Jenkins issue JENKINS-31616

"Safe HTML" vulnerable to protocol-relative form action


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed

      Description

      With "safe html" enabled for user text entry, a form with an external action URI is scrubbed. However, it is possible to write a form with a protocol-relative action URI that could be used to leak sensitive data to an external service.

      For example, this HTML is scrubbed correctly with the form action removed:

      <form action="https://malicious.com">
      <input type="submit">
      </form>

      The form action in this example is not scrubbed and it is possible for a user to create a form that directs to an external site:

      <form action="//malicious.com">
      <input type="submit">
      </form>
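      As an added illustration (not the plugin's code; the actual fix is in MyspacePolicy.java in the commits referenced in the activity log), here is a Python sketch of the form-action check: the pre-fix rule that only catches URLs with an explicit scheme, the fixed rule that also rejects scheme-relative URLs, and a small scrubber run over the report's two snippets. It goes slightly beyond the report by also treating a leading pair such as `/\` as scheme-relative, because browsers treat a backslash like a slash in http(s) URLs; the host names and the `SAMPLES` inputs are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")  # browsers drop leading C0 controls/spaces

def is_offsite_action_naive(url: str) -> bool:  # pre-fix behaviour: explicit scheme only
    return bool(urlsplit(url).scheme)

def is_offsite_action(url: str) -> bool:
    """Fixed policy: reject an explicit scheme OR a scheme-relative '//' prefix.
    Goes beyond the report: '\\' in the leading pair is treated like '/', as browsers do."""
    u = _LEADING_JUNK.sub("", url)
    if urlsplit(u).scheme:
        return True
    return len(u) >= 2 and u[0] in "/\\" and u[1] in "/\\"

class FormActionScrubber(HTMLParser):
    """Re-serialises user HTML, dropping <form action> values the policy rejects."""
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.dropped = policy, [], []
    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if tag == "form" and name == "action" and value and self.policy(value):
                self.dropped.append(value)  # scrubbed, as with the report's first sample
                continue
            kept.append(f' {name}="{escape(value)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    handle_startendtag = handle_starttag  # <input .../> is emitted without a closing tag
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def scrub(user_html: str, policy=is_offsite_action):
    """Return (scrubbed_html, removed_action_urls) for one user-supplied fragment."""
    p = FormActionScrubber(policy)
    p.feed(user_html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed inputs mirroring the report's two snippets plus a same-site control.
SAMPLES = {
    "absolute": '<form action="https://malicious.example"><input type="submit"></form>',
    "scheme-relative": '<form action="//malicious.example"><input type="submit"></form>',
    "same-site": '<form action="/job/build"><input type="submit"></form>',
}
```

      Running `scrub(SAMPLES["scheme-relative"])` with the naive policy keeps the offsite action, which is the gap the report describes; with the fixed policy the attribute is dropped while `/job/build` survives untouched.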

            Activity

            danielbeck Daniel Beck added a comment -

            Can't be critical if you cannot be bothered to report this privately.

            jec Josh Cook added a comment -

            Thank you for the feedback Daniel. I read the instructions for "How to report an issue" <https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue> however I overlooked the line instructing that this ticket should have been reported to the "Security Issues" project.

            Do you think it would be helpful to add more prominent instructions to that page specifically relating to reporting security issues?

            danielbeck Daniel Beck added a comment -

            Everything is kind of important. That's why the page is as long as it is, and stuff is easy to overlook.

            We're also mentioning how to do this e.g. here which is linked from every wiki page's menu… so… I don't know.

            FWIW, for the upcoming site design I want to make both the advisories and the instructions on how to report more accessible.

            Still, how serious is this, really? I'd actually expect it to be fairly minor. You submit a form, it goes… somewhere. Is there an expectation that forms cannot go elsewhere?

            jec Josh Cook added a comment -

            My corporate Information Security team reported this to me as a "High" severity vulnerability, requiring executive-level approval for an exemption. It is very important to my team that we get Jenkins passing their security audits with as few exceptions as possible.

            My understanding of the "Safe HTML" policy is that form actions should be disallowed from having an offsite action URL, so even if you consider this a minor security vulnerability, it remains a bug in the policy.

            I don't know what all possible exploits this opens, but presumably it could be used by a malicious user to implement a phishing attack by directing other users to an offsite page that looks like Jenkins but is actually not.

            danielbeck Daniel Beck added a comment -

            It looks like we inherited this issue from upstream (OWASP AntiSamy's Myspace policy definition).

            jglick Jesse Glick added a comment -

            Workaround would be to use the plain text formatter and so just disable all user-entered HTML.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            src/main/java/hudson/markup/MyspacePolicy.java
            src/test/java/hudson/markup/MyspacePolicyTest.java
            http://jenkins-ci.org/commit/antisamy-markup-formatter-plugin/bf3758df15828bec772322fd7ad629df1d40571c
            Log:
            [FIX JENKINS-31616] Prohibit scheme-relative URLs

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Steven Christou
            Path:
            src/main/java/hudson/markup/MyspacePolicy.java
            src/test/java/hudson/markup/MyspacePolicyTest.java
            http://jenkins-ci.org/commit/antisamy-markup-formatter-plugin/3f7c587cde27d59d4d549f5a5a5c15ddf66631e4
            Log:
            Merge pull request #4 from daniel-beck/JENKINS-31616

            [FIX JENKINS-31616] Prohibit scheme-relative URLs

            Compare: https://github.com/jenkinsci/antisamy-markup-formatter-plugin/compare/d4c35338718a...3f7c587cde27


              People

              • Assignee: Daniel Beck
              • Reporter: Josh Cook
              • Votes: 0
              • Watchers: 4