wazuh-dashboard-plugins

Ruleset search bars don't sanitize input

Open · jctello opened this issue 2 years ago · 1 comment

In the Management > {Rules, Decoders, CDB lists} screens, if special characters such as & or ; (ampersand or semicolon) are used in the search bar, an error occurs. [screenshot]

The full error dialog shows: [screenshot]

_callee3/_callee3$/<@https://WAZUH-DASHBOARD-ADDRESS/1/bundles/plugin/wazuh/wazuh.chunk.7.js:5:1885772

It's worth doing a thorough investigation of this as this may be indicative of a potential code injection possibility.

On 4.2.x the input is accepted, although it won't find rules with a matching description. [screenshot]

Finally, the error message "Error when get the items of rules" is grammatically incorrect and confusing.

jctello avatar Apr 12 '22 11:04 jctello

Related to https://github.com/wazuh/wazuh-kibana-app/issues/4312

havidarou avatar Jul 20 '22 16:07 havidarou

I was researching a problem with a particular API search in the Wazuh plugin. When the value of the search query parameter contains &, the API replies that it is not a valid format.

I was testing the desired request, without the expected results. I don't know if this request is allowed by the API. I will ask my colleagues for more information.

Some tests with cURL:

Manager used: 4.4.0, built from sources (v4.4.0-beta1)
Wazuh plugin: "name": "wazuh", "version": "4.4.0", "revision": "01", "stage": "beta", "commit": "c6c3bf7ef", "pluginPlatform": { "version": "2.4.1" }

wz_api_token=$(curl -u wazuh:wazuh -s -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
curl -k -H "Authorization: Bearer ${wz_api_token}" https://localhost:55000/rules -G --data-urlencode "search=att&ck"
{"title": "Bad Request", "detail": "'att&ck' is not a 'search'. Failed validating 'format' in schema: {'format': 'search', 'type': 'string'}. On instance: 'att&ck'"}
curl -k -H "Authorization: Bearer ${wz_api_token}" https://localhost:55000/rules -G --data-urlencode "search=att%26ck"
{"title": "Bad Request", "detail": "'att&ck' is not a 'search'. Failed validating 'format' in schema: {'format': 'search', 'type': 'string'}. On instance: 'att&ck'"}

API logs:

2023/02/07 08:20:02 INFO: wazuh 172.18.0.1 "GET /rules" with parameters {"search": "att&ck"} and body {} done in 0.075s: 400
2023/02/07 08:20:45 INFO: wazuh 172.18.0.1 "GET /rules" with parameters {"search": "att%26ck"} and body {} done in 0.018s: 400

I attach some screenshots of the same search in the Wazuh plugin. [screenshots]

API logs:

2023/02/07 08:24:16 INFO: wazuh-wui 172.18.0.3 "GET /rules" with parameters {"search": "att&ck", "offset": "0", "limit": "10", "sort": "+id"} and body {} done in 0.018s: 400
2023/02/07 08:24:59 INFO: wazuh-wui 172.18.0.3 "GET /rules" with parameters {"search": "att%26ck", "offset": "0", "limit": "10", "sort": "+id"} and body {} done in 0.017s: 400

Desvelao avatar Feb 07 '23 08:02 Desvelao

According to @vicferpoy, the search query parameter has a regex restriction.

_search_param = re.compile(r'^[^;|&^*>]+$')


The search query parameter doesn't support & or ; characters. I don't know the reason for this, according to @davidjiglesias this could be related to SQL injection or any other sort of thing.

I asked @gdiazlo what the action item is, taking into account the shared information.

Desvelao avatar Feb 07 '23 09:02 Desvelao
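The regex quoted above is the whole of the API-side restriction. As an added example, not code from the thread or from the Wazuh project, the following mirrors that check on the client side so a search term can be rejected with a readable message before the request is sent, instead of the plugin surfacing a generic 400. The `SEARCH_PARAM` pattern is copied from the `_search_param` regex above; the single `unquote` step and the `build_rules_query` helper are assumptions, not the plugin's actual code.

```python
import re
from urllib.parse import unquote

# Character class copied from the Wazuh API's `_search_param` as quoted in this
# thread: the value must be non-empty and contain none of ; | & ^ * >
SEARCH_PARAM = re.compile(r'^[^;|&^*>]+$')

REJECTED = set(';|&^*>')


def is_valid_search(value: str) -> bool:
    """Mirror the API's `format: search` validation.

    Assumption (not from the thread): the value is percent-decoded once, as a
    server framework would before schema validation, so that a search term
    such as 'att%26ck' is caught the same way 'att&ck' is.
    """
    decoded = unquote(value)
    return SEARCH_PARAM.fullmatch(decoded) is not None


def rejected_characters(value: str) -> list:
    """Return the offending characters in order, so a UI can name them."""
    decoded = unquote(value)
    return [c for c in decoded if c in REJECTED]


def build_rules_query(search: str, offset: int = 0, limit: int = 10,
                      sort: str = '+id') -> dict:
    """Hypothetical helper: build the query parameters the plugin sends to
    GET /rules (the parameter names match the API log lines in this thread),
    raising a readable error instead of letting the API answer 400."""
    if not is_valid_search(search):
        raise ValueError(
            f"search term {search!r} contains characters the API rejects: "
            f"{rejected_characters(search)}")
    return {'search': search, 'offset': offset, 'limit': limit, 'sort': sort}


if __name__ == '__main__':
    # Constructed sample terms, including the ones used in the cURL tests above.
    for term in ['attack', 'att&ck', 'att%26ck', 'sshd;', 'a|b', '']:
        print(repr(term), is_valid_search(term), rejected_characters(term))
```

Note that the regex only blacklists six characters; it says nothing about why those characters are dangerous for the backend, so a client-side mirror like this is a usability measure, not a substitute for the server-side validation that the API already performs.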

According to @davidjiglesias , we could use the q query parameter instead to do the search.

Another issue suggesting this approach: https://github.com/wazuh/wazuh-kibana-app/issues/5198

Desvelao avatar Feb 07 '23 11:02 Desvelao

We are moving this issue to 4.5.0 because it needs some changes in the search bar, and there is an epic issue https://github.com/wazuh/wazuh-kibana-app/issues/4312 to redo it.

Desvelao avatar Feb 07 '23 12:02 Desvelao

Closing this, as the development is being done in https://github.com/wazuh/wazuh-kibana-app/issues/4312.

gdiazlo avatar Jul 20 '23 18:07 gdiazlo