yahoo-eng-team team mailing list archive
Message #28932
[Bug 1427135] [NEW] Neutron API reflects JavaScript/any input in error message
Public bug reported:
During security scan of Neutron API, Nessus raises the following
security alert about reflected XSS:
REQUEST:
<script>cross_site_scripting.nasl</script>
API RESPONSE:
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Mon, 29 Dec 2014 09:50:52 GMT
Connection: close
File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, [...]
"URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')
My proposal is to modify the API error response in a way that doesn't cause reflection of the original input - doesn't matter if JavaScript or not.
IMO the error message should end at the line "Connection: close"
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1427135
Title:
Neutron API reflects JavaScript/any input in error message
Status in OpenStack Neutron (virtual network service):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1427135/+subscriptions
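The fix the report asks for, shown as an added example that is not Neutron's or Paste's own code: a WSGI middleware that catches any unhandled exception from the wrapped application, logs the traceback server-side, and returns a fixed 500 body that contains nothing derived from the request. The `fragile_app` function is a stand-in assumed here for an application that raises with the client's input in the message, the way the quoted `paste.urlmap` assertion does; `GenericErrorMiddleware`, `call_app` and the sample path are constructed for this example.

```python
"""Added example (not Neutron's or Paste's code): stop a 500 response from
echoing request input by replacing the traceback with a constant body."""
import logging
import traceback

# Constructed sample input, modelled on the request quoted in the report.
TAINTED_PATH = "<script>cross_site_scripting.nasl</script>"


def fragile_app(environ, start_response):
    """Stand-in (hypothetical) app that raises with the client's input in the
    message, like the urlmap assertion in the report."""
    url = environ.get("PATH_INFO", "")
    assert url.startswith("/") or url.startswith("http://"), (
        "URL fragments must start with / or http:// (you gave %r)" % url)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


class GenericErrorMiddleware(object):
    """Catch exceptions raised by the wrapped app, log the details where
    operators can read them, and send the client a body with no request data."""
    BODY = b"500 Internal Server Error"

    def __init__(self, app, log=None):
        self.app = app
        self.log = log or logging.getLogger(__name__)

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            # Traceback (including any reflected input) goes to the log only.
            self.log.error("unhandled exception:\n%s", traceback.format_exc())
            start_response("500 Internal Server Error", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(self.BODY))),
                ("Connection", "close"),
            ])
            return [self.BODY]


def call_app(app, path):
    """Invoke a WSGI app with a minimal constructed environ (no HTTP server)
    and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def unwrapped_error_message(path):
    """What the client would see without the middleware: the exception text."""
    try:
        call_app(fragile_app, path)
    except AssertionError as exc:
        return str(exc)
    return ""


def response_reflects_input(body, raw_input):
    """Detection check: does the response body echo the request input?"""
    return raw_input.encode() in body


if __name__ == "__main__":
    wrapped = GenericErrorMiddleware(fragile_app)
    status, headers, body = call_app(wrapped, TAINTED_PATH)
    print(status, headers)
    print("reflected:", response_reflects_input(body, TAINTED_PATH))
```

The middleware only covers exceptions raised while the wrapped app is called; an app that returns a generator and fails during iteration of the body would need the same handling around that iteration. The `response_reflects_input` check is the kind of assertion worth keeping in an API test suite so that a later change to error handling cannot silently reintroduce the reflection.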