Pentest 2023: Review the invitation strategy to avoid HTML injection vulnerability

Description

PRDE - Story default text according to the team DoR (Definition of Ready)

01 - STAKEHOLDER (PERSON THAT CAN VALIDATE AND ANSWER QUESTIONS):
02 - PROBLEM (WHAT'S THE CURRENT PROBLEM SCENARIO OR PAIN TO BE RESOLVED?):

In addition to the problem reported in this card, another point of vulnerability was found that can be exploited with less risk, although with the same degree of severity.

Endpoint /api/v3/users/invites

03 - GOAL (DESCRIBE THE PROPOSED SOLUTION):

In order to resolve this vulnerability we must:

  • Review the strategy applied for sending invitations by email, blocking the possibility of HTLM customization by endpoint callers.
  • Understand the side effect and eventual communication with internal teams.

04 - WHO CAN USE THIS FEATURE (USER ROLES):
05 - ASSETS (FIGMA LINKS, RELEVANT DOCUMENTATION LINKS, JSON EXAMPLES, ETC):
06 - ACCEPTANCE CRITERIA:

  • Avoid HTML and URL injection through our endpoint. We should have all HTML and link to redirect the user when he accepts the invitation defined by the platform.
    • Ignore the parameter related to html and consider the default template internally defined

Ps.: On

we handled the ability to inject HTML and URL when reseting the password. This issue ( PRDE-3445 Done ) has the goal to review the same ability on the flow to invite users. The invitation flow is authenticated.

  • For this card we’re going to:
    • Only allow CAROL_ADMINs to modify mail templates
    • Validate the url based on our cors filters.

Activity

Automation for Jira 18 March 2024, 15:04 Jira Internal Users

This issue was automatically transitioned to REGRESSION, as its PR was just merged into qa branch in Github.

Automation for Jira 18 March 2024, 15:04 Jira Internal Users

This issue was automatically transitioned to REGRESSION, as its PR was just merged into qa branch in Github.

Automation for Jira 18 March 2024, 15:03 Jira Internal Users

This issue was automatically transitioned to REGRESSION, as its PR was just merged into qa branch in Github.

Automation for Jira 15 March 2024, 12:40 Jira Internal Users

This issue was automatically transitioned to TESTED & MERGED, as its PR was just merged into develop branch in Github. PR Approved by lucasnoetzold,douglascoimbra.

Automation for Jira 1 March 2024, 19:01 Jira Internal Users

@MARCOS STUMPF ,
@Pedro Buzzi , @Gabriel DAmore Marciano , @Douglas Coimbra Lopes , @Lucas Noetzold

This issue was planned to be delivered until 2024-03-25. You can check that by consulting the issue in the Due Date field.

Dates already planned for this issue: 2024-03-01, 2024-03-25

If External Issue Link field is filled, customer was also informed on JIRA TOTVS.

Douglas Coimbra Lopes 23 February 2024, 15:58 Jira Internal Users

@Jonathan Willian Moraes @Moises Jose Soares Filho @Gabriel DAmore Marciano This card has been validated by the QA team.

Automation for Jira 23 February 2024, 15:58 Jira Internal Users

Github user douglascoimbra has just approved a PR (added as Shard Assignee in this Jira issue).

fix: https://totvslabs.atlassian.net/browse/CAPL-5546#icft=CAPL-5546 Pentest invite email

Douglas Coimbra Lopes 23 February 2024, 15:57 Jira Internal Users

CAROL ADMIN ALLOWED

INVALID URL

VALID EMAIL

Automation for Jira 23 February 2024, 13:46 Jira Internal Users

This issue was automatically transitioned to QA REVIEW, as its PR was just approved in Github.

Automation for Jira 23 February 2024, 12:52 Jira Internal Users

@MARCOS STUMPF ,
@Gabriel DAmore Marciano ,

This issue was planned to be delivered until 2024-03-01. You can check that by consulting the issue in the Due Date field.

Dates already planned for this issue: 2024-03-01

If External Issue Link field is filled, customer was also informed on JIRA TOTVS.