TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Information leakage on API error #937

Open davinerd opened 5 years ago

davinerd commented 5 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu (AWS) |
| OS version (client) | Ubuntu (AWS) |
| TheHive version / git hash | 3.2.1 |
| Package Type | DEB |
| Browser type & version | N/A |

Problem Description

On specific API errors, the response from the server leaks sensitive information back to the user.

Specifically, the local IP of the machine and its hostname, along with some indices.

Steps to Reproduce

Same as stated here: https://github.com/TheHive-Project/TheHive/issues/936

Possible Solutions

More strict error handling.

Complementary information

Every time there is an Invalid search query error from the server, the hostname and the local IP of the machine are leaked back to the user.

Also some indices are exposed.

This is an example:

```json
{"type":"SearchError","message":"Invalid search query ([<hostname>][<ip address>:9300][indices:data/read/search])"}
```

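An added example of the stricter error handling suggested above (example code, not TheHive's own Scala implementation): the leaky pattern beside a version that keeps the backend detail in the server log and hands the client only an opaque error id, plus a check that flags private addresses or Elasticsearch transport triples in a response body. The node name and address in the sample message are constructed placeholders.

```python
import logging
import re
import uuid

# Constructed sample, with placeholder node name and address, in the shape
# of the SearchError message quoted in this issue.
RAW_ES_ERROR = ("Invalid search query "
                "([es-node-1.internal][10.0.3.17:9300][indices:data/read/search])")

log = logging.getLogger("thehive.api")

# Things a client-facing body must not carry: RFC 1918 addresses and the
# Elasticsearch transport triple [node][host:port][action].
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
TRANSPORT_TRIPLE = re.compile(r"\[[^\[\]]+\]\[[^\[\]]+:\d+\]\[[^\[\]]+\]")


def leaky_search_error(raw_error: str) -> dict:
    """'Before': the backend exception text goes straight to the API client."""
    return {"type": "SearchError", "message": raw_error}


def safe_search_error(raw_error: str) -> dict:
    """'After': the full detail stays in the server log, keyed by an error id
    the client can quote to an operator; the client sees a generic message."""
    error_id = uuid.uuid4().hex[:12]
    log.error("search failed id=%s detail=%s", error_id, raw_error)
    return {"type": "SearchError",
            "message": "Invalid search query",
            "errorId": error_id}


def leaked_details(response: dict) -> list:
    """Defender's check: strings in an API response that reveal internal
    topology. An empty list means the body is clean."""
    found = []
    for value in response.values():
        if not isinstance(value, str):
            continue
        found += PRIVATE_IP.findall(value)
        found += TRANSPORT_TRIPLE.findall(value)
    return found


if __name__ == "__main__":
    print(leaked_details(leaky_search_error(RAW_ES_ERROR)))  # two hits
    print(leaked_details(safe_search_error(RAW_ES_ERROR)))   # []
```

The same `leaked_details` check can be run over captured responses from a test instance to confirm that no other error path echoes backend detail.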
norgalades commented 5 years ago

Hello,

I was about to open a new issue, but since this seems to be related I will complement with my information.

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 16.04 |
| TheHive version / git hash | 3.2.1-1 |
| Package Type | DEB |

Problem Description

In some cases, an error in a Cortex-Analyzer code can reveal the API keys, as shown in the following image.

image

Complementary information

```json
{
  "name": "FalconSearchIOC",
  "author": "Norgalades",
  "license": "AGPL-V3",
  "url": "https://github.com/",
  "version": "1.0",
  "description": "Check if an IOC (IP, domain or hash) has been seen in your CrowdStike environment.",
  "dataTypeList": ["ip", "hash", "domain"],
  "baseConfig": "FalconSearchIOC",
  "command": "FalconSearchIOC/falcon_search_IOC.py",
  "configurationItems": [
    {
      "name": "cs_api_off",
      "description": "Office api",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "cs_api_aff",
      "description": "Aff api",
      "type": "string",
      "multi": false,
      "required": true
    }
  ]
}
```

nadouani commented 5 years ago

Hello, both issues are not related: the first one is a TheHive API thing, the second is Cortex-Analyzers related "issue".

@norgalades can you please create this issue on Cortex-Analyzers repository?

Thanks

norgalades commented 5 years ago

Done @nadouani and thank you. If not already there, could you please also modify the page How to Write and Submit an Analyzer and specify that password, key, apikey, api_key are actually hidden config items? I was searching for this when writing the analyzer but I was not able to find the info in the docs.