-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Medium
-
Affects Version/s: 5.0.3
-
Component/s: Application Links
-
5
-
4.3
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated before redirect. Using a relative URL or validating the argument before use should fix the issue.
File: applinks-plugin\src\main\java\com\atlassian\applinks\core\auth\oauth\servlets\Serviceprovider\AddConsumerReciprocalServlet.java
AddConsumerReciprocalServlet.java
@Override protected void doGet(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException { try { // Enable web sudo protection if needed and if the app we are running in supports it webSudoManager.willExecuteWebSudoRequest(request); final ApplicationLink applicationLink; try { applicationLink = getRequiredApplicationLink(request); } catch(NotFoundException ex) { resp.sendRedirect(createRedirectUrl(request, true, null)); return; } private String createRedirectUrl(final HttpServletRequest req, final boolean success, final String message) { String callbackUrl = getRequiredParameter(req, CALLBACK_PARAM); if (callbackUrl.indexOf("?") == -1) { callbackUrl += "?"; } String redirectUrl = String.format("%s&" + SUCCESS_PARAM + "=%s", callbackUrl, success); if (!StringUtils.isBlank(message)) { redirectUrl += "&" + MESSAGE_PARAM + "=" + URIUtil.utf8Encode(message); } return redirectUrl; }
