errors"
"fmt"
"html/template"
+ "regexp"
"strconv"
"strings"
@@ -34,6 +35,10 @@ import (
// EmailTemplate is an html/template.Template for formatting
DeliveryServiceRequestRequests into
// text/html email bodies. Its direct use is discouraged, instead use
// DeliveryServiceRequestRequest.Format.
+//
+// Deprecated: Delivery Services Requests have been deprecated in favor of
+// Delivery Service Requests, and will be removed from the Traffic Ops API at
+// some point in the future.
var EmailTemplate = template.Must(template.New("Email
Template").Parse(`<!DOCTYPE html>
<html lang="en-US">
<head>
@@ -157,6 +162,10 @@ pre {
type IDNoMod int
// DeliveryServiceRequestRequest is a literal request to make a Delivery
Service.
+//
+// Deprecated: Delivery Services Requests have been deprecated in favor of
+// Delivery Service Requests, and will be removed from the Traffic Ops API at
+// some point in the future.
type DeliveryServiceRequestRequest struct {
// EmailTo is the email address that is ultimately the destination of a
formatted DeliveryServiceRequestRequest.
EmailTo string `json:"emailTo"`
@@ -166,6 +175,10 @@ type DeliveryServiceRequestRequest struct {
// DeliveryServiceRequestDetails holds information about what a user is trying
// to change, with respect to a delivery service.
+//
+// Deprecated: Delivery Services Requests have been deprecated in favor of
+// Delivery Service Requests, and will be removed from the Traffic Ops API at
+// some point in the future.
type DeliveryServiceRequestDetails struct {
// ContentType is the type of content to be delivered, e.g. "static",
"VOD" etc.
ContentType string `json:"contentType"`
@@ -253,7 +266,7 @@ func (d DeliveryServiceRequestDetails) Format() (string,
error) {
b := &strings.Builder{}
if err := EmailTemplate.Execute(b, d); err != nil {
- return "", fmt.Errorf("Failed to apply template: %v", err)
+ return "", fmt.Errorf("Failed to apply template: %w", err)
}
return b.String(), nil
}
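Review bot: The error string on the changed `fmt.Errorf` line keeps a capitalised "Failed to" prefix, which Go convention avoids because wrapped errors are chained into a sentence; `return "", fmt.Errorf("applying email template: %w", err)` reads better and still carries the template error. Moving from `%v` to `%w` is the right change here, since callers can now inspect the underlying template error with `errors.Is`/`errors.As` instead of matching on text.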
@@ -273,7 +286,7 @@ func (d *DeliveryServiceRequestRequest) Validate() error {
details := d.Details
err = validation.ValidateStruct(&details,
validation.Field(&details.ContentType, validation.Required),
- validation.Field(&details.Customer, validation.Required),
+ validation.Field(&details.Customer, validation.Required,
validation.Match(regexp.MustCompile(`^[\w@!#$%^&\*\(\)\[\]\. -]+$`))),
validation.Field(&details.DeepCachingType, validation.By(
func(t interface{}) error {
if t != (*DeepCachingType)(nil) &&
*t.(*DeepCachingType) == DeepCachingTypeInvalid {
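Review bot: The character class `\w` in the new regexp on the `details.Customer` line admits `_` and, under Go's RE2, matches ASCII letters and digits only, so the accepted set differs from the "alphanumerics plus the listed punctuation" described by the CHANGELOG and the v2/v3 docs in this same commit, and any non-ASCII customer name is now rejected. Spelling the class out as `^[0-9A-Za-z@!#$%^&*()\[\]. -]+$` makes the code match the documentation (or the docs should list `_`); either way CR and LF are excluded, and Go's `$` anchors at end of text rather than before a trailing newline, so the allowlist does close the injection vector. `regexp.MustCompile` is also re-run on every `Validate` call; hoisting it to a package-level `var customerNameRegex = regexp.MustCompile(...)` and passing `validation.Match(customerNameRegex)` compiles the pattern once and surfaces a bad pattern at startup rather than at request time. Only `Customer` receives the allowlist; if any other `details` string is also placed into an email header (not visible in this hunk), it would need the same treatment. `Validate` begins before this hunk and continues past it, and the docs hunks tag the restriction `versionchanged:: ATCv6` while the CHANGELOG records it under 5.1.3, which will mislead readers of the 5.1.x documentation.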