Skip to content

Backport of [Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests into release/1.20.x#21976

Merged
NiniOak merged 2 commits into
release/1.20.xfrom
backport/SECVULN-8621_consul_api_validate_request_content_type/humbly-excited-pheasant
Nov 27, 2024
Merged

Backport of [Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests into release/1.20.x#21976
NiniOak merged 2 commits into
release/1.20.xfrom
backport/SECVULN-8621_consul_api_validate_request_content_type/humbly-excited-pheasant

Conversation

@hc-github-team-consul-core
Copy link
Copy Markdown
Collaborator

@hc-github-team-consul-core hc-github-team-consul-core commented Nov 27, 2024

Backport

This PR is auto-generated from #21930 to be assessed for backporting due to the inclusion of the label backport/1.20.

The below text is copied from the body of the original PR.

Description

  • Modified existing ensureContentTypeHeader middleware to set the response Content-Type to match the type of content that the server will process.

SOLUTION

ensureContentTypeHeader middleware is used to determine if the content-type set in the API request is the expected content type. If it's not a match:

  • A warning is logged in Consul
  • The appropriate contentType Header set before processing the request.
  • The same action is carried out for API response.
    NOTE: The same function is used in doRequest function which is used in processing CLI requests to the Consul API.

Testing & Reproduction steps

Updated unit tests to add additional checks for content-type header
Vercel should deploy UI with no errors

MANUAL TESTING

Before Changes

Screenshot 2024-11-26 at 1 32 11 PM

After Changes

Screenshot 2024-11-26 at 1 33 02 PM

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/SECVULN-8621_consul_api_validate_request_content_type/humbly-excited-pheasant branch from 6e47fd8 to 0e77e30 Compare November 27, 2024 17:30
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Nov 27, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@github-actions github-actions Bot added the theme/api Relating to the HTTP API interface label Nov 27, 2024
@NiniOak NiniOak enabled auto-merge (squash) November 27, 2024 17:45
@NiniOak NiniOak merged commit 10af0cd into release/1.20.x Nov 27, 2024
@NiniOak NiniOak deleted the backport/SECVULN-8621_consul_api_validate_request_content_type/humbly-excited-pheasant branch November 27, 2024 17:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@NiniOak NiniOak Awaiting requested review from NiniOak

Assignees

@NiniOak NiniOak

Labels

theme/api Relating to the HTTP API interface

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hc-github-team-consul-core @github-team-consul-core-pr-approver @NiniOak