Esri/resource-proxy

Proxy.jsp response HTML body with sensitive information

gustavopalminha opened this issue · 5 comments

When issuing a request like ".../proxy.jsp?http://fakeserver/arcgis/rest/services/some_service/MapServer/" and passing along a valid Referer header to get a response, it will contain HTML which expose private or sensitive information, like the name of the intranet server, example, http://agserver.intranet.local:6080/....

This shouldn't be possible unless the user really wants it, but that's not the case here.

To avoid it, there could be a sanitization of the input url by appending a f=json parameter or adding a config option to the proxy.config file blocking this.

This may be an issue for other proxy versions, like PHP and .NET.

This is certainly an issue with the .Net proxy too. It clearly shows the username that the proxy logged in as.

Hi @gustavopalminha @lancegosby,
The resource-proxy does not look inside the proxied content, nor modify it. This is by design.

You might want to investigate other options than resource-proxy for better solutions, see for example https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/

The proxy here works well otherwise. It would be a shame if we had to redesign our applications.

The proxy wouldn't even need to look inside the content. @gustavopalminha had a good suggestion of validating the "f" parameter. For my limited scenarios, a proxy config setting of "allowHtmlResponse" could work. Then the proxy could ensure that none of the requests use f=html. I'm sure some of the endpoints use html as the default when the "f" parameter is missing so it would need to handle that too.

Hi @lancegosby - thanks for explaining in more detail.

If this is just to avoid the "html" being sent back, then there's a server setting for that - "Disable the Services Directory" that might achieve the same result:
http://enterprise.arcgis.com/en/server/latest/administer/linux/disabling-the-services-directory.htm

This still allows the REST API to work. See for example https://traffic.arcgis.com/arcgis/rest/services vs https://traffic.arcgis.com/arcgis/rest/services?f=json.

Hi @bsvensson,

I'm not sure if we can disable the services directory for all services. For most of our services, it is fine for anyone to browse them. We even browse them ourselves internally when troubleshooting, so we find it useful to have turned on. We have a couple of secured map services that we host publicly, so we only use the proxy to access them.

Would you be open to me submitting a PR with the following changes, or could you suggest some way to make it more universal?

  • Add a config setting "preventHtmlResponse" with a default value of false so as not to force anyone to change their config, probably on the serverUrl node.
  • If preventHtmlResponse == true, then check the "f" param and update it as needed.

The only problem is I wouldn't have any way to develop/test the PHP or Java versions. I only have a .NET environment.

Lance
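The check proposed in this thread (both the "allowHtmlResponse" idea above and the "preventHtmlResponse" setting in Lance's list) amounts to normalising the `f` parameter of the proxied URL before the proxy forwards it. The following is an added example written for this issue, not code from the resource-proxy project: it models that normalisation in Python so the rule can be reasoned about and tested independently of the .NET, Java or PHP ports. The setting name `prevent_html_response` is the hypothetical name from the thread, and the assumption that a missing or empty `f` falls back to HTML comes from the comment above that some endpoints default to HTML when `f` is absent.

```python
"""Model of a 'preventHtmlResponse' check for a proxied ArcGIS REST URL.

Illustrative code written for this issue thread; not the resource-proxy's own
implementation. Setting name and the HTML-fallback assumption are hypothetical.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption (from the thread): when 'f' is missing or empty, the Services
# Directory answers with HTML, which is the response we want to keep away
# from browser clients going through the proxy.
HTML_FORMATS = {"html", ""}


def effective_format(target_url: str) -> str:
    """Return the response format the target would use for this URL.

    Every 'f' parameter is inspected case-insensitively. If any of them asks
    for HTML, or if there is no 'f' at all, the effective format is 'html'.
    With duplicate non-HTML values the first one is reported.
    """
    pairs = parse_qsl(urlsplit(target_url).query, keep_blank_values=True)
    values = [value.lower() for key, value in pairs if key.lower() == "f"]
    if not values or any(value in HTML_FORMATS for value in values):
        return "html"
    return values[0]


def enforce_json_format(target_url: str, prevent_html_response: bool = True) -> str:
    """Rewrite the proxied URL so the target cannot answer with HTML.

    When prevent_html_response is False the URL is forwarded untouched, which
    is the default the thread proposes so existing configs keep working.
    Otherwise the query is rebuilt with exactly one 'f' parameter: 'json' if
    the request was (or would default to) HTML, else the format already asked
    for. Non-'f' parameters keep their order; 'f' is emitted last.
    """
    if not prevent_html_response:
        return target_url
    parts = urlsplit(target_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(key, value) for key, value in pairs if key.lower() != "f"]
    fmt = effective_format(target_url)
    kept.append(("f", "json" if fmt == "html" else fmt))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def rewrite_proxy_query(raw_query: str, prevent_html_response: bool = True) -> str:
    """Apply the check to the raw text after 'proxy.jsp?', i.e. the target URL."""
    return enforce_json_format(raw_query, prevent_html_response)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the URL shape in the issue.
    samples = [
        "http://fakeserver/arcgis/rest/services/some_service/MapServer/",
        "http://fakeserver/arcgis/rest/services/some_service/MapServer/?f=html",
        "http://fakeserver/arcgis/rest/services/some_service/MapServer/query?where=1%3D1&f=pjson",
    ]
    for url in samples:
        print(effective_format(url), "->", enforce_json_format(url))
```

The rewrite deliberately collapses duplicate `f` parameters into one so that a second `f=html` cannot override an earlier `f=json`; which copy a given server honours is not something the proxy should have to know.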