OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [AAA-265] RESTCONF path segment with encoded forward slash returns 400 https://jira.opendaylight.org/browse/AAA-265 aaa <p>The RESTCONF request URI with encoded forward slash (<tt>/</tt>) returns the status code of 400 and the request is not processed.</p> <p>For example,</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>{ "servlet": "org.glassfish.jersey.servlet.ServletContainer", "message": "Invalid request", "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET", "status": "400" } </pre> </div></div> <p>This appears to be caused by <a href="https://git.opendaylight.org/gerrit/c/aaa/+/107607" class="external-link" target="_blank" rel="nofollow noopener">Shiro 0.12.1 adopted by AAA</a>. <a href="https://shiro.apache.org/blog/2023/07/18/apache-shiro-1120-released.html" class="external-link" target="_blank" rel="nofollow noopener">The version</a> addresses a path traversal attack (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34478" class="external-link" target="_blank" rel="nofollow noopener">CVE-2023-34478</a>) by <a href="https://github.com/apache/shiro/commit/c3ede3f94efb442acb0795714a022c2c121d1da0" class="external-link" target="_blank" rel="nofollow noopener">rejecting URIs with an encoded forward slash</a>.</p> AAA-265 RESTCONF path segment with encoded forward slash returns 400 Bug Highest Resolved Done Robert Varga Sangwook Ha Mon, 11 Sep 2023 18:47:05 +0000 Thu, 18 Jan 2024 17:59:07 +0000 Mon, 18 Sep 2023 15:03:24 +0000 0.18.1 0.16.10 0.17.12 0.18.2 0 6 <p>The attached log shows execution of this request.<br/> This is definitely a Not Nice interaction between Shiro and Jersey. We are receiving the request based as @Encoded, hence Jersey knows this is okay, but there is no API surface to communicate this to and from Shiro.</p> <p>We should be able to disable this filter quirk in a reasonable scope... but that needs further investigation.</p> <p>So this is fixable at deployment time by putting an "invalidRequest.blockTraversal=false" entry into aaa-app-config.yang's /shiro-configuration/main list.</p> <p>Also see <a href="https://stackoverflow.com/a/77091599" class="external-link" target="_blank" rel="nofollow noopener">https://stackoverflow.com/a/77091599</a></p> <p>shouldn't we disable invlidrequest from aaa by default?</p> <p>There is one remaining check and that is harmless. RESTCONF is moving away from JAX-RS anyway, so the issue is quite moot.</p> Relates AAA-264 Development Rank 0|i046hr: