[NIFI-5442] Message Page uses raw X-ProxyContextPath - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.6.0
Fix Version/s: 1.8.0
Component/s: Core Framework
Labels:
None

Description

It looks like message-page.jsp uses X-ProxyContextPath verbatim without sanitizing it or anything. See

https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21

I verified this by hitting /nifi-api/access/oidc/callback on an unsecured NiFi host to get the User authentication/authorization is only supported when running over HTTPS message page.

$ curl http://hostname/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
...

$ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" type=\"text/css\" /><script type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" href=\"" http://hostname/nifi-api/access/oidc/callback
...
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" /><script type="text/javascript">alert("omg");</script><link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
...

Presumably we want to do something like this: https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20

Attachments

Issue Links

relates to

NIFI-7558 Context path filtering does not work when behind a reverse proxy with a context path

Resolved

links to

GitHub Pull Request #2908

Activity

People

Assignee:: Andy LoPresto

Reporter:: Dan Fike

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 18/Jul/18 18:09

Updated:: 18/Jun/20 18:18

Resolved:: 01/Aug/18 16:12