[CKAN-Security] [ckan-dev] New patch releases, next Wednesday 3rd July

Adrià Mercader adria.mercader at okfn.org
Fri Jul 19 09:30:09 UTC 2019


Hi Cam,

Thanks for this. Luckily this needs to be fixed in ckanext-dcat so we can
patch it straight away. I'm CC'ing Stefan, who is a fellow maintainer of
ckanext-dcat, to keep him in the loop.

Adrià

On Fri, 19 Jul 2019 at 00:44, Cam Findlay <Cam.Findlay at dia.govt.nz> wrote:

> Sure, I’ll give you the issue and steps to reproduce (we have a patch also):
>
> Precondition is CKAN + DCAT module that is adding JSON-LD into the markup.
>
> Steps to reproduce are:
>
>    1. Log in to CKAN, add a dataset and progress to adding a resource.
>    2. While filling in the resource, in the file type field add one of your
>    standard XSS checks, e.g. <script>alert(‘XSS’);</script>
>    3. Save so that the injectable JS is now the file type.
>    4. Visit that dataset page.
>    5. You’ll get the alert (or any other JS you injected will be
>    executed).
>
> The patch we have put in is simple and just escapes the JSON before it is
> output to the page.
>
> diff --git a/ckanext/dcat/utils.py b/ckanext/dcat/utils.py
>
> index be619cb..79356f2 100644
>
> --- a/ckanext/dcat/utils.py
>
> +++ b/ckanext/dcat/utils.py
>
> *@@ -1,6 +1,7 @@*
>
> import logging
>
> import uuid
>
> import json
>
> +import cgi
>
>  from ckantoolkit import config, h
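Review bot: `import cgi` is added only for `cgi.escape`, which is deprecated since Python 3.2 and removed in Python 3.8, so this line will raise at import time on current Python; if the code has to run on Python 3, `html.escape(s, quote=False)` gives the same behaviour as `cgi.escape(s)` (only `&`, `<` and `>` are replaced), or better, drop the HTML-level escaping and do the escaping at the JSON level in `structured_data()` so the module does not need `cgi` at all.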
>
> *@@ -100,8 +101,8 @@* def structured_data(dataset_id, profiles=None,
> _format='jsonld'):
>
>      # parse result again to prevent UnicodeDecodeError and add formatting
>
>      try:
>
>          json_data = json.loads(data)
>
> -        return json.dumps(json_data, sort_keys=True,
>
> -                          indent=4, separators=(',', ': '))
>
> +        return cgi.escape(json.dumps(json_data, sort_keys=True,
>
> +                          indent=4, separators=(',', ': ')))
>
>      except ValueError:
>
>          # result was not JSON, return anyway
>
>          return data
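Review bot: the `except ValueError` branch at the end of this hunk still does `return data` unescaped, so any result that the `json.loads(data)` re-parse rejects is written to the page exactly as before the patch; either escape in that branch as well or return an empty string rather than raw non-JSON data. Separately, HTML entity escaping is the wrong primitive if this return value is inserted into a `<script type="application/ld+json">` element: browsers do not decode entities inside script content, so a legitimate `&` in a dataset URL is emitted as `&amp;` and reaches JSON-LD consumers verbatim. Replacing `<`, `>` and `&` in the `json.dumps(...)` output with `\u003c`, `\u003e` and `\u0026` keeps the output valid JSON, stops `</script>` from terminating the element, and avoids `cgi.escape` altogether.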
>
> Hopefully something you can fix easily; it just might need some comms about
> the exploit.
>
> Cam Findlay | Lead Product Owner | Government Information Services
>
> The Department of Internal Affairs Te Tari Taiwhenua
>
> DDI: +64 4 819 8968 | Extn: 4351 | Mobile: +64 21 263 0351
>
> www.data.govt.nz
>
> *From:* Adrià Mercader <adria.mercader at okfn.org>
> *Sent:* Thursday, 18 July 2019 10:26 PM
> *To:* Cam Findlay <Cam.Findlay at dia.govt.nz>
> *Cc:* security at ckan.org
> *Subject:* Re: [ckan-dev] New patch releases, next Wednesday 3rd July
>
> Sorry Cam, maybe your original message got lost in the moderation queue,
> would you mind submitting it again?
>
> On Thu, 18 Jul 2019 at 06:55, Cam Findlay <Cam.Findlay at dia.govt.nz> wrote:
>
> Hi again Adrià,
>
> Just to let you know I touched base with the security email you suggested
> but we've heard nothing back.
>
> We have an XSS issue to raise in CKAN when used alongside the DCAT module
> and outputting json-ld into the markup.
>
> Happy to share the steps to replicate if you like. We've put a fix in our
> product and happy to do a more coordinated disclosure with you folk to give
> people time to patch (literally a 1 line fix to escape the generated json).
>
>
> Many thanks,
>
> Cam Findlay | Lead Product Owner | Government Information Services
> The Department of Internal Affairs Te Tari Taiwhenua
> DDI: +64 4 819 8968 | Extn: 4351 | Mobile: +64 21 263 0351
> www.data.govt.nz
>
> -----Original Message-----
> From: Adrià Mercader <adria.mercader at okfn.org>
> Sent: Thursday, 27 June 2019 7:54 PM
> To: Cam Findlay <Cam.Findlay at dia.govt.nz>
> Subject: Re: [ckan-dev] New patch releases, next Wednesday 3rd July
>
> Hi Cam,
>
> Thanks for reaching out. The release branches that will eventually become
> the patch releases are the dev-v2.X ones. I can also provide Debian packages
> for these if you'd like.
>
> To discuss security related issues please reach out to security at ckan.org,
> which forwards privately to the tech team
>
> Best,
>
> Adrià
>
> On Thu, 27 Jun 2019 at 01:07, Cam Findlay <Cam.Findlay at dia.govt.nz> wrote:
> >
> > Hi Adrià,
> >
> > Cam here from data.govt.nz (been a while since we touched base via
> > GitHub!).
> >
> > Are you staging these patch releases somewhere on a release candidate
> > branch we can have a pre-look at what’s in the box?
> >
> > Also, just to let you know we’ve just run a pen test over our
> > implementation of CKAN and have found a potential vulnerability in
> > ckan/ckan core.
> >
> > What is the best way to do a coordinated disclosure with you?
> >
> > C.
> >
> > From: Cam Findlay <cam at camfindlay.com>
> > Sent: Thursday, 27 June 2019 11:03 AM
> > To: Cam Findlay <Cam.Findlay at dia.govt.nz>
> > Subject: Fwd: [ckan-dev] New patch releases, next Wednesday 3rd July
> >
> > ---------- Forwarded message ---------
> > From: Adrià Mercader <adria.mercader at okfn.org>
> > Date: Wed, 26 Jun 2019 at 21:45
> > Subject: [ckan-dev] New patch releases, next Wednesday 3rd July
> > To: CKAN Development Discussions <ckan-dev at lists.okfn.org>,
> > <ckan-announce at lists.okfn.org>
> >
> > Hi all,
> >
> > Next Wednesday 3rd July around 13:00 UTC (15:00 CEST, 09:00 EST) we
> > will be releasing patch releases for the following previous versions:
> >
> > 2.8.x -> 2.8.3
> > 2.7.x -> 2.7.6
> > 2.6.x -> 2.6.8
> >
> > Users are strongly encouraged to always run on the latest patch
> > release for their version, as these include important security and
> > stability fixes. The latest patch release is the only one supported by
> > the CKAN team (patch releases don't contain backwards incompatible
> > changes and upgrading should be straightforward).
> >
> > More information about CKAN releases can be found here:
> >
> > http://docs.ckan.org/en/latest/maintaining/upgrading/index.html#ckan-releases
> >
> > Best,
> >
> > Adrià
> > _______________________________________________
> > ckan-dev mailing list
> > ckan-dev at lists.okfn.org
> > https://lists.okfn.org/mailman/listinfo/ckan-dev
> > Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
>
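The following is an added example, not code from the thread or from ckanext-dcat, illustrating the difference between the HTML entity escaping in Cam's patch and escaping at the JSON level when JSON-LD is embedded in a page. It assumes the template wraps the output in a <script type="application/ld+json"> element (the thread only says the JSON-LD goes into the markup); the dataset, the resource "format" payload and the function names (render_vulnerable, render_entity_escaped, dumps_for_script, render_hardened, closes_script_early, parse_script_body) are constructed for this example. html.escape(s, quote=False) stands in for cgi.escape(s), which escapes the same three characters.

```python
import html
import json

# Assumed wrapper: how a template would embed the structured_data() output.
SCRIPT_OPEN = '<script type="application/ld+json">'
SCRIPT_CLOSE = '</script>'

# Constructed sample dataset. encodingFormat is the attacker-controlled file
# type from the reproduction steps; the url carries a legitimate '&'.
SAMPLE_DATASET = {
    "@context": "http://schema.org",
    "@type": "Dataset",
    "name": "Example dataset",
    "url": "https://example.org/dataset/1?a=1&b=2",
    "distribution": [{
        "@type": "DataDownload",
        "encodingFormat": "</script><script>alert('XSS');</script>",
    }],
}


def dumps_pretty(data):
    """Same json.dumps() options as structured_data() in the quoted patch."""
    return json.dumps(data, sort_keys=True, indent=4, separators=(',', ': '))


def render_vulnerable(data):
    """Pre-patch behaviour: raw JSON straight into the script element."""
    return SCRIPT_OPEN + dumps_pretty(data) + SCRIPT_CLOSE


def render_entity_escaped(data):
    """The posted patch: HTML entity escaping of the JSON text.
    html.escape(..., quote=False) replaces exactly what cgi.escape() did: & < >."""
    return SCRIPT_OPEN + html.escape(dumps_pretty(data), quote=False) + SCRIPT_CLOSE


def dumps_for_script(data):
    """JSON-level escaping (assumed hardened variant, not ckanext-dcat's code):
    the result is still valid JSON, but no literal '<', '>' or '&' survives,
    so '</script>' cannot close the element and no HTML entity is introduced."""
    return (dumps_pretty(data)
            .replace('&', '\\u0026')
            .replace('<', '\\u003c')
            .replace('>', '\\u003e'))


def render_hardened(data):
    return SCRIPT_OPEN + dumps_for_script(data) + SCRIPT_CLOSE


def script_body(markup):
    """The text the browser treats as the script element's content."""
    return markup[len(SCRIPT_OPEN):-len(SCRIPT_CLOSE)]


def closes_script_early(markup):
    """True if the HTML parser would end the element before our closing tag.
    Inside <script> the tokenizer looks only for '</script', never for entities."""
    return '</script' in script_body(markup).lower()


def parse_script_body(markup):
    """What a JSON-LD consumer sees. Browsers do not entity-decode script
    content, so the body is parsed as-is; returns None if it is not valid JSON."""
    try:
        return json.loads(script_body(markup))
    except ValueError:
        return None


if __name__ == '__main__':
    for name, render in [('vulnerable', render_vulnerable),
                         ('entity-escaped', render_entity_escaped),
                         ('hardened', render_hardened)]:
        markup = render(SAMPLE_DATASET)
        parsed = parse_script_body(markup)
        print('%-15s closes early: %-5s  data intact: %s'
              % (name, closes_script_early(markup), parsed == SAMPLE_DATASET))
```

Run stand-alone, the vulnerable rendering lets the payload close the script element, the entity-escaped rendering stops that but hands consumers a URL containing "&amp;" and a format string full of "&lt;" sequences, and the JSON-level variant does neither: it round-trips to the original dataset through json.loads. The entity-escaped variant is therefore a correct stop-gap against the reported XSS but silently changes the published structured data.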

