Pentest 2023: Review the invitation strategy to avoid HTML injection vulnerability
Description
PRDE - Story default text according to the team DoR (Definition of Ready)
01 - STAKEHOLDER (PERSON THAT CAN VALIDATE AND ANSWER QUESTIONS):
02 - PROBLEM (WHAT'S THE CURRENT PROBLEM SCENARIO OR PAIN TO BE RESOLVED?):
In addition to the problem reported in this card, another vulnerable point was found that can be exploited with less risk to the attacker, although with the same degree of severity.
Endpoint /api/v3/users/invites
03 - GOAL (DESCRIBE THE PROPOSED SOLUTION):
In order to resolve this vulnerability we must:
- Review the strategy applied for sending invitations by email, so that endpoint callers can no longer customize the HTML of the message.
- Understand the side effects and any communication needed with internal teams.
04 - WHO CAN USE THIS FEATURE (USER ROLES):
05 - ASSETS (FIGMA LINKS, RELEVANT DOCUMENTATION LINKS, JSON EXAMPLES, ETC):
06 - ACCEPTANCE CRITERIA:
- Avoid HTML and URL injection through our endpoint. Both the HTML of the message and the link the user is redirected to when accepting the invitation must be defined by the platform.
- Ignore the html-related parameter and use the internally defined default template instead.
Ps.: On PRDE-3445 (Pentest 2023: Review the invitation strategy to avoid HTML injection vulnerab..., Done) we handled the ability to inject HTML and URLs when resetting the password. This issue (PRDE-3445, Done) has the goal of reviewing the same ability in the flow that invites users. The invitation flow is authenticated.
- For this card we're going to:
- Only allow CAROL_ADMINs to modify mail templates
- Validate the URL against our CORS filters (the redirect origin must be one the CORS configuration already allows).
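As an added illustration of the acceptance criteria above (this is example code written for this card, not the Carol platform's own implementation; the request field names, the in-memory template store, the CAROL_ADMIN role constant and the allowed-origin set are assumptions), the following shows the invite handler before and after the fix: the "before" version lets the caller of /api/v3/users/invites supply the HTML body and the accept link verbatim, while the hardened version ignores the html parameter, escapes every caller-controlled value, checks the redirect URL's origin against the CORS allowlist, and restricts template changes to CAROL_ADMIN.

```python
"""Hypothetical invitation handler illustrating the fix described in this card.
Not the Carol platform's own code: field names, roles and origins are assumed."""
import html
import re
from urllib.parse import urlsplit

CAROL_ADMIN = "CAROL_ADMIN"

# Assumed: the origins the platform's CORS filter already allows (constructed sample).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# Platform-defined template; only {name}, {tenant} and {link} are ever filled in.
DEFAULT_TEMPLATE = (
    "<p>Hello {name},</p>"
    "<p>You have been invited to {tenant}. "
    '<a href="{link}">Accept invitation</a></p>'
)
# In-memory stand-in for the stored per-tenant mail template (constructed).
MAIL_TEMPLATES = {"acme": DEFAULT_TEMPLATE}

_PLACEHOLDER = re.compile(r"\{(name|tenant|link)\}")


class InviteError(ValueError):
    """Raised when the request is rejected (a 400 in the real HTTP handler)."""


def _fill(template: str, values: dict) -> str:
    # Single regex pass: a substituted value can never be re-interpreted as a
    # placeholder, and no str.format() is used, so braces in values are inert.
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def build_invite_vulnerable(req: dict) -> str:
    """BEFORE the fix: the caller supplies the HTML body and the accept link
    verbatim, so any authenticated user can mail arbitrary markup and a link
    to any site from the platform's trusted sender address."""
    body = req.get("html", DEFAULT_TEMPLATE)
    return _fill(body, {"name": req["name"], "tenant": req["tenant"], "link": req["url"]})


def validate_redirect_url(url: str) -> str:
    """Accept the accept-link only if its origin is one the CORS filter allows."""
    parts = urlsplit(url)
    netloc = parts.netloc.lower()
    # Reject non-https schemes (javascript:, data:, scheme-relative "//host")
    # and userinfo tricks such as https://app.example.com@evil.example/.
    if parts.scheme != "https" or not netloc or "@" in netloc:
        raise InviteError("INVALID URL")
    if f"https://{netloc}" not in ALLOWED_ORIGINS:
        raise InviteError("INVALID URL")
    return url


def set_mail_template(tenant: str, template: str, caller_roles: set) -> None:
    """Template customisation is a separate operation, allowed only for CAROL_ADMIN."""
    if CAROL_ADMIN not in caller_roles:
        raise InviteError("CAROL_ADMIN required to modify mail templates")
    MAIL_TEMPLATES[tenant] = template


def build_invite_hardened(req: dict) -> str:
    """AFTER the fix: any 'html' field in the request is ignored, the stored
    template is used, caller-controlled values are HTML-escaped and the accept
    link must pass the origin check before it is placed in the href."""
    template = MAIL_TEMPLATES.get(req["tenant"], DEFAULT_TEMPLATE)
    link = validate_redirect_url(req["url"])
    return _fill(template, {
        "name": html.escape(req["name"], quote=True),
        "tenant": html.escape(req["tenant"], quote=True),
        "link": html.escape(link, quote=True),
    })


if __name__ == "__main__":
    # Constructed attacker request: markup in the name, a phishing link,
    # and a caller-supplied HTML body.
    attack = {
        "name": "<img src=x onerror=alert(1)>",
        "tenant": "acme",
        "url": "https://evil.example/phish",
        "html": "<a href='https://evil.example/phish'>Click here</a>",
    }
    print("before:", build_invite_vulnerable(attack))
    try:
        build_invite_hardened(attack)
    except InviteError as err:
        print("after, rejected:", err)
    print("after, valid:", build_invite_hardened(
        dict(attack, url="https://app.example.com/accept?token=abc")))
```

The origin check compares scheme plus host (and port, if any) rather than doing a prefix match on the string, so `https://app.example.com.evil.example/` and `https://app.example.com@evil.example/` are both rejected; the stored template is filled by a single-pass placeholder substitution rather than `str.format`, so even an admin-authored template cannot reach attribute lookups through `{name.__class__}`-style placeholders.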
Activity
This issue was automatically transitioned to REGRESSION, as its PR was just merged into qa branch in Github.
This issue was automatically transitioned to TESTED & MERGED, as its PR was just merged into develop branch in Github. PR Approved by lucasnoetzold,douglascoimbra.
@MARCOS STUMPF ,
@Pedro Buzzi , @Gabriel DAmore Marciano , @Douglas Coimbra Lopes , @Lucas Noetzold
This issue was planned to be delivered by 2024-03-25. You can check that by consulting the Due Date field of the issue.
Dates already planned for this issue: 2024-03-01, 2024-03-25
If the External Issue Link field is filled, the customer was also informed on JIRA TOTVS.
@Jonathan Willian Moraes @Moises Jose Soares Filho @Gabriel DAmore Marciano This card has been validated by the QA team.
Github user douglascoimbra has just approved a PR (added as Shard Assignee in this Jira issue).
fix: https://totvslabs.atlassian.net/browse/CAPL-5546#icft=CAPL-5546 Pentest invite email
CAROL ADMIN ALLOWED
INVALID URL
VALID EMAIL
This issue was automatically transitioned to QA REVIEW, as its PR was just approved in Github.
@MARCOS STUMPF ,
@Gabriel DAmore Marciano ,
This issue was planned to be delivered by 2024-03-01. You can check that by consulting the Due Date field of the issue.
Dates already planned for this issue: 2024-03-01
If the External Issue Link field is filled, the customer was also informed on JIRA TOTVS.