Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-40793

"Content injection" issue in gadgets

XMLWordPrintable

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      I'm filing this in JRA because it looks like atlassian-gadgets is mainly maintained through JIRA project

      If someone goes to plugins/servlet/gadgets/ifr with a broken url query parameter such as

      https://wh.atlassian.net/plugins/servlet/gadgets/ifr?container=atlassian&mid=1&country=US&lang=en&view=default&view-params={%22writable%22%3A%22false%22}&st=atlassian%3A99BsRDeg7EUdtS2P7WSYdXbvuyZl6RUJ71WH%2BhmLowxMr8BVSEdJdYLyVzO81%2FVi1ffVkF%2BUdW9D68zEvlbauTfgDMhjP0L0JCtW5RThr3AwvoXV0s8MUfVeLtNPN%2FbC5iBPuOUykXCKoYKZTXP9ayRCG1H3l5abZOrL7kCq7mHhlgyH0130%2FdVhDebkcxcQLlsOGrZ8mNsmGMoqkjO3Y2Lt98XWYduI1mfQT2AHCfd1ofIlP95cKzVXQD83khHDTB1U4ifDi2f8FhfsVjcna0V4%2FZu7JA%2Fqx%2FCtIP0%2F9eZqCNaaoJbMXvDRLiPhbXnES92TOq7Y4VKUPhp3wTEhjIlnTNQ%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Activity+Stream&up_titleRequired=false&up_numofentries=10&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=&up_itemKeys=&up_username=testing4%40whitehatsec.com&url=the%20query%20as%20a%20URI.%20WARNING:%20Unauthorized%20activity%20detected.%20Email%20testing@whitehatsec.com%20to%20obtain%20the%20proper%20security%20token.%20Message:%20Null;%20unable%20to%20part%20%20&libs=auth-refresh

      Then the whole url value gets reflected in the error message. This can be used to produce rather ridiculous but still misleading pages, see the screenshot.

      Perhaps validate url query parameter before trying to parse it.

      This has been reported externally and we need to fix it.

        1. Screen Shot 2014-11-12 at 3.14.33 pm.png
          Screen Shot 2014-11-12 at 3.14.33 pm.png
          128 kB

            [JRASERVER-40793] "Content injection" issue in gadgets

            Owen made changes -
            Component/s New: Dashboard & Gadgets [ 43416 ]
            Owen made changes -
            Component/s Original: Dashboards & Reports - Gadgets [ 12923 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2841336 ] New: JAC Bug Workflow v3 [ 2920002 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2572870 ] New: JAC Bug Workflow v2 [ 2841336 ]
            Ignat (Inactive) made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1542662 ] New: JIRA Bug Workflow w Kanban v7 - Restricted [ 2572870 ]
            jonah (Inactive) made changes -
            Description Original: I'm filing this in JRA because it looks like atlassian-gadgets is mainly [maintained through JIRA project |https://extranet.atlassian.com/display/DEV/2014/07/01/Atlassian+Gadgets+3.5.4%2C+3.5.5%2C+3.7.4+and+3.7.5+released]

            If someone goes to {{plugins/servlet/gadgets/ifr}} with a broken {{url}} query parameter such as

