[GeoNetwork-devel] Questions about AngularJS vulnerabilities

Hi everyone,
We are trying to deploy GeoNetwork 3.10.2 to production but need to pass the Acunetix security scan. One of the high risks that we receive is the AngularJS client-side template injection risk (see the report below). This is kind of a known issue in AngularJS. I'm wondering if anyone has encountered this before or has ideas how to resolve this. Any ideas are appreciated. Thank you.

/geonetwork/srv/eng/catalog.signin
Alert group AngularJS client-side template injection
Severity High
Description This web application is vulnerable to AngularJS client-side template injection vulnerability. AngularJS client-side template injection vulnerabilities occur when user-input is dynamically embedded on a page where AngularJS client-side templating is used. By using curly braces it's possible to inject AngularJS expressions in the AngularJS client-side template that is being used by the application. These expressions will be evaluated on the client-side by AngularJS and when combined with a sandbox escape they allow an attacker to execute arbitrary JavaScript code.
Recommendations It should not be possible for an attacker to inject AngularJS expressions by using curly braces. The application needs to either treat curly braces in user input as highly dangerous or avoid server-side reflection of user input entirely.
Alert variants
Details URL encoded GET input view was set to 1me3tq{{1==1}}asgo4. The input was reflected inside an AngularJS template.
GET /geonetwork/srv/eng/catalog.signin?view=1me3tq{{1==1}}asgo4 HTTP/1.1


Zhuoyue Zhou

Hi Zhuoyue

I have tested in a test instance with 3.10.3-SNAPSHOT and I get a 400 error page:

HTTP Status 400 – Bad Request

Type Exception Report

Message Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:479)

org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:684)

But indeed, in other previous versions at least, I get the template code injected, but it seems not to be evaluated:

It makes a request to /geonetwork/static/gn_login_1me3tq%7B%7B1==1%7D%7Dasgo4.css (I would expect 1==1 to be evaluated to TRUE).

In any case, this is something to review further; I would suggest opening an issue in GitHub to track it.

Thanks for reporting this.

Regards,
Jose García


Kind regards,

Jose García


Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664


Hi Jose,
Thanks for your reply.
I checked our application; it was trying to load both /geonetwork/static/gn_login_1me3tq%7B%7B1==1%7D%7Dasgo4.css and /geonetwork/static/gn_login_1me3tqtrueasgo4.css.


I'll create an issue in GitHub.
All the best,


Zhuoyue Zhou
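The thread shows the two halves of the finding: the `view` parameter is reflected into a CSS file name that lives inside an AngularJS-rendered page, and the second request (`gn_login_1me3tqtrueasgo4.css`) confirms that `{{1==1}}` was actually evaluated. The following is an added example, not GeoNetwork's code and not from any post in this thread, of the server-side handling the scanner's recommendation calls for. It assumes the parameter is named `view` (as in the report), that the only legitimate values are short identifiers (the allowlist entries `default` and `print` are constructed sample values), and that the `/geonetwork/static/gn_login_<view>.css` path pattern seen in the thread is what the value is used for. It shows three pieces: a strict allowlist validator, a detector for interpolation markers that can be used to reject or log suspicious requests, and a fallback neutraliser for free text that must be displayed inside an AngularJS template.

```javascript
// Added example (not GeoNetwork code): defensive handling of a request
// parameter that is reflected into an AngularJS-rendered page.
// Assumptions: parameter name "view" (from the scan report); allowlist
// values below are constructed samples; the CSS path pattern mirrors the
// requests observed in the thread.

const VIEW_ALLOWLIST = new Set(["default", "print"]); // constructed sample values
const DEFAULT_VIEW = "default";

// Strict validation: only known view names are accepted; anything else
// (including the scanner's probe "1me3tq{{1==1}}asgo4") falls back to the default.
function validateViewParam(view) {
  return typeof view === "string" && VIEW_ALLOWLIST.has(view) ? view : DEFAULT_VIEW;
}

// Build the stylesheet path only from a validated value, so the reflected
// string can never contain "{{" or "}}".
function buildLoginCssPath(view) {
  return `/geonetwork/static/gn_login_${validateViewParam(view)}.css`;
}

// Detection: does the raw value contain an AngularJS interpolation marker pair?
// Useful for logging or rejecting the request (HTTP 400) before rendering.
// Matches the default {{ }} symbols; adjust if $interpolateProvider
// was configured with custom start/end symbols.
const INTERPOLATION_RE = /\{\{[\s\S]*?\}\}/;
function containsInterpolation(text) {
  return typeof text === "string" && INTERPOLATION_RE.test(text);
}

// Fallback for free text that genuinely has to be shown inside an AngularJS
// template: AngularJS looks for the literal two-character sequences "{{" and
// "}}", so inserting a zero-width space (U+200B) between adjacent braces keeps
// the text visually unchanged while no interpolation marker can form.
// Note that HTML-entity escaping does NOT help here: the browser decodes
// "&#123;" back into "{" in the text node before AngularJS scans it.
function neutralizeInterpolation(text) {
  return text.replace(/\{(?=\{)/g, "{\u200b").replace(/\}(?=\})/g, "}\u200b");
}

// Demonstration on the probe value from the scan report.
function demo() {
  const probe = "1me3tq{{1==1}}asgo4";
  return {
    rejected: containsInterpolation(probe),            // true
    cssPath: buildLoginCssPath(probe),                 // ".../gn_login_default.css"
    neutralized: neutralizeInterpolation(probe),       // braces split by U+200B
    stillInterpolates: containsInterpolation(neutralizeInterpolation(probe)), // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The allowlist is the real fix for a value like `view`, which only ever selects between a handful of stylesheets; the neutraliser is for the rarer case where arbitrary user text must appear in an Angular-rendered region and the markup cannot be wrapped in `ng-non-bindable`. The detector is worth wiring to logging either way, since a request carrying `{{...}}` in a parameter that should be a plain identifier is a clear signal for monitoring.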