openbmc / phosphor-rest-server

REST server that transposes dbus interfaces to REST
Apache License 2.0

XSS vulnerability flagged for FileNotFound message #28

Open joseph-reynolds opened 5 years ago

joseph-reynolds commented 5 years ago

When the REST API is invoked with a path like GET />...attack... it returns a JSON message body which contains { "description": "org.freedesktop.DBus.Error.FileNotFound: object or path not found: />...attack..."}. Note that the attack string is repeated in the response. Some security scanning tools report this as evidence that the API is vulnerable to cross-site scripting (XSS) attacks (that is, if the string would ever be executed as code).

As far as I can determine, the path is properly quoted (e.g., quotes are escaped), so the attack string is never treated as code, meaning the API does not have this vulnerability. However, security scanners will continue to report this false positive result.

I propose to change the error message to either (1) not repeat the path or (2) modify the path to make it so ugly the scan tools will not recognize it.
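The following is an added illustration, not code from phosphor-rest-server or from the issue author. It reproduces the response shape the issue describes (the requested path echoed inside a JSON string), a check that the echo stays contained inside the JSON string because the encoder escapes quotes, and the two remedies proposed above: omitting the path entirely (option 1) and, as one reading of option 2, reducing the echoed path to the characters a D-Bus object path may legally contain so that nothing quote- or tag-like survives. The function names, the probe string and the 64-character limit are my own constructed assumptions.

```python
import json
import re

# Error name as quoted in the issue; the message text mirrors the issue's example.
DBUS_FILE_NOT_FOUND = "org.freedesktop.DBus.Error.FileNotFound"

# D-Bus object paths may only contain [A-Za-z0-9_] and '/'; anything else is
# dropped by the sanitizing variant below. (Character set per the D-Bus spec.)
_OBJECT_PATH_CHARS = re.compile(r"[^A-Za-z0-9_/]")
_MAX_ECHO_LEN = 64  # assumed limit for the sanitized echo


def error_body_echoing_path(path):
    """Current behaviour described in the issue: the requested path is echoed.

    json.dumps escapes any double quote in `path`, so the echoed text cannot
    terminate the JSON string it sits in.
    """
    description = f"{DBUS_FILE_NOT_FOUND}: object or path not found: {path}"
    return json.dumps({"description": description})


def error_body_without_path():
    """Option (1) from the issue: do not repeat the requested path at all."""
    return json.dumps({"description": f"{DBUS_FILE_NOT_FOUND}: object or path not found"})


def sanitize_path_for_echo(path):
    """Variant of option (2): keep only legal object-path characters and truncate."""
    return _OBJECT_PATH_CHARS.sub("", path)[:_MAX_ECHO_LEN]


def error_body_with_sanitized_path(path):
    """Echo a reduced form of the path that can contain no quotes or angle brackets."""
    description = f"{DBUS_FILE_NOT_FOUND}: object or path not found: {sanitize_path_for_echo(path)}"
    return json.dumps({"description": description})


def reflection_is_contained(body, probe):
    """Check that `probe` is reflected only as JSON string content.

    Returns True when the body parses as a single-key object, the decoded
    description still carries the probe verbatim (so the message is usable),
    and, if the probe contains a double quote, the probe does not appear
    unescaped in the raw body text.
    """
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(parsed, dict) or set(parsed) != {"description"}:
        return False
    if probe not in parsed["description"]:
        return False
    if '"' in probe and probe in body:
        return False  # a raw quote reached the wire unescaped
    return True


if __name__ == "__main__":
    # Constructed scanner-style probe: a quote and angle brackets after the path.
    probe = '/>"<x>'
    body = error_body_echoing_path(probe)
    print(body)                                   # quote arrives as \"
    print(reflection_is_contained(body, probe))   # True: echo stays inside the string
    print(error_body_without_path())
    print(error_body_with_sanitized_path(probe))  # only "/x" of the probe survives
```

The containment check is what a reviewer would run to confirm the author's reading that the reflection is quoted correctly; it exercises the encoder rather than trusting it. Both remedies remove the verbatim echo, which is what stops a pattern-matching scanner from flagging the response, while the sanitized variant still tells the caller roughly which path was requested.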