            {noformat}
            https://wh.atlassian.net/plugins/servlet/gadgets/ifr?container=atlassian&mid=1&country=US&lang=en&view=default&view-params={%22writable%22%3A%22false%22}&st=atlassian%3A99BsRDeg7EUdtS2P7WSYdXbvuyZl6RUJ71WH%2BhmLowxMr8BVSEdJdYLyVzO81%2FVi1ffVkF%2BUdW9D68zEvlbauTfgDMhjP0L0JCtW5RThr3AwvoXV0s8MUfVeLtNPN%2FbC5iBPuOUykXCKoYKZTXP9ayRCG1H3l5abZOrL7kCq7mHhlgyH0130%2FdVhDebkcxcQLlsOGrZ8mNsmGMoqkjO3Y2Lt98XWYduI1mfQT2AHCfd1ofIlP95cKzVXQD83khHDTB1U4ifDi2f8FhfsVjcna0V4%2FZu7JA%2Fqx%2FCtIP0%2F9eZqCNaaoJbMXvDRLiPhbXnES92TOq7Y4VKUPhp3wTEhjIlnTNQ%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Activity+Stream&up_titleRequired=false&up_numofentries=10&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=&up_itemKeys=&up_username=testing4%40whitehatsec.com&url=the%20query%20as%20a%20URI.%20WARNING:%20Unauthorized%20activity%20detected.%20Email%20testing@whitehatsec.com%20to%20obtain%20the%20proper%20security%20token.%20Message:%20Null;%20unable%20to%20part%20%20&libs=auth-refresh
            {noformat}

            Then the whole {{url}} value gets reflected in the error message. This can be used to produce rather ridiculous but still misleading pages, see the screenshot.

            Perhaps validate {{url}} query parameter before trying to parse it.

            This has been reported externally and we need to fix it.             		New: {panel:bgColor=#e7f4fa}
              *NOTE:* This bug report is for *JIRA Server*. Using *JIRA Cloud*? [See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-40793].
              {panel}

            I'm filing this in JRA because it looks like atlassian-gadgets is mainly [maintained through JIRA project |https://extranet.atlassian.com/display/DEV/2014/07/01/Atlassian+Gadgets+3.5.4%2C+3.5.5%2C+3.7.4+and+3.7.5+released]

            If someone goes to {{plugins/servlet/gadgets/ifr}} with a broken {{url}} query parameter such as

            {noformat}
            https://wh.atlassian.net/plugins/servlet/gadgets/ifr?container=atlassian&mid=1&country=US&lang=en&view=default&view-params={%22writable%22%3A%22false%22}&st=atlassian%3A99BsRDeg7EUdtS2P7WSYdXbvuyZl6RUJ71WH%2BhmLowxMr8BVSEdJdYLyVzO81%2FVi1ffVkF%2BUdW9D68zEvlbauTfgDMhjP0L0JCtW5RThr3AwvoXV0s8MUfVeLtNPN%2FbC5iBPuOUykXCKoYKZTXP9ayRCG1H3l5abZOrL7kCq7mHhlgyH0130%2FdVhDebkcxcQLlsOGrZ8mNsmGMoqkjO3Y2Lt98XWYduI1mfQT2AHCfd1ofIlP95cKzVXQD83khHDTB1U4ifDi2f8FhfsVjcna0V4%2FZu7JA%2Fqx%2FCtIP0%2F9eZqCNaaoJbMXvDRLiPhbXnES92TOq7Y4VKUPhp3wTEhjIlnTNQ%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Activity+Stream&up_titleRequired=false&up_numofentries=10&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=&up_itemKeys=&up_username=testing4%40whitehatsec.com&url=the%20query%20as%20a%20URI.%20WARNING:%20Unauthorized%20activity%20detected.%20Email%20testing@whitehatsec.com%20to%20obtain%20the%20proper%20security%20token.%20Message:%20Null;%20unable%20to%20part%20%20&libs=auth-refresh
            {noformat}

            Then the whole {{url}} value gets reflected in the error message. This can be used to produce rather ridiculous but still misleading pages, see the screenshot.

            Perhaps validate {{url}} query parameter before trying to parse it.

            This has been reported externally and we need to fix it.
            jonah (Inactive) made changes -
            Link New: This issue relates to JRACLOUD-40793 [ JRACLOUD-40793 ]
            Owen made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v6 [ 760417 ] New: JIRA Bug Workflow w Kanban v6 - Restricted [ 1542662 ]
            David Black made changes -
            Link New: This issue is related to JRA-43910 [ JRA-43910 ]
            VitalyA made changes -
            Labels Original: security to-publish New: security

              ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
              vosipov VitalyA
              Affected customers:
              0 This affects my team
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: