[AAA-265] RESTCONF path segment with encoded forward slash returns 400

Created: 11/Sep/23
Updated: 18/Jan/24
Resolved: 18/Sep/23

Status: Resolved
Project: aaa
Component/s: None
Affects Version/s: 0.18.1
Fix Version/s: 0.16.10, 0.17.12, 0.18.2

Type: Bug Priority: Highest
Reporter: Sangwook Ha Assignee: Robert Varga
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: karaf-debug.log.xz
Issue Links: relates to AAA-264 "Upgrade shiro to 1.12.0" (Resolved)

Description

A RESTCONF request URI with an encoded forward slash (/) returns status code 400 and the request is not processed.

For example,

{
    "servlet": "org.glassfish.jersey.servlet.ServletContainer",
    "message": "Invalid request",
    "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET",
    "status": "400"
}

This appears to be caused by Shiro 0.12.1 adopted by AAA. The version addresses a path traversal attack (CVE-2023-34478) by rejecting URIs with an encoded forward slash.
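The following is an added illustration, not code from the AAA project, Shiro or Jersey. It takes the URL from this report (the circuit-pack key "1/0/1-PLUG-NET" carries its slashes as %2F) and contrasts the two orders in which a router can handle percent-encoding. Splitting on literal "/" before decoding each segment, which is effectively what a JAX-RS resource receiving the path as @Encoded sees, keeps an encoded slash inside its list key. Decoding the whole path first and splitting afterwards lets %2F (or an encoded ".." segment) change the path structure, which is the class of traversal bug a filter such as Shiro's invalidRequest check guards against by rejecting any raw path containing %2F. The has_encoded_slash function is a simplified stand-in for that check, not Shiro's actual logic; all sample paths are constructed.

```python
"""Added example: why an encoded slash in a RESTCONF list key is legitimate
and why a decode-then-route filter must reject it. Not AAA/Shiro/Jersey code."""
from urllib.parse import unquote

# Constructed sample, taken from the URL in this report: the last list key is
# the circuit-pack name "1/0/1-PLUG-NET" with its slashes encoded as %2F.
SAMPLE_URL = (
    "/rests/data/network-topology:network-topology/topology=topology-netconf"
    "/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device"
    "/circuit-packs=1%2F0%2F1-PLUG-NET"
)

# Constructed sample whose key value, once decoded, contains a ".." component.
# As a list key it is just a string; as a path step it would be traversal.
KEY_WITH_DOTDOT_URL = "/rests/data/example:item=a%2F..%2Fb"


def split_then_decode(path: str) -> list[str]:
    """Safe order: split on literal '/' first, then percent-decode each segment.
    An encoded slash stays inside its own segment and cannot add components."""
    return [unquote(seg) for seg in path.split("/") if seg]


def decode_then_split(path: str) -> list[str]:
    """Unsafe order: decode the whole path, then split. Encoded slashes now
    become segment boundaries, so the key "1/0/1-PLUG-NET" turns into three
    path steps and an encoded ".." becomes a real traversal component."""
    return [seg for seg in unquote(path).split("/") if seg]


def has_encoded_slash(raw_path: str) -> bool:
    """Simplified stand-in (assumption, not Shiro's code) for a filter that
    rejects any raw request path still containing an encoded slash."""
    return "%2f" in raw_path.lower()


def parse_restconf_keys(raw_path: str) -> dict[str, str]:
    """Extract {list-name: key-value} pairs, decoding only after splitting,
    so a key may legitimately contain '/' without affecting routing."""
    keys = {}
    for seg in split_then_decode(raw_path):
        if "=" in seg:
            name, value = seg.split("=", 1)
            keys[name] = value
    return keys


def contains_traversal_step(segments: list[str]) -> bool:
    """True if any path *component* (not key value) is '..' after routing."""
    return ".." in segments


if __name__ == "__main__":
    print("split-then-decode:", split_then_decode(SAMPLE_URL)[-1])
    print("decode-then-split:", decode_then_split(SAMPLE_URL)[-3:])
    print("filter would reject:", has_encoded_slash(SAMPLE_URL))
    print("keys:", parse_restconf_keys(SAMPLE_URL))
```

Running it shows the request is safe when segments are split before decoding (the key comes back whole as "1/0/1-PLUG-NET"), while the decode-first order fragments the same key into three components, which is exactly the ambiguity the filter cannot resolve from the raw URI alone.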



Comments
Comment by Robert Varga [ 11/Sep/23 ]

The attached log shows execution of this request.
This is definitely a Not Nice interaction between Shiro and Jersey. We are receiving the request based as @Encoded, hence Jersey knows this is okay, but there is no API surface to communicate this to and from Shiro.

We should be able to disable this filter quirk in a reasonable scope... but that needs further investigation.

Comment by Robert Varga [ 16/Sep/23 ]

So this is fixable at deployment time by putting an "invalidRequest.blockTraversal=false" entry into aaa-app-config.yang's /shiro-configuration/main list.

Comment by Robert Varga [ 16/Sep/23 ]

Also see https://stackoverflow.com/a/77091599

Comment by Venkatrangan Govindarajan [ 21/Sep/23 ]

Shouldn't we disable invalidRequest from aaa by default?

Comment by Robert Varga [ 01/Oct/23 ]

There is one remaining check and that is harmless. RESTCONF is moving away from JAX-RS anyway, so the issue is quite moot.

Generated at Wed Feb 07 19:09:05 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.