Pentest 2023: Review the email strategy to avoid HTML injection vulnerability

Description

PRDE - Story default text according to the team DoR (Definition of Ready)

02 - PROBLEM (WHAT'S THE CURRENT PROBLEM SCENARIO OR PAIN TO BE RESOLVED?):

Today the way we are allowing the customization of HTML allow users to inject an HTML and redirect the password reset to another service other than Carol, allowing external users to receive the token allowing them to change the password.

Pentest report: https://drive.google.com/file/d/1kcDewpYZ8VffMgTXKi7VLQZ5JIdRRL9a/view?usp=sharing

03 - GOAL (DESCRIBE THE PROPOSED SOLUTION):

  • Review the strategy applied to send emails blocking the ability to customize the HTML by the endpoint callers.
  • Understand the side effect and eventual communication with internal teams.

04 - WHO CAN USE THIS FEATURE (USER ROLES):
05 - ASSETS (FIGMA LINKS, RELEVANT DOCUMENTATION LINKS, JSON EXAMPLES, ETC):
06 - ACCEPTANCE CRITERIA:

  • Avoid HTML injection through our endpoint by using a parameter instead a link
  • Ignore the parameter related to html and consider the default template internally defined

As we have discussed on our backlog review today, we are going to:

  • Remove the mailTemplate option from the reset password endpoint and use the default template provided by the platform
  • Validate the host url sent on the endpoint. If it is does not belong to the hosts (*.qarol.ai or *.caro.ai) we’re going to reject the request.

Activity

Automation for Jira 13 August 2024, 18:07 Jira Internal Users

Foi declinado o PR.

Automation for Jira 27 June 2024, 17:22 Jira Internal Users
Automation for Jira 15 February 2024, 14:16 Jira Internal Users

This issue was automatically transitioned to WAITING DEPLOY, as its PR was just merged into master branch in Github.

Automation for Jira 15 February 2024, 14:16 Jira Internal Users

Github user douglascoimbra has just approved a PR (added as Shard Assignee in this Jira issue).

fix: https://totvslabs.atlassian.net/browse/CAPL-5217#icft=CAPL-5217 Pentest email reset password

Douglas Coimbra Lopes 14 February 2024, 22:16 Jira Internal Users

VALID URL

INVALID URL

Automation for Jira 14 February 2024, 21:07 Jira Internal Users

This issue was automatically transitioned to QA REVIEW, as its PR was just approved in Github.

Automation for Jira 14 February 2024, 20:31 Jira Internal Users

This issue was automatically transitioned to REVIEW, as its PR (not DRAFT and not WIP) was just created in Github.

fix: https://totvslabs.atlassian.net/browse/CAPL-5217#icft=CAPL-5217 Pentest email reset password

Automation for Jira 12 February 2024, 19:19 Jira Internal Users

@Robson Thanael Poffo ,
@Gabriel DAmore Marciano ,

This issue was planned to be delivered until 2024-03-04. You can check that by consulting the issue in the Due Date field.

Dates already planned for this issue: 2024-03-04

If External Issue Link field is filled, customer was also informed on JIRA TOTVS.

MARCOS STUMPF 19 January 2024, 20:08 Jira Internal Users

Sobre aquele primeiro bullet trocar url por um parâmetro quando falei, eu tinha pensado nesta ideia, não sei se é válida.

/passwordResetRequests -> Envia um token aleatório e único (nonce) como parâmetro no front-end para ser montado no back-end e enviado ao usuário no e-mail. Esta transmissão de FE para BE por meio de conexão segura HTTPS. O Token seria armazenado de forma criptografada por um tempo de vida limitado (expiração). Quando o usuário receber o e-mail e clicar no link gerado pelo BE, este token será validado.