Reflected XSS in the jira-gadgets-plugin getLabelGroups REST resource

Type atlassian
Reporter dblack
Modified 2017-02-20T00:46:54


The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups REST resource that is vulnerable to reflected XSS through the user-supplied 'project' path parameter. The vulnerability arises because, when the 'project' parameter cannot be parsed as a long, the error response message is built with a content type of text/html and the 'project' value is not HTML-encoded before being included in it.

An example URL demonstrating this flaw looks like: http://$JIRA/jira/rest/gadget/1.0/labels/gadget/%22'%3Cvideo%20onerror=alert(3)%20src=xxxx%3Ealert(3);%3C/script%3E/groups

{code}
@GET
@Path("gadget/{project}/{fieldId}/groups")
@Produces(MediaType.TEXT_HTML)
public Response getLabelGroups(@PathParam("project") String project, @PathParam("fieldId") String fieldId)
{
    long projectId;
    try
    {
        projectId = Long.parseLong(StringUtils.substring(project, "project-".length()));
    }
    catch (NumberFormatException e)
    {
        log.error("Error parsing project id from '" + project + "'");
        // Vulnerable path: the raw 'project' value is reflected into a text/html response body without encoding
        return Response.status(Response.Status.BAD_REQUEST).entity("Error parsing project id from '" + project + "'").cacheControl(NO_CACHE).build();
    }

    return Response.ok(alphabeticalLabelRenderer.getHtml(authenticationContext.getLoggedInUser(), projectId, fieldId, true)).cacheControl(NO_CACHE).build();
}
{code}
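A hardened version of the same error path, added here as an illustration and not Atlassian's actual fix: the reflected value is HTML-encoded and the error response is sent as text/plain rather than text/html. SafeLabelsResource, escapeHtml and parseErrorMessage are hypothetical names, the label-rendering success path is replaced by a placeholder, and a JAX-RS API jar is assumed on the classpath.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

public class SafeLabelsResource {

    // Hypothetical minimal HTML entity encoder (a real code base would use a library
    // such as commons-lang StringEscapeUtils). Encodes the five characters that can
    // break out of text or attribute context.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the error text with the user-supplied value encoded, so it stays inert
    // even if a client renders the body as HTML.
    static String parseErrorMessage(String project) {
        return "Error parsing project id from '" + escapeHtml(project) + "'";
    }

    @GET
    @Path("gadget/{project}/{fieldId}/groups")
    @Produces(MediaType.TEXT_HTML)
    public Response getLabelGroups(@PathParam("project") String project,
                                   @PathParam("fieldId") String fieldId) {
        long projectId;
        try {
            projectId = Long.parseLong(project.substring(Math.min("project-".length(), project.length())));
        } catch (NumberFormatException e) {
            // Defence in depth: encoded value AND a non-HTML content type on the error path.
            return Response.status(Response.Status.BAD_REQUEST)
                    .type(MediaType.TEXT_PLAIN)
                    .entity(parseErrorMessage(project))
                    .build();
        }
        // Placeholder for the label-group rendering; projectId is a parsed number, not user markup.
        return Response.ok("<!-- label groups for project " + projectId + " -->").build();
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup; the printed message contains no raw '<' or quotes.
        System.out.println(parseErrorMessage("project-\"'<b>x</b>"));
    }
}
```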