Tapestry 5: TAP5-2008

Serialized object data stored on the client should be HMAC signed and validated

    Details

      Description

      Tapestry encodes serialized objects into Base64-encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.

      However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with. It is relatively easy to create a DoS (denial of service) attack by exploiting this.

      Tapestry should use some form of HMAC (hash-based message authentication code) to ensure that the contents of such data are valid; the signing and validation should occur after writing the gzipped content, and before gzip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DoS).
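      As an added illustration of the scheme proposed above (example code written for this page, not Tapestry's own ClientDataEncoder; the class name, the HMAC-SHA256 prefix layout and the 64 KiB inflation cap are assumptions of the example), a Java 8+ encoder that MACs the gzipped bytes and verifies the MAC before anything is inflated:

```java
import java.io.*;
import java.security.*;
import java.util.*;
import java.util.zip.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Example class, not Tapestry's ClientDataEncoder. Wire format: HMAC-SHA256(gzip) || gzip, Base64url.
public final class SignedClientData {
    private static final String ALG = "HmacSHA256";
    private static final int MAC_LEN = 32;              // HMAC-SHA256 output size
    private static final int MAX_INFLATED = 64 * 1024;  // assumed cap on inflated size, defence in depth
    private final SecretKeySpec key;
    public SignedClientData(byte[] secret) { this.key = new SecretKeySpec(secret, ALG); }
    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data);
    }
    // gzip first, then MAC the compressed bytes: the server can reject a forged or
    // tampered blob before it inflates a single byte.
    public String encode(byte[] payload) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) { gz.write(payload); }
        byte[] compressed = buf.toByteArray();
        byte[] out = new byte[MAC_LEN + compressed.length];
        System.arraycopy(mac(compressed), 0, out, 0, MAC_LEN);
        System.arraycopy(compressed, 0, out, MAC_LEN, compressed.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    // Constant-time MAC check over the still-compressed bytes; only then inflate, with a size cap.
    public byte[] decode(String token) throws IOException, GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(token);
        if (in.length < MAC_LEN) throw new SecurityException("client data too short");
        byte[] compressed = Arrays.copyOfRange(in, MAC_LEN, in.length);
        if (!MessageDigest.isEqual(Arrays.copyOf(in, MAC_LEN), mac(compressed)))
            throw new SecurityException("client data failed HMAC validation");
        try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(compressed));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = gz.read(chunk)) != -1) {
                if (out.size() + n > MAX_INFLATED) throw new IOException("inflated data exceeds cap");
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        }
    }
}
```

      A tampered, truncated or forged token fails in the HMAC check, so the expensive inflation step is never reached; the size cap only guards against a legitimately signed payload that is larger than the application expects.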

        Activity

        Hudson added a comment -

        Integrated in tapestry-trunk-freestyle #977 (See https://builds.apache.org/job/tapestry-trunk-freestyle/977/)
        TAP5-2008: Implement HMAC signatures on object streams stored on the client (Revision 95846b173d83c2eb42db75dae3e7d5e13a633946)

        Result = FAILURE
        hlship :
        Files :

        • tapestry-core/src/main/java/org/apache/tapestry5/internal/util/TeeOutputStream.java
        • tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataSinkImpl.java
        • tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
        • tapestry-core/src/main/java/org/apache/tapestry5/services/ClientDataEncoder.java
        • tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
        • tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
        • tapestry-core/src/main/java/org/apache/tapestry5/internal/util/MacOutputStream.java
        • tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataEncoderImpl.java
        • tapestry-core/src/test/groovy/org/apache/tapestry5/internal/services/ClientDataEncoderImplTest.groovy

          People

          Assignee: Howard M. Lewis Ship
          Reporter: Howard M. Lewis Ship
          Votes: 0
          Watchers: 2
