Conversation
77e5b5b to 6c454e2
…te_url() Decode URLs before security checks to prevent bypasses via URL encoding. Addresses CRLF injection, XSS, JavaScript protocol, and other attack vectors that could be hidden using percent-encoding (%0d%0a, %3Cscript%3E, etc.).

Changes:
- Add urllib.parse.unquote() at start of validate_url()
- Use decoded_value for all pattern-based security checks:
  - CRLF injection detection
  - XSS/HTML tag detection
  - JavaScript protocol detection
  - Space validation
  - Dangerous URL pattern matching

Structural checks (scheme, IPv6, protocol-relative, length) remain on original value as they validate URL structure, not content.

All 27 injection test vectors now blocked.

Fixes ICACF-19.

Signed-off-by: Jonathan Springer <jps@s390x.com>
…injection bypass Extend percent-encoding defense to all SecurityValidator entry points (validate_no_xss, validate_uri, sanitize_display_text, validate_sql_parameter) and mirror hardening in the plugin framework standalone validator.

Block double-encoded payloads, IIS %uXXXX escapes, JS \uXXXX/\xXX escapes, and invalid UTF-8 overlong sequences.

Add _parse_ip_network_cached for CIDR parsing performance.

Comprehensive regression tests for both core and plugin validators.

Closes #4318

Signed-off-by: Jonathan Springer <jps@s390x.com>
6c454e2 to 9d3d113
🔗 Related Issue

Closes #4318

Jira Issue: https://jsw.ibm.com/browse/ICACF-19

📝 Summary

This PR fixes a security vulnerability in `SecurityValidator.validate_url()` where URL-encoded injection patterns could bypass security checks. The gateway test endpoint and 6 other endpoints were vulnerable to CRLF injection, XSS, and JavaScript protocol injection via percent-encoding.

Root Cause: Security pattern checks operated on the original URL string before decoding, allowing attackers to hide malicious patterns using URL encoding (e.g., `%0d%0a` for CRLF, `%3Cscript%3E` for XSS).

Fix: Added `urllib.parse.unquote()` to decode URLs before all pattern-based security checks while preserving structural validation on the original URL.

Impact: Protects all 7 endpoints using `SecurityValidator.validate_url()` across the codebase from injection attacks.

🏷️ Type of Change

🧪 Verification

- `make lint`
- `make test`
- `make coverage`

Security Testing: All 27 injection test vectors now blocked:

- `\r\n` and encoded `%0d%0a`
- `<script>` and `%3Cscript%3E`
- `javascript:` and `javascript%3A`
- `user:pass` and `user%3Apass`

✅ Checklist

- `make black isort pre-commit`

📓 Notes

Security Impact: This vulnerability allowed attackers to bypass URL validation using percent-encoding. For example:

- `http://example.com/%0d%0aInjected-Header:Exploit` (CRLF injection)
- `http://example.com/%3Cscript%3Ealert(1)%3C/script%3E` (XSS)

Protected Endpoints:

- `/admin/gateways/test`

Implementation Details:

- Decode URLs in `validate_url()` using `urllib.parse.unquote()`
- Use `decoded_value` for all pattern-based security checks

Backward Compatibility: ✅ No breaking changes - all valid URLs continue to work as before.
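The decode-before-check pattern the PR description and commit messages describe, shown as an added example that is not the PR's or the project's own code. It puts the pre-fix behaviour (pattern checks on the raw string) beside the post-fix behaviour (structural checks on the original value, content checks on the decoded value). The function and pattern names are assumptions for illustration; the bounded repeated decoding and the handling of IIS-style `%uXXXX` escapes are one way to cover the double-encoded and `%uXXXX` cases the second commit lists, not a description of the project's implementation.

```python
"""Added example, not the PR's own code: pattern checks must run on the
decoded URL, while structural checks stay on the original value.
Names, regexes and the decoding strategy are illustrative assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

# Content patterns the PR description lists: CRLF, HTML tags, javascript: scheme.
CRLF_RE = re.compile(r"[\r\n]")
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")
JS_PROTO_RE = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)
IIS_UNICODE_RE = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX escapes

MAX_DECODE_ROUNDS = 3  # assumption: bound for double/triple-encoded payloads


def decode_fully(value: str) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded payload such as %253C cannot slip past one unquote() call.
    Also expands %uXXXX escapes, which urllib.parse.unquote() does not touch."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = IIS_UNICODE_RE.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)
        if decoded == current:
            break
        current = decoded
    return current


def content_violations(text: str) -> list[str]:
    """Pattern-based (content) checks shared by both validators below."""
    found = []
    if CRLF_RE.search(text):
        found.append("crlf")
    if HTML_TAG_RE.search(text):
        found.append("html")
    if JS_PROTO_RE.search(text):
        found.append("javascript-protocol")
    return found


def validate_url_before(url: str) -> list[str]:
    """Pre-fix behaviour: checks run on the raw string, so encoded
    payloads never match the patterns and pass through."""
    return content_violations(url)


def validate_url_after(url: str) -> list[str]:
    """Post-fix behaviour: structural checks on the original value,
    content checks on the decoded value. The decoded string is used
    only for checking; the caller keeps working with the original URL."""
    problems = []
    parts = urlsplit(url)  # structural check stays on the original URL
    if parts.scheme not in ("http", "https"):
        problems.append("scheme")
    problems.extend(content_violations(decode_fully(url)))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the two examples from the PR description
    # plus a double-encoded and a %u-encoded variant.
    for sample in (
        "http://example.com/%0d%0aInjected-Header:Exploit",
        "http://example.com/%3Cscript%3Ealert(1)%3C/script%3E",
        "http://example.com/%253Cscript%253E",
        "http://example.com/%u003Cscript%u003E",
        "https://example.com/path?q=a%20b",
    ):
        print(f"{sample}\n  before: {validate_url_before(sample)}"
              f"\n  after:  {validate_url_after(sample)}")
```

Two points the split between the two validators is meant to make: the decoded string exists only to be inspected, never to replace the URL that is stored or forwarded (otherwise the fix would itself change what valid URLs mean), and the decoding loop is bounded so that a deliberately deeply nested encoding cannot turn the check into a CPU sink.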