fix(frontend): Patch Artifact Storage Key XSS Vulnerability. Fixes #12670 #12671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

JerT33 wants to merge 1 commit into kubeflow:master from JerT33:feat/patch_storage_key_xss

+38 −0

frontend/server/handlers/artifacts.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,7 @@ import { @@
       findFileOnPodVolume,
       parseJSONString,
       isAllowedResourceName,
+      isAllowedObjectKey,
     } from '../utils';
     import { createMinioClient, getObjectStream } from '../minio-helper';
     import * as serverInfo from '../helpers/server-info';
@@ Expand Down Expand Up / @@ -124,6 +125,10 @@ export function getArtifactsHandler({ @@
           res.status(500).send('Storage key is missing from artifact request');
           return;
         }
+        if (!isAllowedObjectKey(key)) {
+          res.status(500).send('Invalid object key');
+          return;
+        }
         console.log(`Getting storage artifact at: ${source}: ${bucket}/${key}`);
         let client: MinioClient;
@@ Expand Down @@

frontend/server/integration-tests/artifact-get.test.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -838,6 +838,35 @@ describe('/artifacts', () => { @@
             .get(`/artifacts/get?source=volume&bucket=artifact&key=subartifact/notxist.csv`)
             .expect(500, 'Failed to open volume.', done);
         });
+        it('rejects keys with encoded XSS payloads', done => {
+          const configs = loadConfigs(argv, {
+            AWS_ACCESS_KEY_ID: 'aws123',
+            AWS_SECRET_ACCESS_KEY: 'awsSecret123',
+          });
+          app = new UIServer(configs);
+          const request = requests(app.start());
+          request
+            .get(
+              '/artifacts/get?source=s3&namespace=test&peek=256&bucket=ml-pipeline&key=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
+            )
+            .expect(500, 'Invalid object key', done);
+        });
+        it('rejects keys with repeated unsafe characters', done => {
+          const configs = loadConfigs(argv, {
+            AWS_ACCESS_KEY_ID: 'aws123',
+            AWS_SECRET_ACCESS_KEY: 'awsSecret123',
+          });
+          app = new UIServer(configs);
+          const request = requests(app.start());
+          request
+            .get(
+              '/artifacts/get?source=s3&namespace=test&peek=256&bucket=ml-pipeline&key=' +
+                '%2b['.repeat(300),
+            )
+            .expect(500, 'Invalid object key', done);
+        });
       });
       describe('/:source/:bucket/:key', () => {
@@ Expand Down @@

frontend/server/utils.ts

-Original file line number
+Diff line change
@@ Expand Up @@
     export function isAllowedResourceName(name: string): boolean {
       return name.length > 0 && name.length <= 63 && /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/.test(name);
     }
+    export function isAllowedObjectKey(key: string): boolean {
+      return key.length > 0 && key.length <= 1024 && /^[a-zA-Z0-9\/\-_.]+$/.test(key);
+    }

Provide feedback