obsidiandynamics / kafdrop

Kafka Web UI
Apache License 2.0
5.44k stars 833 forks

Consumer Group Id is not html escaped in the UI #641

Closed davideicardi closed 1 month ago

davideicardi commented 4 months ago

I have received a bug report from "d.morozov" regarding how consumer group id is displayed inside the UI. It looks like it is not html escaped so potentially it can break the UI or we can have security issues.

Verify if this is true and how we can fix it.

aakashthakare commented 3 months ago

Hey @davideicardi,

I tried to investigate this issue and following are my findings,

I started looking into the code recently, I could be wrong with my analysis. Feel free to correct me and guide for the same.

Looking forward to contributing more to this project. Let me know if any further investigation is required.

(Two screenshots attached, dated 2024-05-19.)
davideicardi commented 3 months ago

Thank you @aakashthakare! Regarding the resource not found, is it a problem of the id passed in the wrong way? Or maybe some other server side problems?

aakashthakare commented 3 months ago

Hello @davideicardi, thanks for the response. Yes, it needs to be fixed from the server side. The URL consumer/my-second-consumer-group-<a>new</a> is failing to reach the controller. We need to HTML encode it in the URL, while on the server side we need to HTML decode the consumer id.

davideicardi commented 3 months ago

What if you pass it as URL encoded? (not HTML encoded ...)

aakashthakare commented 3 months ago

It will solve it up to some extent, not completely.

For example, if the consumer group id is test-<a>it</a>, URL encoded it will become test-%3Ca%3Eit%3C%2Fa%3E; this we can do while returning the consumer group. However, it gets automatically decoded when clicking on the consumer link consumer/test-%3Ca%3Eit%3C%2Fa%3E, and we get "A 404 error has occurred: No static resource consumer/test-<a>it</a>".

One way is to do Base64 encoding/decoding of the groupId, but we need to see how we can decode it to display the readable consumer id. Check out this commit.
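The three encodings the thread keeps apart (HTML-escaping for display, percent-encoding for the URL path segment, and the Base64 alternative), as an added Python example. This is not Kafdrop code; it assumes a hypothetical UI that links each group to /consumer/<group id> and a server that decodes the last path segment before it reaches the handler (which is why the 404 page above shows the raw id). Note that HTML-escaping and percent-encoding are applied in a fixed order: encode the path segment first, then escape the whole href as an attribute, and escape the raw id again wherever the server renders it.

```python
"""Added example, not Kafdrop code. Shows why escaping for HTML and encoding
for a URL are two different steps, and how a group id such as
"test-<a>it</a>" survives both without breaking the page.
"""
import base64
import html
import urllib.parse

# Constructed sample ids (not taken from a real cluster).
SAMPLE_IDS = ["test-<a>it</a>", "my-second-consumer-group-<a>new</a>", "group/one&two"]


def html_escape(group_id: str) -> str:
    """For text nodes and attribute values: neutralises < > & " and '."""
    return html.escape(group_id, quote=True)


def path_segment(group_id: str) -> str:
    """Percent-encode a single path segment. safe="" also encodes '/',
    so an id containing a slash stays one segment instead of two."""
    return urllib.parse.quote(group_id, safe="")


def decode_path_segment(segment: str) -> str:
    """What a servlet container does before the controller sees the id."""
    return urllib.parse.unquote(segment)


def unsafe_link(group_id: str) -> str:
    """The pattern the bug report describes: raw id in both href and body."""
    return f'<a href="/consumer/{group_id}">{group_id}</a>'


def consumer_link(group_id: str) -> str:
    """Hardened form. Order matters: percent-encode the segment, then
    HTML-escape the finished href as an attribute, and escape the visible
    text separately."""
    href = "/consumer/" + path_segment(group_id)
    return f'<a href="{html_escape(href)}">{html_escape(group_id)}</a>'


def render_not_found(decoded_id: str) -> str:
    """Server-side error page. The id arrives already percent-decoded, so
    URL-encoding the link did nothing for this output; it must be escaped
    again here or the markup lands in the page."""
    return f"<p>No static resource consumer/{html_escape(decoded_id)}</p>"


def b64_segment(group_id: str) -> str:
    """The Base64 alternative from the thread: URL-safe alphabet, padding
    stripped so the segment contains only [A-Za-z0-9_-]."""
    return base64.urlsafe_b64encode(group_id.encode("utf-8")).decode("ascii").rstrip("=")


def b64_decode_segment(segment: str) -> str:
    """Restore padding and decode; the readable id is recovered server-side."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")


def round_trips(group_id: str) -> bool:
    """Both encodings must give the original id back on the server."""
    return (decode_path_segment(path_segment(group_id)) == group_id
            and b64_decode_segment(b64_segment(group_id)) == group_id)


if __name__ == "__main__":
    for gid in SAMPLE_IDS:
        print("unsafe :", unsafe_link(gid))
        print("safe   :", consumer_link(gid))
        print("b64    :", b64_segment(gid), "->", b64_decode_segment(b64_segment(gid)))
        print("404    :", render_not_found(decode_path_segment(path_segment(gid))))
```

Running it prints the unsafe and hardened anchors side by side; the unsafe one for `test-<a>it</a>` contains a nested `<a>` element, the hardened one does not, and the percent-encoded segment matches the `test-%3Ca%3Eit%3C%2Fa%3E` quoted above.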

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 1 month ago

This issue was closed because it has been inactive for 14 days since being marked as stale.