
List:       oss-security
Subject:    [oss-security] CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can
From:       Zexuan Luo <spacewander () apache ! org>
Date:       2022-03-28 3:16:43
Message-ID: CAADJU110xZQCFK9xOC+s1OmAYo=a36uJa0+Mb6=h5cQO08yTzw () mail ! gmail ! com

Severity: low

Description:

When decoding a JSON object that contains duplicate keys, lua-cjson keeps
the last occurrence of the key as the result. By sending a JSON body with
a duplicate key, an attacker can bypass the body_schema validation in the
request-validation plugin: the plugin validates the last value, while an
upstream parser that keeps the first value sees a different one. For
example, `{"string_payload":"bad","string_payload":"good"}` can be used to
hide the "bad" input behind the "good" one that passes the schema.

Systems that satisfy all three of the conditions below are affected:
1. body_schema validation in the request-validation plugin is in use
2. the upstream application uses a JSON library that keeps the first
occurrence of a duplicate key, such as jsoniter or gojay
3. the upstream application does not validate the input itself.

The fix in APISIX is to re-encode the validated JSON document and write it
back into the request body on the APISIX side, so the upstream receives the
same object that was validated rather than the attacker's original bytes.
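The bypass and the fix, as an added example that is not code from this advisory or from APISIX, written in Python rather than the Lua of the plugin. Python's json module is last-wins like lua-cjson, and an object_pairs_hook emulates a first-wins parser of the kind the advisory names (jsoniter, gojay). The allowed-value list, the gateway functions and the attack body are constructed stand-ins for the plugin's body_schema check, not the plugin's own code:

```python
import json

# Constructed attack body from the advisory: the duplicate key hides "bad".
ATTACK = '{"string_payload":"bad","string_payload":"good"}'

# Constructed stand-in for a body_schema rule (enum on string_payload).
ALLOWED = {"good"}


def parse_last_wins(body: str) -> dict:
    """Mirror lua-cjson (and json.loads by default): a later duplicate overwrites."""
    return json.loads(body)


def parse_first_wins(body: str) -> dict:
    """Emulate a first-occurrence-wins parser via object_pairs_hook."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)  # first value stays, later ones are ignored
        return out
    return json.loads(body, object_pairs_hook=keep_first)


def body_schema_ok(doc) -> bool:
    """Hypothetical schema check: string_payload must be one of ALLOWED."""
    return isinstance(doc, dict) and doc.get("string_payload") in ALLOWED


def gateway_vulnerable(body: str):
    """Validate with a last-wins parser, then forward the ORIGINAL bytes."""
    doc = parse_last_wins(body)
    if not body_schema_ok(doc):
        return None  # request rejected at the gateway
    return body  # validated object and forwarded bytes can disagree


def gateway_fixed(body: str):
    """Validate, then forward the re-encoded validated document (the APISIX fix)."""
    doc = parse_last_wins(body)
    if not body_schema_ok(doc):
        return None
    return json.dumps(doc)  # duplicates are gone; upstream sees what was validated


def upstream_value(forwarded):
    """Upstream uses a first-wins parser and trusts the gateway's validation."""
    if forwarded is None:
        return None
    return parse_first_wins(forwarded).get("string_payload")


def has_duplicate_keys(body: str) -> bool:
    """Defensive check an upstream (or gateway) can add: flag any duplicate key."""
    found = False

    def check(pairs):
        nonlocal found
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            found = True
        return dict(pairs)

    json.loads(body, object_pairs_hook=check)  # hook runs for nested objects too
    return found


def demo():
    return {
        "vulnerable": upstream_value(gateway_vulnerable(ATTACK)),  # "bad"
        "fixed": upstream_value(gateway_fixed(ATTACK)),            # "good"
        "rejected": gateway_vulnerable('{"string_payload":"bad"}'),  # None
    }


if __name__ == "__main__":
    print(demo())
    print("duplicate keys in attack body:", has_duplicate_keys(ATTACK))
```

The vulnerable path forwards the attacker's bytes unchanged, so the gateway's last-wins view ("good") and the upstream's first-wins view ("bad") diverge; the fixed path forwards the re-serialized object, so both sides see "good". The `has_duplicate_keys` helper is the kind of additional validation the mitigation section recommends for application code.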

Mitigation:

1. upgrade APISIX to 2.13.0 if you use the body_schema validation in the
request-validation plugin
2. add additional validation in the application code rather than relying
on the gateway alone (defensive programming)

Credit:

Thanks to Guangli Dong from https://www.huoxian.cn/