Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.18.0
Affects Version/s: 4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.0
Component/s: HyperShift
Labels:
- no-qe
- snyk
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
None

Target Backport Versions:
None
Target Version:

4.18.0
Release Blocker:
None
Sprint:
Hypershift Sprint 259
sprint_count:
1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

The error bellow was solved in this PR https://github.com/openshift/hypershift/pull/4723, but we can do a better sanitisation of the IgnitionServer payload. This is the suggestion from Alberto in Slack: https://redhat-internal.slack.com/archives/G01QS0P2F6W/p1726257008913779?thread_ts=1726241321.475839&cid=G01QS0P2F6W

✗ [High] Cross-site Scripting (XSS) 
  Path: ignition-server/cmd/start.go, line 250 
  Info: Unsanitized input from an HTTP header flows into Write, where it is used to render an HTML page returned to the user. This may result in a Reflected Cross-Site Scripting attack (XSS).

clones

OCPBUGS-41935 Unsanitized input into IgnitionServer from HTTP header

Closed

links to

openshift/hypershift#4735: OCPBUGS-41992: Sanitize ignition payload

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

Assignee:: Juan Manuel Parrilla Madrid

Reporter:: Juan Manuel Parrilla Madrid

Need Info From:: None

Contributors:: None

QA Contact:: Jie Zhao

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/09/16 10:20 AM

Updated:: 2025/07/21 5:25 PM

Resolved:: 2025/02/25 4:44 AM