Pentest 2023: Review the email strategy to avoid HTML injection vulnerability
Description
PRDE - Story default text according to the team DoR (Definition of Ready)
02 - PROBLEM (WHAT'S THE CURRENT PROBLEM SCENARIO OR PAIN TO BE RESOLVED?):
Today, the way we allow HTML customization lets users inject HTML and redirect the password reset to a service other than Carol, so an external user can receive the token and use it to change the password.
Pentest report: https://drive.google.com/file/d/1kcDewpYZ8VffMgTXKi7VLQZ5JIdRRL9a/view?usp=sharing
03 - GOAL (DESCRIBE THE PROPOSED SOLUTION):
- Review the strategy used to send emails so that endpoint callers can no longer customize the HTML.
- Understand the side effects and any communication needed with internal teams.
04 - WHO CAN USE THIS FEATURE (USER ROLES):
05 - ASSETS (FIGMA LINKS, RELEVANT DOCUMENTATION LINKS, JSON EXAMPLES, ETC):
06 - ACCEPTANCE CRITERIA:
- Avoid HTML injection through our endpoint by using a parameter instead of a link.
- Ignore the HTML-related parameter and use the internally defined default template.
As we have discussed on our backlog review today, we are going to:
- Remove the mailTemplate option from the reset password endpoint and use the default template provided by the platform.
- Validate the host URL sent to the endpoint. If it does not belong to the allowed hosts (*.qarol.ai or *.caro.ai), we are going to reject the request.
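The two acceptance criteria above, as an added example that is not code from the totvslabs/mdm project: the caller's mailTemplate is ignored, the host URL is checked against the *.qarol.ai / *.caro.ai allowlist with the parsed hostname (not a substring search, so userinfo tricks and look-alike domains fail), and the link is assembled on the server into a fixed template. The payload field name hostUrl, the /reset-password path, the template text and the sample token are assumptions; the page does not show them.

```python
import html
from urllib.parse import quote, urlsplit, urlunsplit

# Host suffixes from the acceptance criteria; anything else is rejected.
ALLOWED_SUFFIXES = (".qarol.ai", ".caro.ai")

# Hypothetical server-side default template (the platform's real template is
# not on the page). The link is the only value the caller can influence, and
# it is HTML-escaped before being placed into the attribute.
DEFAULT_TEMPLATE = (
    "<p>To reset your password, open the link below.</p>"
    '<p><a href="{link}">Reset password</a></p>'
    "<p>If you did not request this, ignore this email.</p>"
)


class RejectedRequest(ValueError):
    """Raised when the reset request must be rejected."""


def is_allowed_reset_host(url: str) -> bool:
    """True only for an absolute http(s) URL whose hostname is a subdomain of
    one of ALLOWED_SUFFIXES. The bare apex (qarol.ai) is not accepted, which is
    one reading of "*.qarol.ai"; relax it if the platform needs the apex."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, userinfo and port stripped
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if not all(host.split(".")):  # reject empty labels such as "a..qarol.ai"
        return False
    return any(
        host.endswith(suffix) and len(host) > len(suffix)
        for suffix in ALLOWED_SUFFIXES
    )


def build_reset_link(host_url: str, token: str) -> str:
    """Build the link on the server from the validated host only: scheme, host
    and port are reused, everything else (path, query, userinfo) is ours."""
    parts = urlsplit(host_url)
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit(
        (parts.scheme, netloc, "/reset-password", f"token={quote(token)}", "")
    )


def handle_reset_request(payload: dict, token: str) -> str:
    """Process the endpoint payload (a constructed dict) and return the email
    body. payload['mailTemplate'] is deliberately never read."""
    host_url = payload.get("hostUrl", "")
    if not is_allowed_reset_host(host_url):
        raise RejectedRequest(f"host not allowed: {host_url!r}")
    link = build_reset_link(host_url, token)
    return DEFAULT_TEMPLATE.format(link=html.escape(link, quote=True))


if __name__ == "__main__":
    # Constructed request that tries both the old template injection and an
    # external host; it is rejected before any email is built.
    attack = {
        "hostUrl": "https://app.qarol.ai@evil.example/",
        "mailTemplate": '<a href="https://evil.example/?t={token}">x</a>',
    }
    try:
        handle_reset_request(attack, "demo-token")
    except RejectedRequest as exc:
        print("rejected:", exc)
    print(handle_reset_request({"hostUrl": "https://app.qarol.ai/"}, "demo-token"))
```

The check is done on `urlsplit(...).hostname` rather than on the raw string, because a raw `"qarol.ai" in url` test would accept `https://evil.example/?next=app.qarol.ai` and `https://app.qarol.ai@evil.example/`.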
Activity
The PR was declined.
Github PR: https://github.com/totvslabs/mdm/pull/4351
This issue was automatically transitioned to WAITING DEPLOY, as its PR was just merged into master branch in Github.
Github user douglascoimbra has just approved a PR (added as Shard Assignee in this Jira issue).
fix: Pentest email reset password
VALID URL
INVALID URL
This issue was automatically transitioned to QA REVIEW, as its PR was just approved in Github.
This issue was automatically transitioned to REVIEW, as its PR (not DRAFT and not WIP) was just created in Github.
fix: Pentest email reset password
@Robson Thanael Poffo ,
@Gabriel DAmore Marciano ,
This issue was planned to be delivered by 2024-03-04. You can check that by consulting the Due Date field of the issue.
Dates already planned for this issue: 2024-03-04
If the External Issue Link field is filled, the customer was also informed on JIRA TOTVS.
About that first bullet, replacing the URL with a parameter: when I mentioned it, I had this idea in mind, not sure whether it is valid.
/passwordResetRequests
-> Sends a random, unique token (nonce) as a parameter on the front end, to be assembled on the back end and sent to the user by email. This FE-to-BE transmission goes over a secure HTTPS connection. The token would be stored in encrypted form with a limited lifetime (expiration). When the user receives the email and clicks the link generated by the BE, this token will be validated.
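The token lifecycle sketched in the comment above, as an added example that is not code from the totvslabs/mdm project: the back end issues a random single-use token, stores only a SHA-256 digest of it with an expiry (hashing at rest is a substitution for the "encrypted" storage the comment mentions; either way a database read alone must not yield a usable token), and validates it when the link is clicked. The 15-minute lifetime, the in-memory store and the injectable clock are assumptions made so the code runs offline.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetime of a reset token; the page gives no value.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Issues and redeems password-reset tokens.

    Only a digest of each token is kept, keyed by digest, so the plaintext
    token exists in the email link and nowhere else. `now` is injectable so
    expiry can be tested without sleeping.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # digest -> (user_id, expires_at); an in-memory stand-in for a database
        self._entries: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a 256-bit random token for user_id and return the plaintext
        to be placed in the email link built on the server."""
        token = secrets.token_urlsafe(32)
        self._entries[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id the token belongs to, or None if it is unknown,
        already used, or expired. The entry is removed before the expiry
        check, so a token can never be redeemed twice."""
        entry = self._entries.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("user-42")  # constructed user id
    print("redeem once:", store.redeem(token))   # user-42
    print("redeem again:", store.redeem(token))  # None
```

Because redemption looks the digest up by dictionary key, an attacker cannot learn a valid token by timing comparisons, and because the token is 256 bits from `secrets`, it cannot be guessed within any lifetime.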