cloudfoundry/stratos

Validation.Required.URL: Potential use of variable for URL detected

mahantsucf opened this issue · 1 comment

Stratos Version

Stratos Version 4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

When we do an AppScan static scan, the scanning results shouldn’t yield any vulnerabilities.

Actual behaviour

We ran Appscan and these vulnerabilities were marked as Medium Severity issues.

Steps to reproduce the behavior

AppScan Go: version 0.1.7

Steps

Open Appscan go application

Check out the code of Stratos: release 4.4.0 (https://github.com/cloudfoundry/stratos.git) on your local machine.

Choose the type of scan i.e. Complete Security Scan

Click on the Browse button and browse to the src folder (except the test-e2e folder) of the Stratos project that you checked out in step 2.

AppScan Go! retrieves the appropriate files from the selected folder and lists them for review. No need to change anything here; just click on the Continue button.

Click on the Create a new scan button ---> Initiate scan: this will initiate the scan process.

When the upload to AppScan on Cloud is complete, click the link to review the status or results of the scan in the AppScan on Cloud service (you will see lots of high severity issues).

Reference: https://help.hcltechsw.com/appscan/ASoC/src_irx_gen_gui.html

Log output covering before error and any error statements

![AppScan_Log](https://user-images.githubusercontent.com/81233158/127611872-a8af1449-9c65-4741-8c81-f91ed1cca364.PNG)

Detailed Description

Exact Location where the issue occurs:

src\jetstream\passthrough.go:478
src\jetstream\plugins\analysis\list.go:212
src\jetstream\plugins\analysis\main.go:122
src\jetstream\plugins\analysis\run.go:140
src\jetstream\plugins\analysis\status.go:66
src\jetstream\plugins\kubernetes\dashboard\configure.go:158
src\jetstream\plugins\userinfo\uaa_user.go:133
src\jetstream\plugins\analysis\list.go:194

Context

Cause
This API accepts a URL that is supplied by an outside source. If an attacker is able to manipulate the URL, that attacker could cause legitimate users to fall victim to phishing attacks by redirecting the user to a seemingly legitimate website. If the user thinks that this impostor website is valid, the user may be tricked into submitting login credentials or other types of user information. The impostor website would then send this data to the attacker.

Another attack vector would be for an attacker to submit a URL that points to a website that hosts Trojans and other types of malware. If a user is tricked into browsing to this URL, or somehow submitting an HTTP request to this URL, the user's computer may be infected with the Trojans or other malware.

Possible Implementation

It is critical that the URL is validated to point to a legitimate resource. This can be accomplished with a hard-coded whitelist of acceptable URL paths as well as by sanitizing the URL query parameters.

If you took the time to look at the code instead of spamming this project with spurious issues from an automated test tool you'd see that using a variable in http.NewRequest does not mean there's a security flaw. Stratos acts as a proxy and creates URLs given a number of reasons.
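As an added illustration of the allowlist approach the issue proposes for a proxy that necessarily builds its own outbound URLs, the Go snippet below is not Stratos code: the `allowedTargets` entries, `ValidateProxyTarget` and `NewProxyRequest` are constructed for this example. A caller-influenced target is handed to `http.NewRequest` only after it has been checked against a fixed set of known destinations and rebuilt from the validated parts.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedTargets is a constructed allowlist of host:port pairs the proxy may
// call (hypothetical values; a real deployment would use its registered endpoints).
var allowedTargets = map[string]struct{}{
	"api.example.internal:443": {},
	"uaa.example.internal:443": {},
}

// ValidateProxyTarget accepts a caller-influenced URL only if it is absolute,
// uses https, carries no userinfo, and its host:port is allowlisted. It
// returns a URL rebuilt from the validated parts for use with http.NewRequest.
func ValidateProxyTarget(raw string, allowed map[string]struct{}) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	if !u.IsAbs() || !strings.EqualFold(u.Scheme, "https") {
		return nil, fmt.Errorf("only absolute https URLs are accepted, got %q", raw)
	}
	if u.User != nil { // e.g. https://trusted@other.host/ must not pass
		return nil, fmt.Errorf("userinfo is not permitted in target URL")
	}
	port := u.Port()
	if port == "" {
		port = "443"
	}
	key := strings.ToLower(u.Hostname()) + ":" + port
	if _, ok := allowed[key]; !ok {
		return nil, fmt.Errorf("host %q is not an allowed proxy target", key)
	}
	// Re-encode the query so only well-formed key=value pairs are forwarded.
	return &url.URL{Scheme: "https", Host: key, Path: u.Path, RawQuery: u.Query().Encode()}, nil
}

// NewProxyRequest builds the outbound request only for an allowlisted target.
func NewProxyRequest(method, raw string) (*http.Request, error) {
	target, err := ValidateProxyTarget(raw, allowedTargets)
	if err != nil {
		return nil, err
	}
	return http.NewRequest(method, target.String(), nil)
}
```

Lookalike hosts, credential-bearing URLs, plain http and relative paths are all rejected before any request object exists, which is the property a scanner rule like this one is really asking the code to demonstrate.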