[AAA-265] RESTCONF path segment with encoded forward slash returns 400 Created: 11/Sep/23 Updated: 18/Jan/24 Resolved: 18/Sep/23
| Status: | Resolved |
| Project: | aaa |
| Component/s: | None |
| Affects Version/s: | 0.18.1 |
| Fix Version/s: | 0.16.10, 0.17.12, 0.18.2 |
| Type: | Bug | Priority: | Highest |
| Reporter: | Sangwook Ha | Assignee: | Robert Varga |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
A RESTCONF request URI with an encoded forward slash (/) returns status code 400 and the request is not processed. For example:

```json
{
  "servlet": "org.glassfish.jersey.servlet.ServletContainer",
  "message": "Invalid request",
  "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET",
  "status": "400"
}
```

This appears to be caused by Shiro 0.12.1 adopted by AAA. That version addresses a path traversal attack (CVE-2023-34478) by rejecting URIs with an encoded forward slash.
| Comments |
| Comment by Robert Varga [ 11/Sep/23 ] |

The attached log shows execution of this request. We should be able to disable this filter quirk in a reasonable scope... but that needs further investigation.
| Comment by Robert Varga [ 16/Sep/23 ] |

So this is fixable at deployment time by putting an "invalidRequest.blockTraversal=false" entry into aaa-app-config.yang's /shiro-configuration/main list.
| Comment by Robert Varga [ 16/Sep/23 ] |

Also see https://stackoverflow.com/a/77091599
| Comment by Venkatrangan Govindarajan [ 21/Sep/23 ] |

Shouldn't we disable invalidRequest from AAA by default?
| Comment by Robert Varga [ 01/Oct/23 ] |

There is one remaining check and that is harmless. RESTCONF is moving away from JAX-RS anyway, so the issue is quite moot.
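The description and the blockTraversal workaround above both turn on one detail: a filter that percent-decodes the whole URI before splitting it cannot tell a "%2F" inside a RESTCONF list key from a real separator, which is why it refuses such requests. The following is an added illustration, not code from AAA, Shiro or RESTCONF, of the two decoding orders on a constructed URI modelled on the reported one; the function and class names are hypothetical.

```python
from urllib.parse import unquote

# Constructed inputs (not from the issue): the first is modelled on the
# reported RESTCONF URI, whose list key legitimately contains "%2F".
LEGIT_URI = ("/rests/data/network-topology:network-topology"
             "/topology=topology-netconf/node=XPDR-A1/yang-ext:mount"
             "/org-openroadm-device:org-openroadm-device"
             "/circuit-packs=1%2F0%2F1-PLUG-NET")
TRAVERSAL_URI = "/rests/data/%2E%2E/secret"   # "%2E%2E" decodes to ".."


class InvalidRequest(ValueError):
    """Raised for a request the handler refuses (the filter's 400 case)."""


def decode_then_split(path: str) -> list[str]:
    """The order a whole-URI traversal filter has to assume: decoding first
    turns every %2F into a separator, so the key value 1%2F0%2F1-PLUG-NET
    falls apart into three segments and ".." can appear out of nowhere."""
    return unquote(path).split("/")[1:]


def split_then_decode(path: str) -> list[str]:
    """Split on raw '/' BEFORE percent-decoding each segment. An encoded slash
    inside a RESTCONF list key stays inside its segment and can never become
    a path separator, while dot/dot-dot segments are still rejected."""
    if not path.startswith("/"):
        raise InvalidRequest("path must be absolute")
    segments = []
    for raw in path.split("/")[1:]:
        seg = unquote(raw)            # decode exactly once, per segment
        if seg in ("", ".", ".."):    # no empty, dot or dot-dot segments
            raise InvalidRequest(f"rejected segment {raw!r}")
        if "\x00" in seg or "\\" in seg:
            raise InvalidRequest(f"control or backslash in {raw!r}")
        segments.append(seg)
    return segments


def last_key_value(path: str) -> str:
    """Value of the final 'list=key' segment after per-segment decoding."""
    return split_then_decode(path)[-1].split("=", 1)[1]


def is_rejected(path: str) -> bool:
    """True when split_then_decode() refuses the path."""
    try:
        split_then_decode(path)
    except InvalidRequest:
        return True
    return False
```

The per-segment order is only safe as long as downstream code never re-decodes or re-splits a segment it receives; a second decode would reintroduce the problem the filter guards against.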