[ https://issues.apache.org/jira/browse/NIFI-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16548606#comment-16548606 ]

ASF GitHub Bot commented on NIFI-5442:
--------------------------------------

Github user danfike commented on the issue:

    https://github.com/apache/nifi/pull/2908
  
    I actually also don't have an instance set up with a proxy either. I've just been directly poking a simple unsecured NiFi instance (without a proxy) using `curl`.
    
    I guess I'd expect it to work like `index.jsp`. Consider my simple unsecured NiFi instance with no proxy set up. If I hit `http://hostname/` (without a `/nifi` path), I get a simple page advising I probably meant to add `/nifi` to the end (`index.jsp`). You can see this easily enough with `curl http://hostname/`. Note the stylesheet paths all start with `/nifi/...`.
    
    If I add `--header "X-ProxyContextPath: foo"` to my `curl` (note that I'm still hitting NiFi directly; there is no actual proxy in place), you'll notice there is *no change* to the stylesheet paths unless I "whitelist" the path `foo` in `nifi.properties` at `nifi.web.proxy.context.path`. In that case, we'd see the request response references stylesheet paths starting with `/foo/nifi/...`. This is what I'd expect given https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
    
    I'd expect requests that use `message-page.jsp` to do something similar. I've been using `curl` to `GET /nifi-api/access/oidc/callback` on my unsecured cluster with no proxy in front. It is just an easy way to land at the Message Page and get it to render to test this behavior. I'd expect it to behave as above.
    
    (I'd embed the full shell text illustrating this but I don't have that available at this moment.)
    
    I poked around this issue a bit earlier today. I *thought* I tried exactly your fix (on top of 1.6.0 stable) and discovered that all message page renders were failing because of `setAttribute("contextPath")` never being called in this case. So no matter whether the header was absent, present and safe, present and whitelisted, or present and unsafe, the requests all failed.
    
    It looked to me like we'd need to add something to https://github.com/apache/nifi/blob/46ce7aaa3298fa32d7f0c6beca9d45c5d43d3180/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java#L805 that is similar to https://github.com/apache/nifi/blob/46ce7aaa3298fa32d7f0c6beca9d45c5d43d3180/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-error/src/main/java/org/apache/nifi/web/filter/CatchAllFilter.java#L52-L53
    
    But I'm not sure. And perhaps there are other references to the message page that this wouldn't address.


> Message Page uses raw X-ProxyContextPath
> ----------------------------------------
>
>                 Key: NIFI-5442
>                 URL: https://issues.apache.org/jira/browse/NIFI-5442
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.6.0
>            Reporter: Dan Fike
>            Assignee: Andy LoPresto
>            Priority: Major
>
> It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim 
> without sanitizing it or anything. See 
> [https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
>  
> I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured 
> NiFi host to get the *User authentication/authorization is only supported 
> when running over HTTPS* message page.
>  
> {code}
> $ curl http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
> ...
> $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" type=\"text/css\" /><script type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" href=\"" http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" /><script type="text/javascript">alert("omg");</script><link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
> ...{code}
>  
> Presumably we want to do something like this: 
> [https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]
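Added example, not NiFi's own code and not part of the issue or the comment above: a plain Java sketch of the whitelist behaviour danfike describes for `index.jsp`, where the `X-ProxyContextPath` header only changes the resource links when its value is listed in `nifi.web.proxy.context.path`, and is otherwise ignored. The class, method names, the `WHITELIST_PROPERTY` value and the normalization rule are assumptions made for this illustration; NiFi's real handling lives in the framework classes linked in the comment and may normalize differently. The third header value is the injection string from the issue's `curl` session, reused here as a constructed negative test to show that an unlisted value never reaches the generated markup.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

public class ProxyContextPathCheck {

    // Hypothetical stand-in for the nifi.web.proxy.context.path property:
    // a comma-separated whitelist of acceptable proxy context paths (constructed value).
    static final String WHITELIST_PROPERTY = "foo,/bar";

    // Parse the whitelist property into a set of normalized paths.
    static Set<String> parseWhitelist(String property) {
        if (property == null || property.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(property.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(ProxyContextPathCheck::normalize)
                .collect(Collectors.toSet());
    }

    // Assumed normalization: ensure a leading slash and strip trailing slashes,
    // so "foo", "/foo" and "/foo/" all compare equal against the whitelist.
    static String normalize(String path) {
        String p = path.trim();
        if (!p.startsWith("/")) {
            p = "/" + p;
        }
        while (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return p;
    }

    // Context path to prepend to resource links. An absent header, or a header
    // value that is not on the whitelist, yields "" so links stay at /nifi/...
    // Only an exact whitelist match is ever echoed back into the page.
    static String determineContextPath(String headerValue, Set<String> whitelist) {
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return "";
        }
        String candidate = normalize(headerValue);
        return whitelist.contains(candidate) ? candidate : "";
    }

    // The stylesheet link as rendered by the message page, with the context
    // path concatenated in front of the fixed /nifi/... resource path.
    static String stylesheetLink(String contextPath) {
        return "<link rel=\"stylesheet\" href=\"" + contextPath
                + "/nifi/assets/reset.css/reset.css\" type=\"text/css\" />";
    }

    public static void main(String[] args) {
        Set<String> whitelist = parseWhitelist(WHITELIST_PROPERTY);

        // Constructed header values: absent, whitelisted, and the payload from the issue.
        String[] headers = {
            null,
            "foo",
            "/nifi/assets/reset.css/reset.css\" type=\"text/css\" /><script type=\"text/javascript\">"
                + "alert(\"omg\");</script><link rel=\"stylesheet\" href=\"",
        };

        for (String h : headers) {
            System.out.println("header = " + h);
            // Before: header value used verbatim, as message-page.jsp does in 1.6.0.
            System.out.println("  raw         : " + stylesheetLink(h == null ? "" : h));
            // After: only a whitelisted value changes the link; everything else yields /nifi/...
            System.out.println("  whitelisted : " + stylesheetLink(determineContextPath(h, whitelist)));
            System.out.println();
        }
    }
}
```

Running it prints, for `foo`, a link starting with `/foo/nifi/...` in the whitelisted case (matching the `index.jsp` behaviour described in the comment), while the injected value falls back to the plain `/nifi/...` link instead of being spliced into the markup. Exact-match against a configured list is what makes this safe: no escaping of the header is attempted, so there is no encoding step to get wrong.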



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
