Pentest 2023: Review the invitation strategy to avoid HTML injection vulnerability

Description

PRDE - Story default text according to the team DoR (Definition of Ready)

01 - STAKEHOLDER (PERSON THAT CAN VALIDATE AND ANSWER QUESTIONS):
02 - PROBLEM (WHAT'S THE CURRENT PROBLEM SCENARIO OR PAIN TO BE RESOLVED?):

In addition to the problem reported in this card, another vulnerable point was found that can be exploited with less risk, although with the same degree of severity.

Endpoint /api/v3/users/invites

03 - GOAL (DESCRIBE THE PROPOSED SOLUTION):

In order to resolve this vulnerability we must:

  • Review the strategy applied for sending invitations by email, blocking the possibility of HTML customization by endpoint callers.
  • Understand the side effects and any communication needed with internal teams.

04 - WHO CAN USE THIS FEATURE (USER ROLES):
05 - ASSETS (FIGMA LINKS, RELEVANT DOCUMENTATION LINKS, JSON EXAMPLES, ETC):
06 - ACCEPTANCE CRITERIA:

  • Avoid HTML and URL injection through our endpoint. Both the HTML body and the link that redirects the user when they accept the invitation should be defined by the platform, not by the caller.
    • Ignore the parameter related to HTML and use the default template defined internally.

Ps.: On

we handled the ability to inject HTML and URL when resetting the password. This issue (PRDE-3445 Done) has the goal of reviewing the same ability in the flow that invites users. The invitation flow is authenticated.

  • For this card we’re going to:
    • Only allow CAROL_ADMINs to modify mail templates.
    • Validate the URL against our CORS filters.
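The acceptance criteria above, as an added example that is not the project's own code: the caller's html field is ignored unless the caller holds CAROL_ADMIN, and the redirect URL is checked against an allowlist of origins standing in for the platform's CORS filter (the allowlist, field names and role string are assumptions).

```python
# Added example (not the project's code): invite handling that ignores
# caller-supplied HTML and validates the redirect URL against an origin
# allowlist, mirroring the ticket's acceptance criteria.
import html
from urllib.parse import urlsplit

# Constructed allowlist standing in for the platform's CORS filter origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# Internally defined default template; non-admin callers always get this one.
DEFAULT_INVITE_TEMPLATE = (
    '<p>You have been invited. <a href="{accept_url}">Accept invitation</a></p>'
)


def redirect_url_is_allowed(url: str, allowed_origins=ALLOWED_ORIGINS) -> bool:
    """Accept only absolute https URLs whose scheme://host[:port] is allowlisted."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:  # reject "allowed.host@evil.host" forms
        return False
    origin = f"https://{parts.hostname}"  # .hostname is already lower-cased
    if port and port != 443:
        origin += f":{port}"
    return origin in allowed_origins


def build_invite_email(request: dict, caller_roles: set) -> dict:
    """Build the invite mail; raise ValueError when the redirect is not allowed."""
    redirect = request.get("redirectUrl", "")
    if not redirect_url_is_allowed(redirect):
        raise ValueError("redirectUrl is not an allowed origin")
    # Template customization is honoured only for CAROL_ADMIN callers (assumed
    # role name); everyone else gets the default regardless of what they sent.
    template = DEFAULT_INVITE_TEMPLATE
    if "CAROL_ADMIN" in caller_roles and request.get("html"):
        template = request["html"]
    # Escape the URL before placing it in an attribute; plain replace rather
    # than str.format so the template cannot reach into object attributes.
    body = template.replace("{accept_url}", html.escape(redirect, quote=True))
    return {"to": request["email"], "body": body}
```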

Activity

Automation for Jira 18 March 2024, 16:04 Jira Internal Users

This issue was automatically transitioned to REGRESSION, as its PR was just merged into qa branch in Github.

Automation for Jira 18 March 2024, 16:03 Jira Internal Users

This issue was automatically transitioned to REGRESSION, as its PR was just merged into qa branch in Github.

Automation for Jira 15 March 2024, 13:40 Jira Internal Users

This issue was automatically transitioned to TESTED & MERGED, as its PR was just merged into develop branch in Github. PR Approved by lucasnoetzold,douglascoimbra.

Automation for Jira 1 March 2024, 20:01 Jira Internal Users

@MARCOS STUMPF ,
@Pedro Buzzi , @Gabriel DAmore Marciano , @Douglas Coimbra Lopes , @Lucas Noetzold

This issue was planned to be delivered until 2024-03-25. You can check that by consulting the issue in the Due Date field.

Dates already planned for this issue: 2024-03-01, 2024-03-25

If External Issue Link field is filled, customer was also informed on JIRA TOTVS.

Douglas Coimbra Lopes 23 February 2024, 16:58 Jira Internal Users

@Jonathan Willian Moraes @Moises Jose Soares Filho @Gabriel DAmore Marciano This card has been validated by the QA team.

Automation for Jira 23 February 2024, 16:58 Jira Internal Users

Github user douglascoimbra has just approved a PR (added as Shard Assignee in this Jira issue).

fix: Pentest invite email

Douglas Coimbra Lopes 23 February 2024, 16:57 Jira Internal Users

CAROL ADMIN ALLOWED

INVALID URL

VALID EMAIL

Automation for Jira 23 February 2024, 14:46 Jira Internal Users

This issue was automatically transitioned to QA REVIEW, as its PR was just approved in Github.

Automation for Jira 23 February 2024, 13:52 Jira Internal Users

@MARCOS STUMPF ,
@Gabriel DAmore Marciano ,

This issue was planned to be delivered until 2024-03-01. You can check that by consulting the issue in the Due Date field.

Dates already planned for this issue: 2024-03-01

If External Issue Link field is filled, customer was also informed on JIRA TOTVS.