[CKAN-Security] cross-site scripting issue with email fields
Jörg-Thomas Vogt
joerg-thomas.vogt at yourdata.de
Thu Feb 26 10:03:28 UTC 2015
Hello everybody,

I'm using CKAN 2.2.1 and evaluating CKAN 2.3.

A penetration test raised the following issue: after specifying the following code, e.g. in the author or maintainer email field for a resource,

"><script>alert(document.cookie)</script>

this code will be executed after navigating to the resource (opening a popup with cookie information).

Putting the above code into the field for maintainer name or author name does not lead to code execution.

I'm neither a CKAN expert nor a Python developer, but I suggest checking at least the email fields for proper addresses.

I've added some code to ckan/logic/schema.py and ckan/logic/validators.py to perform some basic checks. After these modifications it's not possible anymore to provide the above script code in an email field, but I'm not sure whether the code will cover all possible XSS attacks.

Kind regards
Thomas
=================== ckan/logic/schema.py ===========
*** schema_2.3.py 2015-02-26 09:56:39.741258600 +0100
--- schema_2.3_patched.py 2015-02-26 10:26:05.493253800 +0100
***************
*** 35,40 ****
--- 35,41 ----
is_positive_integer,
boolean_validator,
user_about_validator,
+ email_validator,
vocabulary_name_validator,
vocabulary_id_not_changed,
vocabulary_id_exists,
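Review bot: this hunk only adds `email_validator` to the names imported from ckan/logic/validators.py, so schema.py will fail at import time unless the validators.py part of the patch is applied in the same change; the two files need to land together.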
***************
*** 142,150 ****
'name': [not_empty, unicode, name_validator,
package_name_validator],
'title': [if_empty_same_as("name"), unicode],
'author': [ignore_missing, unicode],
! 'author_email': [ignore_missing, unicode],
'maintainer': [ignore_missing, unicode],
! 'maintainer_email': [ignore_missing, unicode],
'license_id': [ignore_missing, unicode],
'notes': [ignore_missing, unicode],
'url': [ignore_missing, unicode],#, URL(add_http=False)],
--- 143,151 ----
'name': [not_empty, unicode, name_validator,
package_name_validator],
'title': [if_empty_same_as("name"), unicode],
'author': [ignore_missing, unicode],
! 'author_email': [ignore_missing, email_validator, unicode],
'maintainer': [ignore_missing, unicode],
! 'maintainer_email': [ignore_missing, email_validator, unicode],
'license_id': [ignore_missing, unicode],
'notes': [ignore_missing, unicode],
'url': [ignore_missing, unicode],#, URL(add_http=False)],
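Review bot: `email_validator` returns the submitted value unchanged rather than the address it parsed, so in `'author_email': [ignore_missing, email_validator, unicode]` a value such as `Jane Doe <jane@example.org>` passes the `'@'` check and is stored with the display name and angle brackets intact. Consider storing `parseaddr(value)[1]` or validating the whole string against an address pattern. This is also input filtering only: values already stored in existing datasets are not re-validated, so the template that renders author_email and maintainer_email should escape the value regardless of this change.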
***************
*** 428,434 ****
'name': [not_empty, name_validator, user_name_validator,
unicode],
'fullname': [ignore_missing, unicode],
'password': [user_password_validator,
user_password_not_empty, ignore_missing, unicode],
! 'email': [not_empty, unicode],
'about': [ignore_missing, user_about_validator, unicode],
'created': [ignore],
'openid': [ignore_missing],
--- 429,435 ----
'name': [not_empty, name_validator, user_name_validator,
unicode],
'fullname': [ignore_missing, unicode],
'password': [user_password_validator,
user_password_not_empty, ignore_missing, unicode],
! 'email': [not_empty, email_validator, unicode],
'about': [ignore_missing, user_about_validator, unicode],
'created': [ignore],
'openid': [ignore_missing],
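Review bot: adding `email_validator` to the user schema's `email` field changes behaviour for existing accounts: any stored user email that fails the `'@' in parseaddr(value)[1]` check will now block every update to that user (profile edits, password changes) until the address is corrected. This deserves a check against existing data or at least a note in the release notes.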
***************
*** 473,479 ****
def default_user_invite_schema():
schema = {
! 'email': [not_empty, unicode],
'group_id': [not_empty],
'role': [not_empty],
}
--- 474,480 ----
def default_user_invite_schema():
schema = {
! 'email': [not_empty, email_validator, unicode],
'group_id': [not_empty],
'role': [not_empty],
}
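Review bot: consistent with the user schema hunk above; since the invite flow sends mail to this address, rejecting values without an addr-spec at validation time also avoids a less readable failure later in the mailer. No further change needed here.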
=================== ckan/logic/schema.py ===========
=================== ckan/logic/validators.py ===========
*** validators_2.3.py 2015-02-26 09:57:09.279948100 +0100
--- validators_2.3_patched.py 2015-02-26 10:28:37.267934800 +0100
***************
*** 1,5 ****
--- 1,6 ----
import collections
import datetime
+ from email.utils import parseaddr
from itertools import count
import re
import mimetypes
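Review bot: `email.utils.parseaddr` is a reasonable choice because it understands `Name <addr>` and quoted forms, but it is lenient and will return a non-empty addr-spec for many strings that are not usable addresses, so the function that uses it should still apply a pattern check on the parsed result rather than relying on the presence of `@` alone.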
***************
*** 621,626 ****
--- 622,632 ----
return value
+ def email_validator(value,context):
+ if value and not '@' in parseaddr(value)[1]:
+ raise Invalid(_('Invalid mail address.'))
+ return value
+
def vocabulary_name_validator(name, context):
model = context['model']
session = context['session']
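Review bot: the new function needs both style and logic fixes. Style: two blank lines before `def email_validator(value,context):`, a space after the comma, `'@' not in parseaddr(value)[1]` instead of `not '@' in`, and a docstring like the neighbouring validators. Logic: it returns `value`, not the parsed addr-spec, so whatever `parseaddr` stripped (display name, comments, surrounding brackets) is still stored; returning `parseaddr(value)[1]` after checking it would store a normalised address. The empty parse result `('', '')` is rejected only because `'@' in ''` is false, which works but is worth a comment. The error message assumes `_` is the module's gettext alias.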
=================== ckan/logic/validators.py ===========
--
Joerg-Thomas Vogt
yourdata GmbH, Büchsenstr. 28, 70174 Stuttgart
Tel +49 711 490 448 24, Fax +49 711 490 448 36
joerg-thomas.vogt at yourdata.de, http://www.yourdata.de/
Geschäftsführer: Jörg Vogler, Dr. Markus Eberspächer
Sitz Stuttgart, AG Stuttgart, HRB 725115
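As an added example (not CKAN's code and not part of the original post), the `'@'`-in-parseaddr check from the patch beside a stricter variant that stores only the normalised addr-spec, plus the output-side escaping that makes the rendered field inert independently of validation. `Invalid`, `strict_email_validator`, `render_mailto` and `classify` are stand-ins invented here; the sample inputs are constructed.

```python
from email.utils import parseaddr
import html
import re

# Allowed shape for a bare address: printable local part, dotted hostname. Narrower
# than RFC 5322 (no quoted local parts, no domain literals) so HTML metacharacters
# can never be part of a stored value.
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@"
                        r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                        r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$")


class Invalid(ValueError):
    """Stand-in for ckan.logic.Invalid (hypothetical, for this example)."""


def email_validator(value, context=None):
    """The check as posted: accept any value whose parsed addr-spec has an '@'.
    Returns the submitted value unchanged, display name and all."""
    if value and '@' not in parseaddr(value)[1]:
        raise Invalid('Invalid mail address.')
    return value


def strict_email_validator(value, context=None):
    """Stricter variant: keep only the addr-spec parseaddr extracted and require
    it to match _ADDR_SPEC; the normalised address is what gets stored."""
    if not value:
        return value
    addr = parseaddr(value)[1]
    if not _ADDR_SPEC.match(addr):
        raise Invalid('Invalid mail address.')
    return addr


def render_mailto(addr):
    """Output-side fix: escape before interpolating into attribute and text,
    so a value that never went through validation (old data) is inert."""
    safe = html.escape(addr, quote=True)
    return '<a href="mailto:%s">%s</a>' % (safe, safe)


def classify(value):
    """Run both validators on one input: the stored value, or 'rejected'."""
    result = {}
    for name, fn in (('posted', email_validator), ('strict', strict_email_validator)):
        try:
            result[name] = fn(value)
        except Invalid:
            result[name] = 'rejected'
    return result
```

The posted payload is rejected by both validators, while `Jane Doe <jane@example.org>` shows the difference: the posted check stores the whole string, the strict one stores only `jane@example.org`.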