Apache NiFi
NIFI-5442: Message Page uses raw X-ProxyContextPath

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.0
    • Fix Version/s: 1.8.0
    • Component/s: Core Framework
    • Labels: None

      Description

      It looks like message-page.jsp uses X-ProxyContextPath verbatim without sanitizing it or anything. See 

      https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21
      I verified this by hitting /nifi-api/access/oidc/callback on an unsecured NiFi host to get the "User authentication/authorization is only supported when running over HTTPS" message page.
      $ curl http://hostname/nifi-api/access/oidc/callback
      ...
      <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
      ...
      
      $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" type=\"text/css\" /><script type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" href=\"" http://hostname/nifi-api/access/oidc/callback
      ...
      <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" /><script type="text/javascript">alert("omg");</script><link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
      ...
      Presumably we want to do something like this: https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20
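The reflected-header pattern described in the report, as an added example in Python rather than NiFi's own JSP code (this is not the project's fix; the allow-list of context paths, the validation regex and all function names are assumptions made for the illustration). The raw interpolation reproduces the injected script element from the report's payload byte for byte, HTML attribute encoding neutralises the quote that closes the href attribute, and allow-list validation drops a header value that is not one of the deployment's configured proxy paths before it is ever rendered:

```python
"""Reflected X-ProxyContextPath injection: the raw pattern beside two hardened variants.

Added example, not code from the NiFi project. The allow-list, the regex and the
function names are assumptions for the illustration.
"""
import html
import re
from typing import Optional

# Constructed for this example: the header value used in the NIFI-5442 report.
REPORT_PAYLOAD = (
    '/nifi/assets/reset.css/reset.css" type="text/css" />'
    '<script type="text/javascript">alert("omg");</script>'
    '<link rel="stylesheet" href="'
)

STYLESHEET = "/nifi/assets/reset.css/reset.css"

# Hypothetical deployment setting: the proxy context paths this instance is
# configured to sit behind. The empty string is "no proxy prefix".
ALLOWED_CONTEXT_PATHS = frozenset({"", "/nifi-proxy", "/data/nifi"})

# A legitimate context path is nothing more than a run of plain path segments.
_CONTEXT_PATH_RE = re.compile(r"^(?:/[A-Za-z0-9._~-]+)*$")


def render_link_raw(proxy_context_path: str) -> str:
    """Vulnerable pattern: the header value lands in an attribute verbatim."""
    return (
        f'<link rel="stylesheet" href="{proxy_context_path}{STYLESHEET}" '
        'type="text/css" />'
    )


def render_link_escaped(proxy_context_path: str) -> str:
    """Output encoding: quotes and angle brackets can no longer break out of href."""
    safe = html.escape(proxy_context_path, quote=True)
    return f'<link rel="stylesheet" href="{safe}{STYLESHEET}" type="text/css" />'


def resolve_context_path(header_value: Optional[str],
                         allowed=ALLOWED_CONTEXT_PATHS) -> str:
    """Input validation: accept only a well-formed, configured context path.

    Anything else is treated as attacker-controlled and replaced by the empty
    prefix, so the page is served without a prefix rather than with a tampered one.
    """
    if header_value is None:
        return ""
    if not _CONTEXT_PATH_RE.match(header_value):
        return ""
    if header_value not in allowed:
        return ""
    return header_value


def render_link_hardened(header_value: Optional[str]) -> str:
    """Both defences together: validate the header, then still encode on output."""
    return render_link_escaped(resolve_context_path(header_value))


def injects_script(rendered: str) -> bool:
    """Check used by the demo: did a <script> element make it into the markup?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_link_raw(REPORT_PAYLOAD))        # script element present
    print(render_link_escaped(REPORT_PAYLOAD))    # payload inert, but a junk href
    print(render_link_hardened(REPORT_PAYLOAD))   # header dropped, plain link
    print(render_link_hardened("/nifi-proxy"))    # configured prefix survives
```

Encoding on its own is enough to stop the script injection, but a header that is only ever supposed to carry a deployment-configured path should also be checked against that configuration, so an unexpected value is discarded rather than faithfully (if safely) echoed back; the hardened variant does both.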


              People

              • Assignee: Andy LoPresto (alopresto)
              • Reporter: Dan Fike (danfike)
              • Votes: 0
              • Watchers: 5
