esgf2-us / metagrid

ESGF Search UI
https://metagrid.readthedocs.io/en/latest/
MIT License

Cross Site Scripting in Search Backend/Proxy #678

Closed skremdwd closed 4 weeks ago

skremdwd commented 4 weeks ago

Describe the bug

It is possible to execute JavaScript that is put in the URL/GET Part of the HTTP Request which can lead to Cross-Site Scripting.

Desktop: Windows + Firefox 132.0

To Reproduce

Example URL:

https://<metagrid-instance>/metagrid-backend/proxy/search?project=r%3Cs%3Eevqui%3Cscript%3Ealert(1)%3C%2fscript%3Ery328&offset=0&limit=10&type=Dataset&format=application%2Fsolr%2Bjson&facets=project%2C

A "1" will be displayed with a JS alert box and the Content-Type is wrongly set to: text/html;

Expected behavior

Return of a correct Content Type like json or solr json. The esg-search is handling this correctly (Content-Type: text/json;) so it seems like the issue is within the metagrid backend service:

https://<esgf-instance>/esg-search/search?project=r%3Cs%3Eevqui%3Cscript%3Ealert(1)%3C%2fscript%3Ery328&offset=0&limit=10&type=Dataset&format=application%2Fsolr%2Bjson&facets=project%2C
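The defect and its fix, as an added example that is not metagrid's own code: the names (`vulnerable_proxy`, `hardened_proxy`, `reflected_html_risk`), the stubbed upstream that echoes the `project` parameter back in its JSON, and the example host are assumptions. The check function is what a deployment could run against captured responses to confirm the patch: a request value containing `<` that comes back verbatim in a response labelled `text/html` (or with no Content-Type at all, which browsers will sniff) is flagged; the same body served with the upstream's JSON Content-Type and `X-Content-Type-Options: nosniff` is not.

```python
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# The URL from the report, with an assumed host in place of <metagrid-instance>.
REPORT_URL = (
    "https://metagrid.example/metagrid-backend/proxy/search"
    "?project=r%3Cs%3Eevqui%3Cscript%3Ealert(1)%3C%2fscript%3Ery328"
    "&offset=0&limit=10&type=Dataset&format=application%2Fsolr%2Bjson&facets=project%2C"
)


@dataclass
class ProxyResponse:
    status: int
    headers: dict
    body: str


def upstream_search(query: dict) -> ProxyResponse:
    """Constructed stand-in for esg-search: echoes request params in a Solr-style
    JSON body and labels it text/json, as the report says the real upstream does."""
    project = query.get("project", [""])[0]
    payload = {
        "responseHeader": {"status": 0, "params": {"project": project}},
        "response": {"numFound": 0, "docs": []},
    }
    return ProxyResponse(200, {"Content-Type": "text/json"}, json.dumps(payload))


def vulnerable_proxy(url: str) -> ProxyResponse:
    """The failure mode: the upstream Content-Type is dropped and the framework
    default (text/html) is sent, so the browser renders the echoed JSON as HTML."""
    query = parse_qs(urlsplit(url).query)
    upstream = upstream_search(query)
    return ProxyResponse(upstream.status, {"Content-Type": "text/html"}, upstream.body)


def hardened_proxy(url: str) -> ProxyResponse:
    """The fix: forward the upstream Content-Type (falling back to application/json)
    and forbid MIME sniffing so a mislabelled body is never interpreted as HTML."""
    query = parse_qs(urlsplit(url).query)
    upstream = upstream_search(query)
    headers = {
        "Content-Type": upstream.headers.get("Content-Type", "application/json"),
        "X-Content-Type-Options": "nosniff",
    }
    return ProxyResponse(upstream.status, headers, upstream.body)


def reflected_html_risk(url: str, resp: ProxyResponse) -> bool:
    """True when a query value containing markup is reflected verbatim into a
    response the browser will treat as HTML (text/html, or no type at all)."""
    media_type = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type not in ("text/html", "application/xhtml+xml", ""):
        return False
    query = parse_qs(urlsplit(url).query)
    for values in query.values():
        for value in values:
            if "<" in value and value in resp.body:
                return True
    return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_proxy), ("hardened", hardened_proxy)):
        resp = handler(REPORT_URL)
        print(f"{name}: Content-Type={resp.headers['Content-Type']!r} "
              f"risk={reflected_html_risk(REPORT_URL, resp)}")
```

Forwarding the upstream's own Content-Type is what the "Expected behavior" above asks for; `nosniff` is the extra layer so that a future header regression still does not turn a JSON body into a script-executing page.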

sashakames commented 4 weeks ago

This should be a trivial change to correct. Aside from "parlour tricks" of running some Javascript in your own browser, are there specific security risks from this that an attacker could use? (that said, this is so trivial I'm inclined to patch at the LLNL production deployment. )

downiec commented 4 weeks ago

We have a patch included in the latest update.

skremdwd commented 4 weeks ago

Thanks for the fast fix! I am not too deep into that topic, but combined with a JS exploit and hidden in a redirect/link this may be a real problem/point of attack.

My "double tap" workaround for my Nginx rev. proxy if someone has no time to update in the near future:

      # After proxy_pass ...
      # Drop the Content-Type the backend sends (text/html on the affected responses)
      proxy_hide_header Content-Type;
      # Clear nginx's own MIME map so nothing else can pick a type
      types { } default_type "text/json";
      # Set the type explicitly; note add_header only applies to 2xx/3xx responses
      # unless the "always" parameter is given
      add_header Content-Type "text/json";