status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

[Security] Fix XSS Vulnerability where content-type header wasn't explicitly set (#21704) 

* explicitly add content-type anywhere possible and add middleware to set and warn

* added tests, fixed typo

* clean up unused constants

* changelog

* fix call order in middleware
This commit is contained in:
sarahalsmiller 2024-09-11 14:23:21 -05:00 committed by GitHub
parent 876a0a7778
commit 07fae7bb0b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 65 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.changelog/21704.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:security
Explicitly set 'Content-Type' header to mitigate XSS vulnerability.
```

35
agent/http.go
View File

@ -6,6 +6,7 @@ package agent
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/hashicorp/go-hclog"
"io" "io"
"net" "net"
"net/http" "net/http"
@ -43,6 +44,11 @@ import (
"github.com/hashicorp/consul/proto/private/pbcommon" "github.com/hashicorp/consul/proto/private/pbcommon"
) )
const (
contentTypeHeader = "Content-Type"
plainContentType = "text/plain; charset=utf-8"
)
var HTTPSummaries = []prometheus.SummaryDefinition{ var HTTPSummaries = []prometheus.SummaryDefinition{
{ {
Name: []string{"api", "http"}, Name: []string{"api", "http"},
@ -220,6 +226,7 @@ func (s *HTTPHandlers) handler() http.Handler {
// If enableDebug register wrapped pprof handlers // If enableDebug register wrapped pprof handlers
if !s.agent.enableDebug.Load() && s.checkACLDisabled() { if !s.agent.enableDebug.Load() && s.checkACLDisabled() {
resp.WriteHeader(http.StatusNotFound) resp.WriteHeader(http.StatusNotFound)
resp.Header().Set(contentTypeHeader, plainContentType)
return return
} }
@ -228,6 +235,7 @@ func (s *HTTPHandlers) handler() http.Handler {
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil) authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
if err != nil { if err != nil {
resp.Header().Set(contentTypeHeader, plainContentType)
resp.WriteHeader(http.StatusForbidden) resp.WriteHeader(http.StatusForbidden)
return return
} }
@ -237,6 +245,7 @@ func (s *HTTPHandlers) handler() http.Handler {
// TODO(partitions): should this be possible in a partition? // TODO(partitions): should this be possible in a partition?
// TODO(acl-error-enhancements): We should return error details somehow here. // TODO(acl-error-enhancements): We should return error details somehow here.
if authz.OperatorRead(nil) != acl.Allow { if authz.OperatorRead(nil) != acl.Allow {
resp.Header().Set(contentTypeHeader, plainContentType)
resp.WriteHeader(http.StatusForbidden) resp.WriteHeader(http.StatusForbidden)
return return
} }
@ -317,6 +326,8 @@ func (s *HTTPHandlers) handler() http.Handler {
} }
h = withRemoteAddrHandler(h) h = withRemoteAddrHandler(h)
h = ensureContentTypeHeader(h, s.agent.logger)
s.h = &wrappedMux{ s.h = &wrappedMux{
mux: mux, mux: mux,
handler: h, handler: h,
@ -337,6 +348,20 @@ func withRemoteAddrHandler(next http.Handler) http.Handler {
}) })
} }
// Injects content type explicitly if not already set into response to prevent XSS
func ensureContentTypeHeader(next http.Handler, logger hclog.Logger) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
next.ServeHTTP(resp, req)
val := resp.Header().Get(contentTypeHeader)
if val == "" {
resp.Header().Set(contentTypeHeader, plainContentType)
logger.Debug("warning: content-type header not explicitly set.", "request-path", req.URL)
}
})
}
// nodeName returns the node name of the agent // nodeName returns the node name of the agent
func (s *HTTPHandlers) nodeName() string { func (s *HTTPHandlers) nodeName() string {
return s.agent.config.NodeName return s.agent.config.NodeName
