moresandeep opened a new pull request #70: KNOX-1817 - Fix XSS issues with Alias API
URL: https://github.com/apache/knox/pull/70
 
 
## What changes were proposed in this pull request?
The Alias API was passing user input back in some cases as a response without encoding; this was when an error was thrown or when a response message saying 'alias' for a 'topology' was created. This opens up the API for XSS attacks. The PR:

1. Adds encoding to the data that is going out as a response.
2. Decodes the user inputs - since the API uses application/x-www-form-urlencoded
   
## How was this patch tested?
The patch was tested manually, e.g.

```
curl -iku admin:admin-password -H "Content-Type: application/json" -d "value=mysecret" -X PUT 'https://localhost:8443/gateway/admin/api/v1/aliases/sandbox/somelongreallylongalias<>'
HTTP/1.1 201 Created
Date: Tue, 12 Mar 2019 19:54:00 GMT
Set-Cookie: KNOXSESSIONID=node0tb9bz05vhh6k1xpp0ti2p0vqh2.node0;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Mon, 11-Mar-2019 19:54:00 GMT
Content-Type: application/json
Content-Length: 85
Server: Jetty(9.4.15.v20190215)

{ "created" : { "topology": "sandbox", "alias": "somelongreallylongalias&lt;&gt;" } }
```
   
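The two changes the PR describes (decode the form-encoded input, encode whatever is echoed back) shown side by side on the request from the test above. This is an added illustration, not Knox code: the handler names, the error message text and the choice of `html.escape` as the encoder are assumptions; the request values are taken from the curl call in the description.

```python
import html
import json
from urllib.parse import parse_qs, unquote

# Constructed request mirroring the curl call in the PR description:
# PUT .../aliases/sandbox/somelongreallylongalias<>  with body value=mysecret
TOPOLOGY = "sandbox"
RAW_ALIAS = "somelongreallylongalias<>"   # path segment as received
RAW_BODY = "value=mysecret"               # application/x-www-form-urlencoded

def encode(text):
    """HTML-entity-encode anything derived from user input before it is echoed."""
    return html.escape(text, quote=True)

def create_alias_vulnerable(topology, alias, body):
    """'Before' behaviour: the alias (and error text) is echoed back verbatim."""
    if "value=" not in body:
        return {"error": "no value supplied for alias " + alias}  # message text is constructed
    return {"created": {"topology": topology, "alias": alias}}

def create_alias_hardened(topology, alias, body):
    """'After' behaviour: URL-decode the inputs, then encode everything echoed."""
    alias = unquote(alias)                           # path segment may arrive %-encoded
    params = parse_qs(body, keep_blank_values=True)  # decode the form-urlencoded body
    value = params.get("value", [""])[0]
    if not value:
        # Error responses echo input too, so they get the same encoding.
        return {"error": "no value supplied for alias " + encode(alias)}
    # `value` is the secret being stored; it is never echoed back.
    return {"created": {"topology": encode(topology), "alias": encode(alias)}}

def render(response):
    """Serialise as the API does (Content-Type: application/json)."""
    return json.dumps(response)

def echoes_raw_markup(rendered):
    """Detection check: does the serialised body still carry unencoded markup characters?"""
    return "<" in rendered or ">" in rendered

if __name__ == "__main__":
    print(render(create_alias_vulnerable(TOPOLOGY, RAW_ALIAS, RAW_BODY)))
    print(render(create_alias_hardened(TOPOLOGY, RAW_ALIAS, RAW_BODY)))
```

The hardened handler reproduces the `&lt;&gt;` alias seen in the tested response (whitespace of the real serialiser aside), and yields the same result whether the alias arrives as `<>` or `%3C%3E`, which is what the decode step buys.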

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
