Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding Check Against Injection Attacks #2619

Merged
merged 6 commits into from Jan 11, 2024
Merged

Adding Check Against Injection Attacks #2619

merged 6 commits into from Jan 11, 2024

Conversation

FuPingFranco
Copy link
Contributor

Description

Add a check in ID.Web to check for the presence of '&' for assertion and sub-assertion in ExtraQueryParameters dictionary.

@FuPingFranco FuPingFranco marked this pull request as ready for review January 10, 2024 03:15
MZOLN
MZOLN reviewed Jan 10, 2024
View reviewed changes
Copy link

@MZOLN MZOLN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a DID security fix am I correct?
If it is, we should be using whitelisting vs black listing.
Your comment in the function suggests that you perform (paraphrasing) "checks to ensure that assertions do not contain unsupported characters" but the implementation only checks for "&". There could be other characters or representation of characters that cause issue.

If we are discussing a security feature, the best approach is to whitelist vs blacklist, thus validate if each character in the assertion is in the expected range (for example A-z0-9) vs check if it contains unexpected characters.

jmprieur
jmprieur reviewed Jan 10, 2024
View reviewed changes
Copy link
Collaborator

@jmprieur jmprieur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still don't understand the logic in CheckAssertionsForInjectionAttempt

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs Outdated Show resolved Hide resolved
@FuPingFranco
Copy link
Contributor Author

This looks like a DID security fix am I correct? If it is, we should be using whitelisting vs black listing. Your comment in the function suggests that you perform (paraphrasing) "checks to ensure that assertions do not contain unsupported characters" but the implementation only checks for "&". There could be other characters or representation of characters that cause issue.

If we are discussing a security feature, the best approach is to whitelist vs blacklist, thus validate if each character in the assertion is in the expected range (for example A-z0-9) vs check if it contains unexpected characters.

Good point, I just did this check based on this PR https://identitydivision.visualstudio.com/DevEx/_git/Microsoft-IdentityModel-S2S/pullrequest/9985?_a=files&path=/src/Microsoft.IdentityModel.S2S.Tokens/TokenManager.cs I'll get more details to ensure I have a more complete solution. Thanks Marcin!

@FuPingFranco
Copy link
Contributor Author

This looks like a DID security fix am I correct? If it is, we should be using whitelisting vs black listing. Your comment in the function suggests that you perform (paraphrasing) "checks to ensure that assertions do not contain unsupported characters" but the implementation only checks for "&". There could be other characters or representation of characters that cause issue.

If we are discussing a security feature, the best approach is to whitelist vs blacklist, thus validate if each character in the assertion is in the expected range (for example A-z0-9) vs check if it contains unexpected characters.

@MZOLN Could you open a new issues with a bit more details? I would like to close this task with the current defined scope. Thanks Marcin!

jennyf19
jennyf19 approved these changes Jan 11, 2024
View reviewed changes
Copy link
Collaborator

@jennyf19 jennyf19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@FuPingFranco FuPingFranco merged commit 15de647 into master Jan 11, 2024
4 checks passed
@FuPingFranco FuPingFranco deleted the francofung/Add_Check_Against_Injection_Attack branch January 11, 2024 22:23
@jennyf19
Copy link
Collaborator

@FuPingFranco please create an issue in Id Web for this for easier tracking and link to the follow-up PR I did as well. thanks. #2639

@FuPingFranco FuPingFranco mentioned this pull request Jan 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MZOLN MZOLN MZOLN left review comments

@jmprieur jmprieur jmprieur approved these changes

@jennyf19 jennyf19 jennyf19 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@FuPingFranco @jennyf19 @jmprieur @MZOLN