DataSourceRequest - validate/error handle filter, sort, group parameters

5 posts, 0 answers
  1. Werdna
    6 posts
    Member since:
    Aug 2017

    Posted 23 Jun 2020

    Hello,

    I've followed the example found here: https://demos.telerik.com/aspnet-core/grid/remote-data-binding to create a grid that is bound to remote data. Everything works great. However, my IT security team has run the Rapid7 AppSpider security scan on my web application, and all that comes up is "vulnerabilities" related to the scanner sending bogus values for the filter, sort, and group parameters to the Grid controller. Here's an example:

    Attack type:  Buffer Overflow string of 100 characters

    Basically it's sending a string of 100+ characters as a value to the "filter" parameter.

    https://mysite.com/Grid/Orders_Read?filter=100characterlongstring

    In other cases, it's sending potentially harmful strings such as ./*][ and %s%f%d%x. The Grid seems to handle it by returning an error, but they may force me to handle/validate these parameters. The problem is I don't see where/how I can do that. Can you please shed some light on how I can prevent these "vulnerabilities"?

    Thanks

  2. Werdna
    6 posts
    Member since:
    Aug 2017

    Posted 24 Jun 2020 in reply to Werdna

    Anyone have any ideas on this?
  3. Tsvetomir
    Admin
    796 posts

    Posted 25 Jun 2020

    Hi Andrew,

    In general, all the vulnerable and potentially harmful scripts should be handled on the server-side by the developer. The event in which you can prevent the Read requests is the RequestStart event:

    .Events(ev => ev.RequestStart("onRequestStart"))

    function onRequestStart(e) {
        // e.type is the request type ("read", "create", "update" or "destroy");
        // e.sender is the DataSource; call e.preventDefault() to cancel the request.
    }

    Within the handler, you can prevent the request, do your validations and after that manually send a request via the DataSource widget's API:

    https://docs.telerik.com/kendo-ui/api/javascript/data/datasource#methods

    I hope you find this helpful.


    Kind regards,
    Tsvetomir
    Progress Telerik

    Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
    Our thoughts here at Progress are with those affected by the outbreak.
  4. Werdna
    6 posts
    Member since:
    Aug 2017

    Posted 25 Jun 2020 in reply to Tsvetomir

    Hi Tsvetomir,

    I'm probably not understanding this correctly, but the issue is I can't handle this in the widget event because the Rapid7 AppSpider security scan is accessing the controller directly and not via the widget. For example:

    https://mysite.com/Grid/Orders_Read?filter=./*][

    I can validate/handle the vulnerable and potentially harmful scripts on the server-side in the controller, except that, for some reason, when the "filter" parameter is used, the controller is never hit. A generic .NET Core error is returned, but I'd rather handle/validate a bogus value for the "filter" parameter. Here's the stack of the error I get:


    FilterParserException: Expected token
    Kendo.Mvc.Infrastructure.Implementation.FilterLexer.Tokenize()
    Kendo.Mvc.Infrastructure.Implementation.FilterParser..ctor(string input)
    Kendo.Mvc.Infrastructure.FilterDescriptorFactory.Create(string input)
    Kendo.Mvc.UI.DataSourceRequestModelBinder+<>c__DisplayClass2_0.<CreateDataSourceRequest>b__3(string filter)
    Kendo.Mvc.UI.DataSourceRequestModelBinder.TryGetValue<T>(ModelMetadata modelMetadata, IValueProvider valueProvider, string modelName, string key, Action<T> action)
    Kendo.Mvc.UI.DataSourceRequestModelBinder.CreateDataSourceRequest(ModelMetadata modelMetadata, IValueProvider valueProvider, string modelName)
    Kendo.Mvc.UI.DataSourceRequestModelBinder.BindModelAsync(ModelBindingContext bindingContext)
    Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BinderTypeModelBinder.BindModelAsync(ModelBindingContext bindingContext)
    Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder.BindModelAsync(ActionContext actionContext, IModelBinder modelBinder, IValueProvider valueProvider, ParameterDescriptor parameter, ModelMetadata metadata, object value)
    Microsoft.AspNetCore.Mvc.Internal.ControllerBinderDelegateProvider+<>c__DisplayClass0_0+<<CreateBinderDelegate>g__Bind|0>d.MoveNext()
    Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
    Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()
    Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
    Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)
    Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
    Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
    Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
    Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
    Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

    Thank you.
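
    One server-side way to deal with what the stack trace above shows, added here as an example and not code from this thread or from Telerik: an ASP.NET Core resource filter, which runs before model binding, caps the length of the filter, sort and group query parameters and pre-parses filter with the same FilterDescriptorFactory.Create the model binder calls, so a malformed value yields a 400 instead of an unhandled FilterParserException. It assumes FilterDescriptorFactory.Create is callable from application code; the attribute name, the 2048-character limit and the Orders_Read action in the usage comment are made up for the example.

```csharp
using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Kendo.Mvc.Infrastructure; // FilterDescriptorFactory, as seen in the posted stack trace

// Resource filters execute before model binding, so this short-circuits the
// request before DataSourceRequestModelBinder has a chance to throw.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class ValidateDataSourceRequestAttribute : Attribute, IResourceFilter
{
    // Assumed limit: well above any real grid state, far below a padding probe.
    private const int MaxLength = 2048;
    private static readonly string[] Keys = { "filter", "sort", "group" };

    public void OnResourceExecuting(ResourceExecutingContext context)
    {
        var query = context.HttpContext.Request.Query;

        foreach (var key in Keys)
        {
            // IQueryCollection returns StringValues; repeated keys are joined with commas.
            string value = query[key];
            if (!string.IsNullOrEmpty(value) && value.Length > MaxLength)
            {
                context.Result = new BadRequestObjectResult($"'{key}' exceeds {MaxLength} characters.");
                return;
            }
        }

        string filter = query["filter"];
        if (string.IsNullOrEmpty(filter)) return;

        try
        {
            // Same parser the model binder uses; a bad expression throws here instead.
            FilterDescriptorFactory.Create(filter);
        }
        catch (Exception)
        {
            // Deliberately generic: the rejected input is not echoed back to the client.
            context.Result = new BadRequestObjectResult("'filter' is not a valid filter expression.");
        }
    }

    public void OnResourceExecuted(ResourceExecutedContext context) { }
}

// Usage on the grid's read action (constructed example):
// [ValidateDataSourceRequest]
// public IActionResult Orders_Read([DataSourceRequest] DataSourceRequest request)
//     => Json(GetOrders().ToDataSourceResult(request));
```

    The sort and group parameters still reach the Kendo model binder unparsed here; applying the same pre-parse to them needs the corresponding descriptor factories, and an IExceptionFilter registered globally is the fallback that turns any remaining binder exception into a clean 400.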

  5. Tsvetomir
    Admin
    796 posts

    Posted 29 Jun 2020

    Hi Andrew,

    Thank you for the additional details. Is it possible for you to execute a custom AJAX request by passing the value as a query parameter and see if the issue can be replicated outside of the scope of the grid?

    Alternatively, can you try reproducing the issue in any of our live demos and let me know on the needed steps?

    https://demos.telerik.com/aspnet-core/grid/remote-data-binding


    Regards,
    Tsvetomir
    Progress Telerik
