[CKAN-Security] [ckan-dev] New patch releases, next Wednesday 3rd July

Cam Findlay Cam.Findlay at dia.govt.nz
Thu Jul 18 22:44:39 UTC 2019


Sure I’ll give you the issue and steps to reproduce (we have a patch also):

Precondition is CKAN + DCAT module that is adding json-ld into the markup.

Steps to reproduce are:

  1.  Log in to CKAN, add a dataset and progress to adding a resource.
  2.  While filling in the resource, in the file type add one of your standard XSS checks, e.g. <script>alert(‘XSS’);</script>
  3.  Save so that the injectable js is now the file type.
  4.  Visit that dataset page
  5.  You’ll get the alert (or any other js you injected will be executed).

The patch we have put in is simple and just escapes the json before it's output to the page.

diff --git a/ckanext/dcat/utils.py b/ckanext/dcat/utils.py
index be619cb..79356f2 100644
--- a/ckanext/dcat/utils.py
+++ b/ckanext/dcat/utils.py
@@ -1,6 +1,7 @@
import logging
import uuid
import json
+import cgi
 from ckantoolkit import config, h
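Review bot: `cgi.escape` is a weak choice for the new import in this hunk if the fix is ever forward-ported: it is deprecated in Python 3 and removed in 3.8, and its default `quote=False` leaves double quotes untouched. If HTML entity escaping is really what is wanted, `html.escape` (with a `cgi.escape` fallback on Python 2) is the usual replacement.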
@@ -100,8 +101,8 @@ def structured_data(dataset_id, profiles=None, _format='jsonld'):
     # parse result again to prevent UnicodeDecodeError and add formatting
     try:
         json_data = json.loads(data)
-        return json.dumps(json_data, sort_keys=True,
-                          indent=4, separators=(',', ': '))
+        return cgi.escape(json.dumps(json_data, sort_keys=True,
+                          indent=4, separators=(',', ': ')))
     except ValueError:
         # result was not JSON, return anyway
         return data
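Review bot: the `cgi.escape(...)` wrapped around `json.dumps` is the wrong kind of escaping if this string is emitted inside a `<script type="application/ld+json">` block, which is the normal way JSON-LD is embedded in markup: browsers do not decode entities inside script content, so `&lt;` and `&gt;` reach structured-data consumers as literal text and corrupt the values, while a plain `<` in a string is what lets `</script>` terminate the block. The usual fix is JSON-level escaping, replacing `<`, `>` and `&` with `\u003c`, `\u003e` and `\u0026` after `json.dumps`, which neutralises the markup and keeps the output valid JSON. Separately, the `except ValueError` branch still does `return data` unescaped, so any non-JSON output from the serializer would reach the page untouched; the fallback should be escaped the same way or replaced with an empty result.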



Hopefully something you can fix easily just might need some comms about the exploit.


Cam Findlay | Lead Product Owner | Government Information Services
The Department of Internal Affairs Te Tari Taiwhenua
DDI: +64 4 819 8968 | Extn: 4351 | Mobile: +64 21 263 0351
www.data.govt.nz<http://www.data.govt.nz/>

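As an added illustration of the escaping question raised by this report (example code, not code from CKAN or ckanext-dcat): JSON-LD placed inside a `<script type="application/ld+json">` block needs JSON-level escaping of `<`, `>` and `&`, because HTML entities are not decoded inside script content. The dataset below is a constructed fixture carrying the kind of value described in the steps to reproduce; `json_for_script` and `html_entity_escaped` are names chosen here for the two approaches.

```python
import html
import json

# Constructed fixture (not real catalogue data): a distribution whose format
# field carries the kind of markup the report describes.
SAMPLE_DATASET = {
    "@context": "http://schema.org",
    "@type": "Dataset",
    "name": "example dataset",
    "distribution": [{
        "@type": "DataDownload",
        "encodingFormat": "<script>alert('XSS');</script>",
    }],
}

# JSON string escapes for the characters that must never appear literally
# inside a <script> block. Because JSON syntax itself never uses < > or &,
# these only ever occur inside string values, so replacing them keeps the
# document valid JSON and json.loads() restores the original characters.
_SCRIPT_SAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def _dump(obj):
    # Same formatting options as the function in the report.
    return json.dumps(obj, sort_keys=True, indent=4, separators=(",", ": "))


def json_for_script(obj):
    """Serialise obj so it can be embedded in <script type="application/ld+json">."""
    return "".join(_SCRIPT_SAFE.get(ch, ch) for ch in _dump(obj))


def html_entity_escaped(obj):
    """The entity-escaping approach: safe against the injection, but the
    entities are not decoded inside script content, so consumers see them."""
    return html.escape(_dump(obj), quote=False)


def script_tag(obj):
    """Full JSON-LD block ready to drop into a page."""
    return '<script type="application/ld+json">%s</script>' % json_for_script(obj)


def contains_raw_markup(text):
    """True if the serialised text could still break out of a script block."""
    return any(ch in text for ch in "<>&")


def round_trips(text, obj):
    """True if a JSON consumer reading `text` recovers exactly `obj`."""
    try:
        return json.loads(text) == obj
    except ValueError:
        return False
```

Both approaches stop the injected `</script>` from reaching the browser as markup, but only the JSON-level escaping leaves the structured data intact for consumers that parse the block.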


From: Adrià Mercader <adria.mercader at okfn.org>
Sent: Thursday, 18 July 2019 10:26 PM
To: Cam Findlay <Cam.Findlay at dia.govt.nz>
Cc: security at ckan.org
Subject: Re: [ckan-dev] New patch releases, next Wednesday 3rd July

Sorry Cam, maybe your original message got lost in the moderation queue, would you mind submitting it again?


On Thu, 18 Jul 2019 at 06:55, Cam Findlay <Cam.Findlay at dia.govt.nz<mailto:Cam.Findlay at dia.govt.nz>> wrote:
Hi again Adrià,

Just to let you know I touched base with the security email you suggested but we've heard nothing back.

We have an XSS issue to raise in CKAN when used alongside the DCAT module and outputting json-ld into the markup.

Happy to share the steps to replicate if you like. We've put a fix in our product and happy to do a more coordinated disclosure with you folk to give people time to patch (literally a 1 line fix to escape the generated json).


Many thanks,

Cam Findlay | Lead Product Owner | Government Information Services
The Department of Internal Affairs Te Tari Taiwhenua
DDI: +64 4 819 8968 | Extn: 4351 | Mobile: +64 21 263 0351
www.data.govt.nz<http://www.data.govt.nz>






-----Original Message-----
From: Adrià Mercader <adria.mercader at okfn.org<mailto:adria.mercader at okfn.org>>
Sent: Thursday, 27 June 2019 7:54 PM
To: Cam Findlay <Cam.Findlay at dia.govt.nz<mailto:Cam.Findlay at dia.govt.nz>>
Subject: Re: [ckan-dev] New patch releases, next Wednesday 3rd July

Hi Cam,

Thanks for reaching out. The release branches that will eventually become the patch releases are the dev-v2.X ones. I can also provide debian packages for these if you'd like.

To discuss security related issues please reach out to security at ckan.org<mailto:security at ckan.org>, which forwards privately to the tech team.

Best,

Adrià

On Thu, 27 Jun 2019 at 01:07, Cam Findlay <Cam.Findlay at dia.govt.nz<mailto:Cam.Findlay at dia.govt.nz>> wrote:
>
> Hi Adrià,
>
>
>
> Cam here from data.govt.nz<http://data.govt.nz> (been a while since we touched base via GitHub!).
>
>
>
> Are you staging these patch releases somewhere on a release candidate branch we can have a pre look at what’s in the box?
>
>
>
> Also, just to let you know we’ve just run a pen test over our implementation of CKAN and have found a potential vulnerability in ckan/ckan core.
>
>
>
> What is the best way to do a coordinated disclosure with you?
>
>
>
> C.
>
>
>
>
>
>
>
> From: Cam Findlay <cam at camfindlay.com<mailto:cam at camfindlay.com>>
> Sent: Thursday, 27 June 2019 11:03 AM
> To: Cam Findlay <Cam.Findlay at dia.govt.nz<mailto:Cam.Findlay at dia.govt.nz>>
> Subject: Fwd: [ckan-dev] New patch releases, next Wednesday 3rd July
>
>
>
>
>
> ---------- Forwarded message ---------
> From: Adrià Mercader <adria.mercader at okfn.org<mailto:adria.mercader at okfn.org>>
> Date: Wed, 26 Jun 2019 at 21:45
> Subject: [ckan-dev] New patch releases, next Wednesday 3rd July
> To: CKAN Development Discussions <ckan-dev at lists.okfn.org<mailto:ckan-dev at lists.okfn.org>>,
> <ckan-announce at lists.okfn.org<mailto:ckan-announce at lists.okfn.org>>
>
>
>
> Hi all,
>
> Next Wednesday 3rd July around 13:00 UTC (15:00 CEST, 09:00 EST) we
> will be releasing patch releases for the following previous versions:
>
> 2.8.x -> 2.8.3
> 2.7.x -> 2.7.6
> 2.6.x -> 2.6.8
>
> Users are strongly encouraged to always run on the latest patch
> release for their version, as these include important security and
> stability fixes. The latest patch release is the only one supported by
> the CKAN team (patch releases don't contain backwards incompatible
> changes and upgrading should be straightforward).
>
> More information about CKAN releases can be found here:
>
> http://docs.ckan.org/en/latest/maintaining/upgrading/index.html#ckan-releases
>
> Best,
>
> Adrià
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org<mailto:ckan-dev at lists.okfn.org>
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev