Open kamuffe opened 2 years ago
What you describe sounds like another case for https://vaadin.com/labs/csp. While the mechanism is slightly different (CSP vs ModSecurity), the core of it is that all the JS that needs to be run should be known at compile time rather than assembled by the server.
Seems like the long JS string is used as an ID of the shortcut triggered on the client. The solution might be to make a map of shortcuts on the server (and somehow synchronised with the client) and then the client can only send an ID of the shortcut. Needs a design.
Also, this looks to be more as a major
issue as it prevents using server-side API for shortcuts with proxies.
As a simpler workaround, we could maybe just create a built-in JS function for that particular case so that the whole expression wouldn't have to be sent back and forth. That would have the additional benefit of reducing payload sizes regardless of this particular issue.
Description of the bug
Hi Vaadin Team.
When creating a Button with a ClickShortcut, the request to the server is intercepted by the ModSecurity WAF.
Setup: Client Browser <-> Apache (with ModeSecurity) as Proxy <-> Vaadin Server Application
Current Behavior: Vaddin Client Side sends a request with the following content to the server.
Because of the JavaScript in the json, a ModSecurity rule is triggered, and the request is blocked.
ModSecurity Error (snipped):
"Warning. Pattern match \"(?i)[\\\"\\\\'][ ]*(?:[^a-z0-9~_:\\\\' ]|in).+?[.].+?=\" at ARGS_NAMES:rpc.rpc.data.(['Enter'].indexOf(event.code) !== -1 || ['Enter'].indexOf(event.key) !== -1) && !event.getModifierState('Shift') && !event.getModifierState('Control') && !event.getModifierState('Alt') && !event.getModifierState('AltGraph') && !event.getModifierState('Meta') && (event.stopPropagation() || true). [file \"/usr/local/apache2/conf/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"829\"] [id \"941340\"] [msg \"IE XSS Filters - Attack Detected\"] [data \"Matched Data: '].indexOf(event.code) != found within ARGS_NAMES:rpc.rpc.data.(['Enter'].indexOf(event.code) !== -1 || ['Enter'].indexOf(event.key) !== -1) && !event.getModifierState('Shift') && !event.getModifierState('Control') && !event.getModifierState('Alt') && !event.getModifierState('AltGraph') && !event.getModifierState('Meta') && (event.stopPropagation() || true): rpc.rpc.data.(['Enter'].indexOf(event.code) !== -1 || ['Enter'].indexOf(event",
Best, Kamuffe
Expected behavior
Minimal reproducible example
STR: Create a Vaadin application with a primary button with a click shortcut like:
Versions
Vaadin / Flow version: 14.8.6
Java version: 11
OS version: CentOS 7
Browser version (if applicable): does not matter
Application Server (if applicable): does not matter
IDE (if applicable): does not matter
ModSecurity CoreRuleset 3.3.2