cloudfoundry / stratos

Stratos: Web-based Management UI for Cloud Foundry and Kubernetes
Apache License 2.0
251 stars 132 forks

Gracefully handle invalid input during SSO logout #4836

Open jfredrickson5 opened 3 years ago

jfredrickson5 commented 3 years ago

Stratos Version

3.2.1

Frontend Deployment type

Backend (Jet Stream) Deployment type

Expected behaviour

Stratos should be able to gracefully handle invalid input in the state param upon SSO logout. Relevant line here for 3.2.1 and the same line is also present in the current version.

Actual behaviour

Parse error is unhandled, resulting in runtime error: invalid memory address or nil pointer dereference, resulting in an HTTP 500 server error.

Steps to reproduce the behavior

Attempt an SSO logout where an invalid state value is given, e.g.: https://stratos.example.com/pp/v1/auth/sso_logout?state=Hello%0A

Log output covering before error and any error statements

2020-12-09T11:19:39.43-0700 [APP/PROC/WEB/1] OUT {"time":"2020-12-09T18:19:39.437195643Z","level":"-","prefix":"echo","file":"recover.go","line":"73","message":"[PANIC RECOVER] runtime error: invalid memory address or nil pointer dereference goroutine 29167 [running]:\ngithub.com/labstack/echo/middleware.RecoverWithConfig.func1.1.1(0x109e2b0, 0x1000, 0xc0004b0000, 0x122d6e0, 0xc0003c8000)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/middleware/recover.go:71 +0xee\npanic(0xf0ca80, 0x1a9a9c0)\n\t/tmp/go1.13.4/go/src/runtime/panic.go:679 +0x1b2\nmain.getSSORedirectURI(0xc0006ec448, 0x4, 0x104d3fe, 0x6, 0x0, 0x0, 0x10, 0xeb5260)\n\t/tmp/app/src/jetstream/authuaa.go:570 +0x52\nmain.(*portalProxy).ssoLogoutOfUAA(0xc000480000, 0x122d6e0, 0xc0003c8000, 0x1, 0xc0006eb8c0)\n\t/tmp/app/src/jetstream/authuaa.go:492 +0x15b\nmain.(*portalProxy).setSecureCacheContentMiddleware.func1(0x122d6e0, 0xc0003c8000, 0x6, 0x8)\n\t/tmp/app/src/jetstream/middleware.go:187 +0x217\ngithub.com/labstack/echo.(*Echo).Add.func1(0x122d6e0, 0xc0003c8000, 0x104a488, 0x3)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/echo.go:490 +0x8a\nmain.(*portalProxy).urlCheckMiddleware.func1(0x122d6e0, 0xc0003c8000, 0x104cc48, 0x6)\n\t/tmp/app/src/jetstream/middleware.go:171 +0x159\nmain.(*portalProxy).setStaticCacheContentMiddleware.func1(0x122d6e0, 0xc0003c8000, 0xc00021f290, 0x24)\n\t/tmp/app/src/jetstream/middleware.go:179 +0x217\ngithub.com/cloudfoundry-incubator/stratos/src/jetstream/plugins/cloudfoundryhosting.(*CFHosting).SessionEchoMiddleware.func1(0x122d6e0, 0xc0003c8000, 0x11, 0xc0006ec440)\n\t/tmp/app/src/jetstream/plugins/cloudfoundryhosting/main.go:294 +0xa8\ngithub.com/cloudfoundry-incubator/stratos/src/jetstream/plugins/cloudfoundryhosting.(*CFHosting).EchoMiddleware.func1(0x122d6e0, 0xc0003c8000, 0x0, 0x0)\n\t/tmp/app/src/jetstream/plugins/cloudfoundryhosting/main.go:262 +0x2f4\nmain.retryAfterUpgradeMiddleware.func1(0x122d6e0, 0xc0003c8000, 0xc0004b3580, 0x1)\n\t/tmp/app/src/jetstream/middleware.go:244 +0x39\nmain.errorLoggingMiddleware.func1(0x122d6e0, 0xc0003c8000, 0x11, 0xc0006ec440)\n\t/tmp/app/src/jetstream/middleware.go:216 +0xb5\ngithub.com/labstack/echo/middleware.SecureWithConfig.func1.1(0x122d6e0, 0xc0003c8000, 0x106c43a, 0x20)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/middleware/secure.go:113 +0x168\ngithub.com/labstack/echo/middleware.CORSWithConfig.func1.1(0x122d6e0, 0xc0003c8000, 0xffffffffffffff00, 0xc0004b3958)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/middleware/cors.go:117 +0x407\ngithub.com/labstack/echo/middleware.RecoverWithConfig.func1.1(0x122d6e0, 0xc0003c8000, 0x0, 0x0)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/middleware/recover.go:78 +0x10e\ngithub.com/labstack/echo/middleware.LoggerWithConfig.func2.1(0x122d6e0, 0xc0003c8000, 0x0, 0x0)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/middleware/logger.go:118 +0x124\nmain.sessionCleanupMiddleware.func1(0x122d6e0, 0xc0003c8000, 0x3, 0xc0002b91a4)\n\t/tmp/app/src/jetstream/middleware.go:150 +0x9b\ngithub.com/labstack/echo.(*Echo).ServeHTTP(0xc00000c1e0, 0x1204fe0, 0xc00058a460, 0xc00022c200)\n\t/home/vcap/go/pkg/mod/github.com/labstack/echo@v3.3.10+incompatible/echo.go:593 +0x222\nnet/http.serverHandler.ServeHTTP(0xc0001d6000, 0x1204fe0, 0xc00058a460, 0xc00022c200)\n\t/tmp/go1.13.4/go/src/net/http/server.go:2802 +0xa4\nnet/http.(*conn).serve(0xc00045b900, 0x12093e0, 0xc0003f8b40)\n\t/tmp/go1.13.4/go/src/net/http/server.go:1890 +0x875\ncreated by net/http.(*Server).Serve\n\t/tmp/go1.13.4/go/src/net/http/server.go:2927 +0x38e\n\ngoroutine 1 [IO wait]:\ninternal/poll.runtime_pollWait(0x7f402d945d70, 0x72, 0x0)\n\t/tmp/go1.13.4/go/src/runtime/netpoll.go:184 +0x55\ninternal/poll.(*pollDesc).wait(0xc000576418, 0x72, 0x0, 0x0, 0x104e2fa)\n\t/tmp/go1.13.4/go/src/internal/poll/fd_poll_runtime.go:87 +0x45\ninternal/poll.(*pollDesc).waitRead(...)\n\t/tmp/go1.13.4/go/src/internal/poll/fd_poll_runtime.go:92\ninternal/poll.(*FD).Accept(0xc000576400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)\n\t/tmp/go1.13.4/go/src/internal/poll/fd_unix.go:384 +0x1f8\nnet.(*netFD).accept(0xc000576400, 0x203000, 0x203000, 0x203000)\n\t/tmp/go1.13.4/go/src/net/fd_unix.go:238 +0x42\nnet.(*TCPListener).accept(0xc00013f740, 0xc00030c088, 0xcaa2643, 0xb84a5a5432c87395)\n\t/tmp/go1.13.\n"}

2020-12-09T11:19:39.44-0700 [APP/PROC/WEB/1] OUT {"time":"2020-12-09T18:19:39.443108272Z","level":"ERROR","prefix":"echo","file":"main.go","line":"1071","message":"runtime error: invalid memory address or nil pointer dereference"}

2020-12-09T11:19:39.44-0700 [APP/PROC/WEB/1] OUT Request: [2020-12-09T18:19:39Z] Remote-IP:"[IP address redacted]" Method:"GET" Path:"/pp/v1/auth/sso_logout" Status:500 Latency:6.689445ms Bytes-In:0 Bytes-Out:21

2020-12-09T11:19:39.44-0700 [RTR/1] OUT stratos.example.com - [2020-12-09T18:19:39.435871540Z] "GET /pp/v1/auth/sso_logout?state=ZAP%0A HTTP/1.1" 500 0 21 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "127.0.0.1:58512" "[IP address redacted]:61124" x_forwarded_for:"[IP address redacted], 127.0.0.1" x_forwarded_proto:"https" vcap_request_id:"578fd0a1-d135-40eb-4a7c-a6289215476b" response_time:0.007495 gorouter_time:0.000113 app_id:"[redacted]" app_index:"1" x_cf_routererror:"-" x_b3_traceid:"20da311b9c568050" x_b3_spanid:"20da311b9c568050" x_b3_parentspanid:"-" b3:"20da311b9c568050-20da311b9c568050"
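The stack trace points at `getSSORedirectURI` in `authuaa.go`, reached from the `state` query parameter. The following is an added example, not Stratos code and not the project's fix: it assumes (a labelled assumption) that the panic comes from using the result of `url.Parse` without checking its error, which is what a value such as `Hello\n` triggers because Go's `url.Parse` rejects control characters and returns a nil `*url.URL`. The hypothetical `parseSSOState` helper checks the error first, and a plain `net/http` handler turns an unusable `state` into a 400 instead of a recovered panic and a 500.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrInvalidState is returned when the state query parameter cannot be used.
var ErrInvalidState = errors.New("invalid sso_logout state parameter")

// parseSSOState validates the state value from the sso_logout request and
// returns the parsed URL. Hypothetical helper written for this example; it is
// not the Stratos getSSORedirectURI function.
func parseSSOState(state string) (*url.URL, error) {
	if state == "" {
		// url.Parse("") succeeds with an empty URL, so reject it explicitly.
		return nil, ErrInvalidState
	}
	u, err := url.Parse(state)
	if err != nil {
		// url.Parse returns (nil, err) for input such as "Hello\n" because it
		// rejects control characters. Using u without this check is the nil
		// pointer dereference seen in the stack trace above.
		return nil, fmt.Errorf("%w: %v", ErrInvalidState, err)
	}
	return u, nil
}

// ssoLogoutHandler answers with 400 when the state parameter is unusable,
// instead of letting a panic be recovered into a 500.
func ssoLogoutHandler(w http.ResponseWriter, r *http.Request) {
	u, err := parseSSOState(r.URL.Query().Get("state"))
	if err != nil {
		http.Error(w, "invalid state parameter", http.StatusBadRequest)
		return
	}
	// A real handler would continue the logout flow here using u.
	fmt.Fprintf(w, "state accepted: %s\n", u.String())
}

func main() {
	// Constructed sample inputs: a usable URL, the newline case from the
	// issue, and an empty value.
	for _, s := range []string{"https://stratos.example.com/", "Hello\n", ""} {
		u, err := parseSSOState(s)
		if err != nil {
			fmt.Printf("%q rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%q accepted: %s\n", s, u.String())
	}
}
```

Returning a 4xx for malformed input also gives scanners such as ZAP a normal error response rather than a 500, which is what causes the finding mentioned in the comments below to fire.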

pburkholder commented 3 years ago

Hello, we'd love to have an update here for our compliance purposes, at the least. Thanks!

pburkholder commented 3 years ago

Hi again - OWASP ZAP misidentifies this as Medium impact "Format String Error"-type vulnerability, so it would help Stratos customers conform to vulnerability scans by clearing this issue, if you can. Thanks, Peter

pburkholder commented 3 years ago

sorry to spam you, but I'm obliged to ask this periodically:

Hi again - OWASP ZAP misidentifies this as Medium impact "Format String Error"-type vulnerability, so it would help Stratos customers conform to vulnerability scans by clearing this issue, if you can. Thanks, Peter