[CKAN-Security] Possible security issues

SANDBERG David david.sandberg at soprasteria.com
Mon Apr 30 13:42:43 UTC 2018


Dear CKAN security team,

I am working as a consultant developer for a customer in Stockholm, Sweden and using CKAN as my primary platform for storing data. When our security team scanned the applications currently used, they found two potential security issues in the CKAN platform that I would like to ask you about. I am currently using CKAN 2.6.2 but have not seen any release notes for later versions mentioning fixes to these issues. I have also tried searching the Github issues regarding these questions but have not found any answers. Perhaps you can help me clarify some things?


  1.  HTML Injection: The api_info.html file in /ajax_snippets is susceptible to HTML Injection. Example request: http://localhost/api/1/util/snippet/api_info.html?resource_id=00000000-0000-0000-0000-000000000000. Is this file really necessary, since all the APIs are described in detail on the CKAN webpage?
  2.  External links using target='_blank': For example, the Social links present under each dataset have target='_blank', which poses a security risk. I was wondering if there are any plans to provide the possibility to configure this attribute in the config file (or by default add the 'rel=noopener' attribute to tags containing the target='_blank' attribute), or if it's up to the developer to create new templates that override this functionality?

I look forward to your response. Thank you in advance.

Best regards

David SANDBERG
Developer


Sopra Steria
Vasagatan 38
SE-111 20 Stockholm - Sweden
Phone: +46 8 587 650 00
david.sandberg at soprasteria.com - www.soprasteria.se


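Added illustration (not CKAN's code, and not part of the original message) of the two mitigations the report asks about: HTML-escaping the user-supplied resource_id before it is placed in a snippet, and a post-render pass that adds rel="noopener" to every anchor carrying target="_blank". The snippet markup and the sample "social links" HTML are constructed stand-ins, not CKAN's templates.

```python
from html import escape
from html.parser import HTMLParser


def render_api_info(resource_id: str) -> str:
    # Constructed stand-in for the snippet: the user-controlled id is escaped
    # before it lands in the markup, so any tags in the value become inert text.
    safe_id = escape(resource_id, quote=True)
    return f"<code>resource_id={safe_id}</code>"


class NoopenerRewriter(HTMLParser):
    """Re-emits HTML, adding rel="noopener" to <a target="_blank"> that lack it."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: handle_data gets decoded text
        self.out, self.rewritten = [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and (attrs.get("target") or "").lower() == "_blank":
            rel = (attrs.get("rel") or "").split()
            if "noopener" not in (t.lower() for t in rel):
                attrs["rel"] = " ".join(rel + ["noopener"])
                self.rewritten += 1
        parts = [f'{k}="{escape(v, quote=True)}"' if v is not None else k
                 for k, v in attrs.items()]
        self.out.append("<" + " ".join([tag] + parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # re-escape decoded text


def add_noopener(html: str):
    """Return (rewritten_html, number_of_links_fixed)."""
    p = NoopenerRewriter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.rewritten


# Constructed sample of "social" links as they might appear under a dataset.
SAMPLE_LINKS = ('<a href="https://twitter.com/share?u=1" target="_blank">Tweet</a> '
                '<a href="/dataset/x">Local</a>')

if __name__ == "__main__":
    print(render_api_info("<script>x</script>"))
    print(add_noopener(SAMPLE_LINKS))
```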
