[
https://issues.apache.org/jira/browse/NIFI-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16548602#comment-16548602
]
ASF GitHub Bot commented on NIFI-5442:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2908
"Safe" (whitelisted) but inaccurate context path:
<img width="1920" alt="screen shot 2018-07-18 at 5 13 17 pm"
src="https://user-images.githubusercontent.com/798465/42914275-563f38aa-8aae-11e8-9d23-33c5ce1b3dcb.png";>
Malicious context path:
<img width="1920" alt="screen shot 2018-07-18 at 5 13 37 pm"
src="https://user-images.githubusercontent.com/798465/42914274-5625db44-8aae-11e8-9cc1-9895cacf49eb.png";>
> Message Page uses raw X-ProxyContextPath
> ----------------------------------------
>
> Key: NIFI-5442
> URL: https://issues.apache.org/jira/browse/NIFI-5442
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.6.0
> Reporter: Dan Fike
> Assignee: Andy LoPresto
> Priority: Major
>
> It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim
> without sanitizing it or anything. See
> [https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
>
> I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured
> NiFi host to get the *User authentication/authorization is only supported
> when running over HTTPS* message page.
>
> {code:java}
> $ curl http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css"
> type="text/css" />
> ...
> $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\"
> type=\"text/css\" /><script
> type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\"
> href=\"" http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css"
> type="text/css" /><script type="text/javascript">alert("omg");</script><link
> rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
> ...{code}
>
> Presumably we want to do something like this:
> [https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
![https://user-images.githubusercontent.com/798465/42914275-563f38aa-8aae-11e8-9d23-33c5ce1b3dcb.png"](https://user-images.githubusercontent.com/798465/42914275-563f38aa-8aae-11e8-9d23-33c5ce1b3dcb.png"){kind=link}
![https://user-images.githubusercontent.com/798465/42914274-5625db44-8aae-11e8-9cc1-9895cacf49eb.png"](https://user-images.githubusercontent.com/798465/42914274-5625db44-8aae-11e8-9cc1-9895cacf49eb.png"){kind=link}