This is a migrated thread and some comments may be shown as answers.

DataSourceRequest - validate/error handle filter, sort, group parameters

Werdna asked on 23 Jun 2020, 05:00 AM

Hello,

I've followed the example found here: https://demos.telerik.com/aspnet-core/grid/remote-data-binding to create a grid that is bound to remote data. Everything works great. However, my IT security team has run the Rapid7 Appspider security scan on my web application and all that comes up is "vulnerabilities" related to the scanner sending bogus values for the filter, sort, and group parameters to the Grid controller. Here's an example:

Attack type:  Buffer Overflow string of 100 characters

Basically it's sending a string of 100+ characters as a value to the "filter" parameter.

https://mysite.com/Grid/Orders_Read?filter=100characterlongstring

In other cases, it's sending potential harmful strings such as ./*][ and %s%f%d%x.  The Grid seems to handle it by returning an error, but they may force me to handle/validate these parameters.  The problem is I don't see where/how I can do that?  Can you please shine some light on how I can prevent these "vulnerabilities"?

Thanks

4 Answers, 1 is accepted

Werdna
answered on 24 Jun 2020, 05:19 PM
Anyone have any ideas on this?
Tsvetomir
Telerik team
answered on 25 Jun 2020, 11:34 AM

Hi Andrew,

In general, all the vulnerable and potentially harmful scripts should be handled on the server-side by the developer. The event in which you can prevent the Read requests is the RequestStart event:

.Events(ev => ev.RequestStart("onRequestStart"))

function onRequestStart(e) {
    // e.type is "read" for data requests; call e.preventDefault() here to cancel
    // the request, then issue your own via the DataSource API after validating.
}

Within the handler, you can prevent the request, do your validations and after that manually send a request via the DataSource widget's API:

https://docs.telerik.com/kendo-ui/api/javascript/data/datasource#methods

I hope you find this helpful.


Kind regards,
Tsvetomir
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Werdna
answered on 25 Jun 2020, 06:25 PM

Hi Tsvetomir,

I'm probably not understanding this correctly, but the issue is I can't handle this in the widget event because the Rapid7 Appspider security scan is accessing the controller directly and not via the widget. For example:

https://mysite.com/Grid/Orders_Read?filter=./*][

I can validate/handle the vulnerable and potentially harmful scripts on the server-side in the controller except for some reason, when the "filter" parameter is used, the controller is never hit.  A generic .NET core error is returned, but I'd rather handle/validate for a bogus value for the "filter" parameter.  Here's the stack of the error I get:


FilterParserException: Expected token
Kendo.Mvc.Infrastructure.Implementation.FilterLexer.Tokenize()
Kendo.Mvc.Infrastructure.Implementation.FilterParser..ctor(string input)
Kendo.Mvc.Infrastructure.FilterDescriptorFactory.Create(string input)
Kendo.Mvc.UI.DataSourceRequestModelBinder+<>c__DisplayClass2_0.<CreateDataSourceRequest>b__3(string filter)
Kendo.Mvc.UI.DataSourceRequestModelBinder.TryGetValue<T>(ModelMetadata modelMetadata, IValueProvider valueProvider, string modelName, string key, Action<T> action)
Kendo.Mvc.UI.DataSourceRequestModelBinder.CreateDataSourceRequest(ModelMetadata modelMetadata, IValueProvider valueProvider, string modelName)
Kendo.Mvc.UI.DataSourceRequestModelBinder.BindModelAsync(ModelBindingContext bindingContext)
Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BinderTypeModelBinder.BindModelAsync(ModelBindingContext bindingContext)
Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder.BindModelAsync(ActionContext actionContext, IModelBinder modelBinder, IValueProvider valueProvider, ParameterDescriptor parameter, ModelMetadata metadata, object value)
Microsoft.AspNetCore.Mvc.Internal.ControllerBinderDelegateProvider+<>c__DisplayClass0_0+<<CreateBinderDelegate>g__Bind|0>d.MoveNext()
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Thank you.
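The stack trace above shows the exception is thrown inside Kendo's DataSourceRequestModelBinder, before any action code runs, so the fix has to sit at the model-binding layer. The following is an added example (not from this thread and not Telerik's code): a wrapper binder that rejects oversized filter/sort/group values, delegates to Kendo's binder, and converts a parser failure into a ModelState error so the action is reached and can return 400. It assumes DataSourceRequestModelBinder has a parameterless constructor and that Kendo's parser exception type names end in "ParserException"; the 2048 limit is a placeholder.

```csharp
using System;
using System.Threading.Tasks;
using Kendo.Mvc.UI;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ModelBinding;

// Hypothetical wrapper around Kendo's own binder (added example, not Kendo code).
public class SafeDataSourceRequestBinder : IModelBinder
{
    // Assumed limit; set it to the longest legitimate value your grid generates.
    private const int MaxParameterLength = 2048;
    private static readonly string[] Keys = { "filter", "sort", "group" };
    private readonly IModelBinder _inner = new DataSourceRequestModelBinder();

    public async Task BindModelAsync(ModelBindingContext bindingContext)
    {
        // Cheap length check on the raw query values before any parsing happens.
        foreach (var key in Keys)
        {
            var raw = bindingContext.ValueProvider.GetValue(key).FirstValue;
            if (raw != null && raw.Length > MaxParameterLength)
            {
                bindingContext.ModelState.AddModelError(key, $"'{key}' is too long.");
                bindingContext.Result = ModelBindingResult.Failed();
                return;
            }
        }
        try
        {
            await _inner.BindModelAsync(bindingContext);
        }
        catch (Exception ex) when (ex.GetType().Name.EndsWith("ParserException"))
        {
            // FilterParserException ("Expected token") lands here instead of
            // becoming an unhandled 500; unrelated exceptions still propagate.
            bindingContext.ModelState.AddModelError(string.Empty, "Invalid filter, sort or group expression.");
            bindingContext.Result = ModelBindingResult.Failed();
        }
    }
}

public class GridController : Controller
{
    // Replaces [DataSourceRequest] on this parameter with the wrapper binder.
    public IActionResult Orders_Read([ModelBinder(typeof(SafeDataSourceRequestBinder))] DataSourceRequest request)
    {
        if (!ModelState.IsValid)
            return BadRequest(ModelState); // reached now; log it for the scanner report
        // Normal path: return Json(orders.ToDataSourceResult(request));
        return Json(new { Data = Array.Empty<object>(), Total = 0 });
    }
}
```

Clients that send legitimate Kendo-generated parameters are unaffected, since the inner binder still does the real parsing; only malformed or oversized input now yields a logged 400 instead of the developer exception page.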

Tsvetomir
Telerik team
answered on 29 Jun 2020, 02:24 PM

Hi Andrew,

Thank you for the additional details. Is it possible for you to execute a custom AJAX request by passing the value as a query parameter and see if the issue can be replicated outside of the scope of the grid? 

Alternatively, can you try reproducing the issue in any of our live demos and let me know on the needed steps?

https://demos.telerik.com/aspnet-core/grid/remote-data-binding


Regards,
Tsvetomir
Progress Telerik
