Bug #12698

Insufficient URL validation for smart proxy and medium

Added by Daniel Lobato Garcia over 3 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: Security

Description

Problem: The regex that validates smart proxy URLs only matches 'beginning of text'. This allows us to add just \n after a valid URL and put anything after it. For instance, javascript:alert('hacked'). I haven't found any link to the Foreman proxy URL so the script would not trigger, but if we were to put link_to @smart_proxy.url somewhere (or a plugin did this) it would be unsafe.

Solution: Make the regex match the end of the URL with \Z


Related issues

Related to Foreman - Feature #12787: The url validator accepts bad urls like "https://" (New, 2015-12-11)
Has duplicate Foreman - Bug #12697: Insufficient validation for smart proxy URL (Duplicate, 2015-12-04)

Associated revisions

Revision 98f6ca54 (diff)
Added by Daniel Lobato Garcia over 3 years ago

Fixes #12698 - Insufficient URL validation Smart Proxy and Medium.

Problem: The regex that validates smart proxy URLs only matches
'beginning of text'. This allows us to add just \n after a valid URL and
put anything after it. For instance, javascript:alert('hacked'). I
haven't found any link to the Foreman proxy URL so the script would not
trigger, but if we were to put link_to @smart_proxy.url somewhere (or a
plugin did this) it would be unsafe. Same problem occurs on Medium
path.

Solution: Make the regex match the end of the URL with \Z. I substituted
the regex by a standard one, URI.regexp so we don't have to maintain it
anymore.

Extra: I added one test for this, but other tests have been rearranged
to use stubs rather than building actual SmartProxy objects &
associations.
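The anchoring mistake described in the ticket and in the commit message above, shown as an added Ruby example that is not Foreman's code. The three regex shapes are constructed stand-ins for the validator, not the project's actual pattern: in Ruby `^` and `$` anchor at line boundaries, so a `^https?://` check is satisfied by any one line of a multi-line value; `\A`/`\Z` anchor the whole string (the ticket's fix), and `\z` is stricter still because `\Z` also matches just before a single trailing newline. The extra `URI.parse` step in `strict_valid?` is an assumption of this example, not what the commit did (the commit switched to `URI.regexp`). The sample inputs are constructed.

```ruby
require 'uri'

# Constructed stand-ins for the smart-proxy URL validator; not Foreman's regexes.
LOOSE_URL_RE  = %r{^https?://[^\s/]+(:\d+)?(/\S*)?}     # line-anchored only: flawed
BIG_Z_URL_RE  = %r{\Ahttps?://[^\s/]+(:\d+)?(/\S*)?\Z}  # whole string, trailing "\n" tolerated
STRICT_URL_RE = %r{\Ahttps?://[^\s/]+(:\d+)?(/\S*)?\z}  # whole string, nothing may follow

# The flawed check: passes as soon as ANY line of the value looks like a URL.
def loose_valid?(url)
  LOOSE_URL_RE.match?(url)
end

# The ticket's fix: \A..\Z covers the whole string (a lone trailing newline still passes).
def big_z_valid?(url)
  BIG_Z_URL_RE.match?(url)
end

# Hardened check (assumption of this example): \A..\z anchoring plus a parse with the
# stdlib URI library, insisting on an http(s) scheme and a non-empty host.
def strict_valid?(url)
  return false unless STRICT_URL_RE.match?(url)
  u = URI.parse(url)
  u.is_a?(URI::HTTP) && !u.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Constructed inputs: a benign proxy URL, a URL with a trailing newline, and two
# multi-line values whose non-http line is what a link helper would later emit.
SAMPLES = {
  benign:         "https://proxy.example.com:8443",
  trailing_nl:    "https://proxy.example.com\n",
  payload_after:  "https://proxy.example.com:8443\njavascript:alert('hacked')",
  payload_before: "javascript:alert('hacked')\nhttps://proxy.example.com"
}.freeze

# Returns, per sample, what each validator decides, so the difference is visible.
def compare_validators(samples = SAMPLES)
  samples.transform_values do |url|
    { loose: loose_valid?(url), big_z: big_z_valid?(url), strict: strict_valid?(url) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_validators.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Running the file prints one line per sample; the `loose` column accepts both multi-line values, `big_z` rejects them but still accepts the trailing-newline case, and `strict` rejects everything except the benign URL. Whichever anchor is chosen, the stored value should still be escaped at the point where it is rendered into a link.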

History

#1 Updated by Dominic Cleal over 3 years ago

  • Has duplicate Bug #12697: Insufficient validation for smart proxy URL added

#2 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2960 added

#3 Updated by Daniel Lobato Garcia over 3 years ago

  • Subject changed from Insufficient validation for smart proxy URL to Insufficient URL validation for smart proxy and medium

#4 Updated by Dominic Cleal over 3 years ago

  • Category set to Security
  • Legacy Backlogs Release (now unused) set to 71

#5 Updated by Daniel Lobato Garcia over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by David Davis over 3 years ago

  • Related to Feature #12787: The url validator accepts bad urls like "https://" added
