wazuh-dashboard-plugins
Ruleset search bars don't sanitize input
In the Management > {Rules, Decoders, CDB lists} screens, if special characters such as `&` or `;` (ampersand or semicolon) are used in the search bar, an error occurs.
The full error dialog shows:

```
_callee3/_callee3$/<@https://WAZUH-DASHBOARD-ADDRESS/1/bundles/plugin/wazuh/wazuh.chunk.7.js:5:1885772
```
It's worth doing a thorough investigation of this as this may be indicative of a potential code injection possibility.
On 4.2.x the input is accepted although it won't find rules with a matching description.
Finally, the error message `Error when get the items of rules` is grammatically incorrect and confusing.
Related to https://github.com/wazuh/wazuh-kibana-app/issues/4312
I was researching a problem with a particular API search in the Wazuh plugin. When the value of the `search` query parameter contains `&`, the API replies that it is not a valid format.
I was testing how to make the desired request, without the expected results. I don't know if this request is allowed by the API. I will ask my colleagues for more information.
Some tests with cURL:
Manager used: 4.4.0 (built from sources, v4.4.0-beta1)
Wazuh plugin: `"name": "wazuh", "version": "4.4.0", "revision": "01", "stage": "beta", "commit": "c6c3bf7ef", "pluginPlatform": { "version": "2.4.1" }`

```
wz_api_token=$(curl -u wazuh:wazuh -s -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")

curl -k -H "Authorization: Bearer ${wz_api_token}" https://localhost:55000/rules -G --data-urlencode "search=att&ck"
{"title": "Bad Request", "detail": "'att&ck' is not a 'search'. Failed validating 'format' in schema: {'format': 'search', 'type': 'string'}. On instance: 'att&ck'"}

curl -k -H "Authorization: Bearer ${wz_api_token}" https://localhost:55000/rules -G --data-urlencode "search=att%26ck"
{"title": "Bad Request", "detail": "'att&ck' is not a 'search'. Failed validating 'format' in schema: {'format': 'search', 'type': 'string'}. On instance: 'att&ck'"}
```
API logs:

```
2023/02/07 08:20:02 INFO: wazuh 172.18.0.1 "GET /rules" with parameters {"search": "att&ck"} and body {} done in 0.075s: 400
2023/02/07 08:20:45 INFO: wazuh 172.18.0.1 "GET /rules" with parameters {"search": "att%26ck"} and body {} done in 0.018s: 400
```
I attach some screenshots when using the Wazuh plugin.
API logs:

```
2023/02/07 08:24:16 INFO: wazuh-wui 172.18.0.3 "GET /rules" with parameters {"search": "att&ck", "offset": "0", "limit": "10", "sort": "+id"} and body {} done in 0.018s: 400
2023/02/07 08:24:59 INFO: wazuh-wui 172.18.0.3 "GET /rules" with parameters {"search": "att%26ck", "offset": "0", "limit": "10", "sort": "+id"} and body {} done in 0.017s: 400
```
According to @vicferpoy, the `search` query parameter has a regex restriction:

```python
_search_param = re.compile(r'^[^;|&^*>]+$')
```

The `search` query parameter doesn't support the `&` or `;` characters. I don't know the reason for this; according to @davidjiglesias, this could be related to SQL injection or any other sort of thing.
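The API-side format check quoted above, mirrored as an added example (not the plugin's or the API's own code): it applies the same regex to the percent-decoded term and tells the user which characters were rejected, instead of forwarding the request and surfacing the 400 as a raw error dialog. The sample inputs are constructed, including the `att&ck` and `att%26ck` values from the cURL tests.

```python
import re
from urllib.parse import unquote

# Same pattern the Wazuh API applies to the `search` query parameter
# (quoted in the thread above): one or more characters, none of ; | & ^ * >
SEARCH_PARAM = re.compile(r'^[^;|&^*>]+$')
FORBIDDEN = set(';|&^*>')


def validate_search(term: str) -> tuple[bool, str]:
    """Mirror the API's format check so the UI can explain a rejection
    before the request is sent.

    Percent-decode first: the second cURL test above shows the API
    reporting 'att&ck' even when 'att%26ck' was sent, so checking the
    decoded value matches what the server will decide.
    """
    decoded = unquote(term)
    if decoded == "":
        return False, "search term must not be empty"
    if SEARCH_PARAM.match(decoded):
        return True, ""
    bad = sorted(FORBIDDEN & set(decoded))
    return False, "search term must not contain: " + " ".join(bad)


# Constructed sample inputs, including the two values from the thread
SAMPLES = ["att&ck", "att%26ck", "ssh;ls", "sshd", "mitre", "a|b", ""]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = validate_search(s)
        print(f"{s!r:12} -> {'accepted' if ok else 'rejected: ' + why}")
```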
I asked @gdiazlo what is the action item taking into account the shared information.
According to @davidjiglesias, we could use the `q` query parameter instead to do the search.
Another issue suggesting this approach: https://github.com/wazuh/wazuh-kibana-app/issues/5198
We are moving this issue to 4.5.0 because it needs some changes in the search bar, and there is an epic issue https://github.com/wazuh/wazuh-kibana-app/issues/4312 to redo it.
Closing this as the development is being done in https://github.com/wazuh/wazuh-kibana-app/issues/4312