Open jfredrickson5 opened 3 years ago
We'd love to have an update here for our compliance purposes, at the least. Thanks!
Hi again - OWASP ZAP misidentifies this as Medium impact "Format String Error"-type vulnerability, so it would help Stratos customers conform to vulnerability scans by clearing this issue, if you can. Thanks, Peter
sorry to spam you, but I'm obliged to ask this periodically:
Hi again - OWASP ZAP misidentifies this as Medium impact "Format String Error"-type vulnerability, so it would help Stratos customers conform to vulnerability scans by clearing this issue, if you can. Thanks, Peter
Stratos Version
3.2.1
Frontend Deployment type
Backend (Jet Stream) Deployment type
Expected behaviour
Stratos should be able to gracefully handle invalid input in the state param upon SSO logout. Relevant line here for 3.2.1 and the same line is also present in the current version.
Actual behaviour
Parse error is unhandled, resulting in "runtime error: invalid memory address or nil pointer dereference", resulting in an HTTP 500 server error.
Steps to reproduce the behavior
Attempt an SSO logout where an invalid state value is given, e.g.: https://stratos.example.com/pp/v1/auth/sso_logout?state=Hello%0A
Log output covering before error and any error statements
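The failure mode in the report, reconstructed as an added Go example (this is illustrative code written for this page, not Stratos/Jet Stream code; the function names, the handler and the assumption that the state value is run through url.Parse with its error discarded are all hypothetical, chosen to match the symptom described above). The query value Hello%0A decodes to "Hello\n", and Go's net/url rejects ASCII control characters, so url.Parse returns a nil *url.URL plus an error; touching that nil pointer is exactly the "invalid memory address or nil pointer dereference" panic that surfaces as a 500. The hardened variant checks the error (and, as an extra assumption about what a usable state looks like, requires an absolute http(s) URL) and answers 400 instead:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrBadState is returned when the state parameter cannot be used as a redirect target.
var ErrBadState = errors.New("invalid state parameter")

// unsafeRedirectURI reproduces the failure mode the report describes, as an
// illustration (assumed, not Stratos code): the error from url.Parse is
// discarded, so for an unparseable state the nil *url.URL is dereferenced and
// the goroutine panics with "invalid memory address or nil pointer dereference".
func unsafeRedirectURI(state string) string {
	base, _ := url.Parse(state)
	base.Path = "" // nil pointer dereference when Parse failed
	return base.String()
}

// safeRedirectURI is the hardened form: the parse error is checked, and the
// value must additionally be an absolute http(s) URL. That second check is an
// assumption about what a usable state looks like, not something the report states.
func safeRedirectURI(state string) (string, error) {
	base, err := url.Parse(state)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadState, err)
	}
	if (base.Scheme != "https" && base.Scheme != "http") || base.Host == "" {
		return "", ErrBadState
	}
	base.Path, base.RawQuery, base.Fragment = "", "", ""
	return base.String(), nil
}

// ssoLogoutHandler is a hypothetical stand-in for the logout endpoint: a bad
// state yields 400 instead of a panic-induced 500.
func ssoLogoutHandler(w http.ResponseWriter, r *http.Request) {
	state := r.URL.Query().Get("state") // "%0A" is decoded to "\n" here
	target, err := safeRedirectURI(state)
	if err != nil {
		http.Error(w, "invalid state parameter", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// callLogout drives the handler in-process with httptest and returns the HTTP status code.
func callLogout(rawQuery string) int {
	req := httptest.NewRequest(http.MethodGet, "/pp/v1/auth/sso_logout?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	ssoLogoutHandler(rec, req)
	return rec.Code
}

// crashesWithNilDeref reports whether the unchecked version panics for the given state.
func crashesWithNilDeref(state string) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	_ = unsafeRedirectURI(state)
	return false
}

func main() {
	fmt.Println("unchecked parse panics on state=Hello\\n:", crashesWithNilDeref("Hello\n"))
	fmt.Println("hardened handler, state=Hello%0A:", callLogout("state=Hello%0A"))
	fmt.Println("hardened handler, valid state:", callLogout("state="+url.QueryEscape("https://stratos.example.com/")))
}
```

The point for the scanner finding is the status code: a crafted value that produces a 500 is what a generic scanner keys on, so turning the unhandled parse error into a deliberate 400 both fixes the crash and removes the signal the scan is reacting to. Note that a plain relative value such as state=Hello parses fine and would not crash even the unchecked version; only the control character in Hello%0A makes url.Parse fail.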