FISH-10521 Escape HTTP Characters in REST Interface

[Pandrex247]

Description

Escapes HTTP characters in the REST interface, to help lock down any XSS attempts someone may try if they have access to the application server's filesystem.

Most config which would be displayed here is protected by validation of the domain.xml, as that prevents you from having the "<" or ">" characters as values. The key files however don't have this validation, and so we must escape them.

Important Info

Blockers

None

Testing

New tests

None

Testing Performed

On a clean domain:

• Add the following to the admin-keyfile file under domain config: user3<img src=x onerror=alert('XSS')>;{SSHA256}qXV9vLHbkJRoMaJkGsNUrz5jSHDzMTR0CyFmZjUt8HJQVlIi2X8XaA==;asadmin
• Add the following to the keyfile file under domain config: wibbles<img src=x onerror=alert('XSS')>;{SSHA256}6v8s3F0zGwF9bi9s1tygCvTz+az/Im55nS6Z3Z1sCIS9ng9aLAykCQ==;
• Ping the REST interface http://localhost:4848/management/domain/configs/config/server-config/security-service/auth-realm/file/list-users - no message box should appear
• Ping the REST interface http://localhost:4848/management/domain/configs/config/server-config/security-service/auth-realm/admin-realm/list-users
• Create a standalone instance called Elated-Whalefish
• From the admin console, edit the value of its ASADMIN_LISTENER_PORT property to 24848<img src=x onerror=alert(1)> - Instances > Elated-Whalefish > Properties
  • This was previously fixed in FISH-9553 Sanitise properties in admin console #6943
• Load this page in the REST interface, no message box should appear - http://localhost:4848/management/domain/servers/server/Elated-Whalefish/system-property/ASADMIN_LISTENER_PORT

Testing Environment

Windows 11, Maven 3.9.9, Zulu JDK 11.0.26

Documentation

payara/Payara-Documentation#552

Notes for Reviewers

None

[breakponchito]

@Pandrex247 same is happening with Payara 6, I tried to test and it seems something is missing because after editing the admin-keyfile and including an script I'm still seeing the message when loading the server:

Content of file:
admin<img src=x onerror=alert('XSS')>;{SSHA256}Q3p+X8y0tC4olXfIFMAmKXq+19eFXaDm+C8tBucgdZGfIIM3gl5mNA==;asadmin

on the other cases it seems that is working as expected, just the case with the file admin-keyfile

I tested on windows 11, zulu jdk 11 and maven 3.9.5

[Pandrex247]

I just tried again, it worked for me.
Are you sure you built my branch and were testing against that build?
I recommend using private browsing to ensure nothing is cached

Your URL doesn't look correct either? http://localhost:4848/common/index.jsf is the admin console, not the REST management interface

If you've found another vulnerability in the admin console that would be a separate issue/CVE

[Pandrex247]

after editing the admin-keyfile and including an script

What script are you referring to? There's no reference to editing a script in the reproducer

[luiseufrasio]

LGTM!

[breakponchito]

@Pandrex247 with latest's changes now I can't see the dialog after injecting javascript code from the key files

[breakponchito]

LGTM