@ -380,6 +405,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
"from", req.RemoteAddr, "from", req.RemoteAddr,
"error", err, "error", err,
) )
//set response type to plain to prevent XSS
resp.Header().Set(contentTypeHeader, plainContentType)
resp.WriteHeader(http.StatusInternalServerError) resp.WriteHeader(http.StatusInternalServerError)
return return
} }
@ -406,6 +433,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
"from", req.RemoteAddr, "from", req.RemoteAddr,
"error", errMsg, "error", errMsg,
) )
//set response type to plain to prevent XSS
resp.Header().Set(contentTypeHeader, plainContentType)
resp.WriteHeader(http.StatusForbidden) resp.WriteHeader(http.StatusForbidden)
fmt.Fprint(resp, errMsg) fmt.Fprint(resp, errMsg)
return return
@ -585,6 +614,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
resp.Header().Add("X-Consul-Reason", errPayload.Reason) resp.Header().Add("X-Consul-Reason", errPayload.Reason)
} }
} else { } else {
//set response type to plain to prevent XSS
resp.Header().Set(contentTypeHeader, plainContentType)
handleErr(err) handleErr(err)
return return
} }
@ -596,6 +627,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
if contentType == "application/json" { if contentType == "application/json" {
buf, err = s.marshalJSON(req, obj) buf, err = s.marshalJSON(req, obj)
if err != nil { if err != nil {
//set response type to plain to prevent XSS
resp.Header().Set(contentTypeHeader, plainContentType)
handleErr(err) handleErr(err)
return return
} }
@ -606,7 +639,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
} }
} }
} }
resp.Header().Set("Content-Type", contentType) resp.Header().Set(contentTypeHeader, contentType)
resp.WriteHeader(httpCode) resp.WriteHeader(httpCode)
resp.Write(buf) resp.Write(buf)
} }

32
agent/http_test.go
View File

@ -639,14 +639,14 @@ func TestHTTPAPIResponseHeaders(t *testing.T) {
`) `)
defer a.Shutdown() defer a.Shutdown()
requireHasHeadersSet(t, a, "/v1/agent/self") requireHasHeadersSet(t, a, "/v1/agent/self", "application/json")
// Check the Index page that just renders a simple message with UI disabled // Check the Index page that just renders a simple message with UI disabled
// also gets the right headers. // also gets the right headers.
requireHasHeadersSet(t, a, "/") requireHasHeadersSet(t, a, "/", "text/plain; charset=utf-8")
} }
func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) { func requireHasHeadersSet(t *testing.T, a *TestAgent, path string, contentType string) {
t.Helper() t.Helper()
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
@ -661,6 +661,9 @@ func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) {
require.Equal(t, "1; mode=block", hdrs.Get("X-XSS-Protection"), require.Equal(t, "1; mode=block", hdrs.Get("X-XSS-Protection"),
"X-XSS-Protection header value incorrect") "X-XSS-Protection header value incorrect")
require.Equal(t, contentType, hdrs.Get("Content-Type"),
"")
} }
func TestUIResponseHeaders(t *testing.T) { func TestUIResponseHeaders(t *testing.T) {
@ -680,7 +683,28 @@ func TestUIResponseHeaders(t *testing.T) {
`) `)
defer a.Shutdown() defer a.Shutdown()
requireHasHeadersSet(t, a, "/ui") //response header for the UI appears to be being handled by the UI itself.
requireHasHeadersSet(t, a, "/ui", "text/plain; charset=utf-8")
}
func TestErrorContentTypeHeaderSet(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
a := NewTestAgent(t, `
http_config {
response_headers = {
"Access-Control-Allow-Origin" = "*"
"X-XSS-Protection" = "1; mode=block"
"X-Frame-Options" = "SAMEORIGIN"
}
}
`)
defer a.Shutdown()
requireHasHeadersSet(t, a, "/fake-path-doesn't-exist", "text/plain; charset=utf-8")
} }
func TestAcceptEncodingGzip(t *testing.T) { func TestAcceptEncodingGzip(t *testing.T) {