Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-29 Thread Madhan Neethiraj
ht be less elegant than if they were developed by the maintainers. Justin On Mon, Jun 15, 2020 at 3:34 PM Melinda Crane wrote: > > > -- Forwarded message - > From: Madhan Neethiraj > Date: Mon, Jun 15, 2020 at 6:12 PM > Subject:

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-18 Thread Justin Kuang
From: Madhan Neethiraj > Date: Mon, Jun 15, 2020 at 6:12 PM > Subject: Re: Seeking advice on Atlas XSS vulnerabilities > To: dev@atlas.apache.org , Bolke de Bruin < > bdbr...@gmail.com>, Melinda Crane > > > Bolke, Melinda, > > I think it will help to clarify what I mean

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-15 Thread Madhan Neethiraj
Bolke, Melinda, I think it will help to clarify what I meant by "server-side" and "UI". - server-side: Atlas REST APIs to perform various operations on types/entities/glossaries/.. - UI: a web-application running in a browser which calls Atlas REST APIs to fetch data, render and update data

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-15 Thread Bolke de Bruin
Hi Keval, I'm happy that you will tackle the UI part of it. However, these are not mere UI issues and need to be tackled server side IMHO. This opinion is supported by what the experts say [1]. Can you elaborate on how you will approach this? I have not seen a discussion. Cheers Bolke [1]

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-15 Thread Keval Bhatt
Hi Bolke, Thanks for the details on the UI issues in rendering entity name and incorrect value stored for user-defined attributes. I am working on updating UI to address these issues, will send a patch shortly. If you see further issues that require a server-side update, can you please add

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-12 Thread Bolke de Bruin
Hi Madhan, A second order XSS (i.e. stored) can be executed against Atlas quite easily. If you create an entity with a name like “> You will get an alert when clicking “edit” and you will get artifacts all over the place stemming from the closing ‘“>’. And there are probably other areas

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-11 Thread Keval Bhatt
Hi Melinda, Thanks for the details on the XSS issue; it helped to investigate and verify the fix. This fix is now merged in master and branch-2.0 branches. About the concerns with eval in requires.js: Atlas UI uses handlebar templates to render HTML; requires.js gets the handlebar templates as a

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-11 Thread Bolke de Bruin
I'm working on a POC that shows the need for server side escaping due to second order XSS (stored XSS). That's taking a bit of time. B. Sent from my iPhone > On 11 Jun 2020, at 02:30, Madhan Neethiraj wrote: > > Melinda, > > As I said earlier, I don't agree on server side escaping HTML

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-10 Thread Madhan Neethiraj
Melinda, As I said earlier, I don't agree on server side escaping HTML characters in its input and output. Escaping must be handled by components that are prone to issues in dealing with unescaped data. We are discussing potential XSS in the UI while dealing with data from user/server, which

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-10 Thread Melinda Crane
Dear Madhan and Bolke, Are there any updates on this topic? The discussion so far has been pretty exciting to see and hear - having the sanitization feature as an optional config like Bolke mentioned would be really useful to us (since we know our data should never contain html characters), and it

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-09 Thread Madhan Neethiraj
Bolke, > 1. Filtering input on arrival where the user cannot manipulate it anymore > (i.e. server) It's not clear what you expect the server to do here. Should HTML characters be escaped in all inputs, before saving the data in its store? Can you give a few examples of server-side

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-09 Thread Bolke de Bruin
Hi Madhan, I don’t think solving this on the front-end is sufficient and the defense should be more in-depth. The front-end is after all client side and can be manipulated by the user. Typically one solves XSS vulnerabilities by: 1. Filtering input on arrival where the user cannot manipulate

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-08 Thread Keval Bhatt
Thanks, Melinda, for the detailed explanation. I am able to reproduce the issue. Will provide the patch for this. On Tue, Jun 9, 2020 at 9:34 AM Madhan Neethiraj wrote: > Melinda, > > Thank you for adding details. I think the frontend must take steps to > prevent JavaScript execution while

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-08 Thread Madhan Neethiraj
Melinda, Thank you for adding details. I think the frontend must take steps to prevent JavaScript execution while handling values in REST API responses. Server side escaping all HTML characters in all responses wouldn’t be the right approach, as the browser is not the only consumer of the

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-08 Thread Melinda Crane
Apologies, looks like the second half of the email I just sent got formatted weirdly (I was copying from a failed earlier email attempt that got rejected for attaching images). Just to make sure it doesn’t get buried: Of course this specific case can be patched on the frontend, but doing some

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-08 Thread Melinda Crane
Dear Madhan, Thank you kindly for your response and for offering to look into potential solutions. I've been trying to step through how the ajax calls are handled; I don't really see the AtlasJsonProvider being used much at all actually for that. My concern is that the data from the ajax calls

Re: Seeking advice on Atlas XSS vulnerabilities

2020-06-06 Thread Madhan Neethiraj
Melinda, Thank you for reaching out to the Apache Atlas community. As you noted, AtlasJsonProvider is used to deserialize/serialize REST API requests and responses. In addition, methods in AtlasJson are used to convert to/from Json. It will help if you can add a few examples of potential issues