
RHMI 3scale 2.8 Service Discovery - non-sanitized request parameters error


Details

    • Type: Task
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 2.9 GA, 2.8.2 CR1
    • Component/s: System
    • 2
    • Engineering

    Description

      While testing an install of 3scale 2.8 using the 3scale operator / manifests as part of an RHMI operator install, an internal error was observed while completing a service discovery: signing in through the IDP for the "Import from Openshift (Authenticate to enable this option)" step fails.

      The following error was observed in the system-app pod:

      Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

      Full error:

      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] Started GET "/auth/service-discovery/callback?code=MT_yUQujPcrluu39DVcn-oKeEA19Pmt1JiUDK08U_gA&referrer=%2Fapiconfig%2Fservices%2Fnew&self_domain=3scale-admin.apps.chfan.l9a9.s1.devshift.org&state=" for 80.233.33.153 at 2020-03-31 07:20:32 +0000
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] Processing by Master::ServiceDiscovery::AuthController#show as HTML
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153]   Parameters: {"code"=>"MT_yUQujPcrluu39DVcn-oKeEA19Pmt1JiUDK08U_gA", "referrer"=>"/apiconfig/services/new", "self_domain"=>"3scale-admin.apps.chfan.l9a9.s1.devshift.org", "state"=>""}
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] Completed 500 Internal Server Error in 1ms (ActiveRecord: 0.0ms)
      Exception -- [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] {:exception=>{:class=>ArgumentError, :message=>"Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.", :backtrace=>["/opt/system/vendor/bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/routing/url_for.rb:176:in `url_for'", "/opt/system/app/controllers/master/service_discovery/auth_controller.rb:15:in `self_domain_url'", "/opt/system/app/controllers/master/service_discovery/auth_controller.rb:8:in `show'", "/opt/system/vendor/bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/basic_implicit_render.rb:4:in `send_action'"]}, :parameters=>{}}
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153]   
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] ArgumentError (Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.):
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153]   
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] app/controllers/master/service_discovery/auth_controller.rb:15:in `self_domain_url'
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] app/controllers/master/service_discovery/auth_controller.rb:8:in `show'
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] app/lib/three_scale/middleware/multitenant.rb:113:in `_call'
      [551cfb67-a499-4931-9032-be547b6429a3] [master.apps.chfan.l9a9.s1.devshift.org] [80.233.33.153] app/lib/three_scale/middleware/multitenant.rb:108:in `call'
      80.233.33.153 - - [31/Mar/2020:07:20:32 +0000] "GET /500?code=MT_yUQujPcrluu39DVcn-oKeEA19Pmt1JiUDK08U_gA&referrer=%2Fapiconfig%2Fservices%2Fnew&self_domain=3scale-admin.apps.chfan.l9a9.s1.devshift.org&state= HTTP/1.1" 500 - 0.0057
      80.233.33.153 - - [31/Mar/2020:07:20:32 +0000] "GET /assets/error.css HTTP/1.1" 200 15575 0.0025

      The same configuration was previously working on a 3scale 2.7 install.

      Relevant RHMI Operator PR for installing 3scale 2.8:

      Relevant chat thread link:

      Dev note

      This was caused by the Rails upgrade and by not using strong params in the master controller that handles the callback requests of the OAuth flow: Rails 5 refuses to build a URL from an unpermitted parameters object. The fix consists of explicitly permitting the allowed params, or even the easy (and unsafe) params.permit! for now.
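      Added illustration (not 3scale's code): a pure-Ruby stand-in for the Rails 5 behaviour behind the error above, with a hypothetical "before" and "after" version of the callback controller's self_domain_url. Params and url_for here model ActionController::Parameters and ActionDispatch's url_for check; the known-tenant host check in the "after" version is an assumed extra hardening step, not part of the ticket's fix.

```ruby
# Added example, not 3scale's code. `Params` models ActionController::Parameters
# and `url_for` models the Rails 5 ActionDispatch check that raised in the ticket.
INSECURE_URL_MESSAGE = 'Attempting to generate a URL from non-sanitized request parameters! ' \
  'An attacker can inject malicious data into the generated URL, such as changing the host. ' \
  'Whitelist and sanitize passed parameters to be secure.'

class Params
  def initialize(hash, permitted = false)
    @to_h = hash.transform_keys(&:to_s)
    @permitted = permitted   # request params start out unpermitted
  end
  def permitted?; @permitted; end
  def [](key); @to_h[key.to_s]; end
  # permit(*keys): a new object holding only those keys, marked permitted
  def permit(*keys); Params.new(@to_h.slice(*keys.map(&:to_s)), true); end
  # permit!: everything allowed at once, the "easy (and unsafe)" option
  def permit!; @permitted = true; self; end
  # merge keeps the permitted state, as Rails' Parameters#merge does
  def merge(extra); Params.new(@to_h.merge(extra), @permitted); end
end

# Mirrors ActionDispatch::Routing::UrlFor#url_for (Rails 5): an unpermitted
# Parameters object is refused before any URL is built.
def url_for(options)
  raise ArgumentError, INSECURE_URL_MESSAGE if options.respond_to?(:permitted?) && !options.permitted?
  "https://#{options['host']}#{options['path']}"
end

# Before (hypothetical): raw request params flow into url_for -> ArgumentError -> HTTP 500.
def self_domain_url_before(params)
  url_for(params.merge('host' => params['self_domain'], 'path' => params['referrer']))
end

# After (hypothetical): permit only the keys the callback needs, and (assumed
# hardening, not in the ticket) accept only a host that is a known tenant domain.
KNOWN_TENANT_HOSTS = ['3scale-admin.apps.chfan.l9a9.s1.devshift.org'].freeze  # constructed
def self_domain_url_after(params)
  allowed = params.permit(:self_domain, :referrer)
  host = allowed[:self_domain]
  raise ArgumentError, "self_domain not a known tenant: #{host}" unless KNOWN_TENANT_HOSTS.include?(host)
  url_for(allowed.merge('host' => host, 'path' => allowed[:referrer]))
end

# Constructed from the Parameters line in the ticket's log (OAuth code omitted).
def callback_params(self_domain = '3scale-admin.apps.chfan.l9a9.s1.devshift.org')
  Params.new('referrer' => '/apiconfig/services/new', 'self_domain' => self_domain, 'state' => '')
end
```

Calling self_domain_url_before(callback_params) reproduces the ArgumentError from the log, while self_domain_url_after(callback_params) returns the admin-portal URL and rejects any self_domain that is not a known tenant.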

      People

        Assignee: Unassigned
        Reporter: Kevin Chi Keen Fan (chfan@redhat.com)
        Jakub Smolár
        Srijita Mukherjee (Inactive)
        Votes: 0
        Watchers: 11