pingidentity / scim2

The UnboundID SCIM 2.0 SDK for Java

Prevent template variable injection into resource location URL #144

Closed lance-purple-unboundid closed 4 years ago

lance-purple-unboundid commented 4 years ago

JiraIssue: DS-40219

coulbeck commented 4 years ago

This looks good. I did a search for all usages of UriBuilder (I should have done that when I fixed DS-41106), and found one more possible trouble spot.

It's in AuthenticatedSubjectAliasFilter, lines 68-80. This is where we handle a request to /Me.

Could you also add a call to encodeTemplateNames on line 77 where we call UriBuilder#queryParam.

    UriBuilder newRequestUri =
        requestContext.getUriInfo().getBaseUriBuilder();
    newRequestUri.path(authSubjectPath +
        requestPath.substring(alias.length()));
    MultivaluedMap<String, String> queryParams =
        requestContext.getUriInfo().getQueryParameters();
    for (String key : queryParams.keySet())
    {
      List<String> values = queryParams.get(key);
      newRequestUri.queryParam(key, values.toArray()); // <<<< Template Injection Problem??
    }

    requestContext.setRequestUri(newRequestUri.build());
lance-purple-unboundid commented 4 years ago

Updated AuthenticatedSubjectAliasFilter to encode the queryParams, and also the authSubjectPath (which can produce the IllegalArgumentException if /Me resolves to a resource containing curly braces)
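An added example, not code from this PR or from the scim2 SDK, showing the failure mode discussed above and the effect of escaping before UriBuilder sees untrusted input. It assumes the JAX-RS API plus an implementation (such as Jersey) on the classpath; encodeTemplateNames here is a hypothetical stand-in for the SDK's method, and the base URI, subject path and filter value are constructed.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.UriBuilder;

public class TemplateInjectionDemo
{
  // Hypothetical stand-in for the SDK's encodeTemplateNames: percent-encode
  // the two characters UriBuilder treats as template delimiters, so a value
  // copied from the request is never parsed as a template variable.
  static String encodeTemplateNames(final String value)
  {
    return value.replace("{", "%7B").replace("}", "%7D");
  }

  // Rebuilds a /Me request the way the filter does: base URI, the resolved
  // subject path, then the caller's query parameters. encode=false is the
  // pre-fix behaviour; encode=true escapes every untrusted string first.
  static URI rewriteMeRequest(final String baseUri, final String authSubjectPath,
                              final Map<String, List<String>> queryParams,
                              final boolean encode)
  {
    UriBuilder b = UriBuilder.fromUri(baseUri)
        .path(encode ? encodeTemplateNames(authSubjectPath) : authSubjectPath);
    for (Map.Entry<String, List<String>> e : queryParams.entrySet())
    {
      for (String v : e.getValue())
      {
        b.queryParam(e.getKey(), encode ? encodeTemplateNames(v) : v);
      }
    }
    // build() with no arguments throws IllegalArgumentException if any
    // template variable ({name}) is still present in the path or query.
    return b.build();
  }

  public static void main(final String[] args)
  {
    // Constructed input: a subject id and a filter value both carrying braces.
    String subjectPath = "/Users/acct{7}";
    Map<String, List<String>> query = Map.of("filter", List.of("userName eq \"{x}\""));
    try
    {
      rewriteMeRequest("https://example.com/scim/v2", subjectPath, query, false);
    }
    catch (IllegalArgumentException ex)
    {
      System.out.println("unencoded rewrite failed: " + ex.getMessage());
    }
    System.out.println("encoded rewrite: "
        + rewriteMeRequest("https://example.com/scim/v2", subjectPath, query, true));
  }
}
```

The unencoded call fails (or, if template values were later supplied, would substitute attacker-chosen names), while the encoded call yields a URI in which the braces survive as %7B and %7D.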