CodeIgniter 4.1.7 までのAPI\ResponseTraitのXSS脆弱性
この記事は CodeIgniter Advent Calendar 2022 - Qiita の16日目です。まだ、空きがありますので、興味のある方は気軽に参加してください。
CodeIgniter 4.1.8 で修正された CVE-2022-21715 XSS Vulnerability in API\ResponseTrait in CodeIgniter4 の解説です。
脆弱性のあったコード
以下が実際のコードです。
https://github.com/codeigniter4/CodeIgniter4/blob/v4.1.7/system/API/ResponseTrait.php
<?php
/**
* This file is part of CodeIgniter 4 framework.
*
* (c) CodeIgniter Foundation <admin@codeigniter.com>
*
* For the full copyright and license information, please view
* the LICENSE file that was distributed with this source code.
*/
namespace CodeIgniter\API;
use CodeIgniter\Format\FormatterInterface;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\Response;
use Config\Services;
/**
* Provides common, more readable, methods to provide
* consistent HTTP responses under a variety of common
* situations when working as an API.
*
* @property IncomingRequest $request
* @property Response $response
*/
trait ResponseTrait
{
/**
* Allows child classes to override the
* status code that is used in their API.
*
* @var array<string, int>
*/
protected $codes = [
'created' => 201,
'deleted' => 200,
'updated' => 200,
'no_content' => 204,
'invalid_request' => 400,
'unsupported_response_type' => 400,
'invalid_scope' => 400,
'temporarily_unavailable' => 400,
'invalid_grant' => 400,
'invalid_credentials' => 400,
'invalid_refresh' => 400,
'no_data' => 400,
'invalid_data' => 400,
'access_denied' => 401,
'unauthorized' => 401,
'invalid_client' => 401,
'forbidden' => 403,
'resource_not_found' => 404,
'not_acceptable' => 406,
'resource_exists' => 409,
'conflict' => 409,
'resource_gone' => 410,
'payload_too_large' => 413,
'unsupported_media_type' => 415,
'too_many_requests' => 429,
'server_error' => 500,
'unsupported_grant_type' => 501,
'not_implemented' => 501,
];
/**
* How to format the response data.
* Either 'json' or 'xml'. If blank will be
* determine through content negotiation.
*
* @var string
*/
protected $format = 'json';
/**
* Current Formatter instance. This is usually set by ResponseTrait::format
*
* @var FormatterInterface
*/
protected $formatter;
/**
* Provides a single, simple method to return an API response, formatted
* to match the requested format, with proper content-type and status code.
*
* @param array|string|null $data
*
* @return mixed
*/
public function respond($data = null, ?int $status = null, string $message = '')
{
if ($data === null && $status === null) {
$status = 404;
$output = null;
} elseif ($data === null && is_numeric($status)) {
$output = null;
} else {
$status = empty($status) ? 200 : $status;
$output = $this->format($data);
}
if ($output !== null) {
if ($this->format === 'json') {
return $this->response->setJSON($output)->setStatusCode($status, $message);
}
if ($this->format === 'xml') {
return $this->response->setXML($output)->setStatusCode($status, $message);
}
}
return $this->response->setBody($output)->setStatusCode($status, $message);
}
/**
* Used for generic failures that no custom methods exist for.
*
* @param array|string $messages
* @param int $status HTTP status code
* @param string|null $code Custom, API-specific, error code
*
* @return mixed
*/
public function fail($messages, int $status = 400, ?string $code = null, string $customMessage = '')
{
if (! is_array($messages)) {
$messages = ['error' => $messages];
}
$response = [
'status' => $status,
'error' => $code ?? $status,
'messages' => $messages,
];
return $this->respond($response, $status, $customMessage);
}
//--------------------------------------------------------------------
// Response Helpers
//--------------------------------------------------------------------
/**
* Used after successfully creating a new resource.
*
* @param mixed $data
*
* @return mixed
*/
public function respondCreated($data = null, string $message = '')
{
return $this->respond($data, $this->codes['created'], $message);
}
/**
* Used after a resource has been successfully deleted.
*
* @param mixed $data
*
* @return mixed
*/
public function respondDeleted($data = null, string $message = '')
{
return $this->respond($data, $this->codes['deleted'], $message);
}
/**
* Used after a resource has been successfully updated.
*
* @param mixed $data
*
* @return mixed
*/
public function respondUpdated($data = null, string $message = '')
{
return $this->respond($data, $this->codes['updated'], $message);
}
/**
* Used after a command has been successfully executed but there is no
* meaningful reply to send back to the client.
*
* @return mixed
*/
public function respondNoContent(string $message = 'No Content')
{
return $this->respond(null, $this->codes['no_content'], $message);
}
/**
* Used when the client is either didn't send authorization information,
* or had bad authorization credentials. User is encouraged to try again
* with the proper information.
*
* @return mixed
*/
public function failUnauthorized(string $description = 'Unauthorized', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['unauthorized'], $code, $message);
}
/**
* Used when access is always denied to this resource and no amount
* of trying again will help.
*
* @return mixed
*/
public function failForbidden(string $description = 'Forbidden', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['forbidden'], $code, $message);
}
/**
* Used when a specified resource cannot be found.
*
* @return mixed
*/
public function failNotFound(string $description = 'Not Found', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['resource_not_found'], $code, $message);
}
/**
* Used when the data provided by the client cannot be validated.
*
* @return mixed
*
* @deprecated Use failValidationErrors instead
*/
public function failValidationError(string $description = 'Bad Request', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['invalid_data'], $code, $message);
}
/**
* Used when the data provided by the client cannot be validated on one or more fields.
*
* @param string|string[] $errors
*
* @return mixed
*/
public function failValidationErrors($errors, ?string $code = null, string $message = '')
{
return $this->fail($errors, $this->codes['invalid_data'], $code, $message);
}
/**
* Use when trying to create a new resource and it already exists.
*
* @return mixed
*/
public function failResourceExists(string $description = 'Conflict', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['resource_exists'], $code, $message);
}
/**
* Use when a resource was previously deleted. This is different than
* Not Found, because here we know the data previously existed, but is now gone,
* where Not Found means we simply cannot find any information about it.
*
* @return mixed
*/
public function failResourceGone(string $description = 'Gone', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['resource_gone'], $code, $message);
}
/**
* Used when the user has made too many requests for the resource recently.
*
* @return mixed
*/
public function failTooManyRequests(string $description = 'Too Many Requests', ?string $code = null, string $message = '')
{
return $this->fail($description, $this->codes['too_many_requests'], $code, $message);
}
/**
* Used when there is a server error.
*
* @param string $description The error message to show the user.
* @param string|null $code A custom, API-specific, error code.
* @param string $message A custom "reason" message to return.
*
* @return Response The value of the Response's send() method.
*/
public function failServerError(string $description = 'Internal Server Error', ?string $code = null, string $message = ''): Response
{
return $this->fail($description, $this->codes['server_error'], $code, $message);
}
//--------------------------------------------------------------------
// Utility Methods
//--------------------------------------------------------------------
/**
* Handles formatting a response. Currently makes some heavy assumptions
* and needs updating! :)
*
* @param array|string|null $data
*
* @return string|null
*/
protected function format($data = null)
{
// If the data is a string, there's not much we can do to it...
if (is_string($data)) {
// The content type should be text/... and not application/...
$contentType = $this->response->getHeaderLine('Content-Type');
$contentType = str_replace('application/json', 'text/html', $contentType);
$contentType = str_replace('application/', 'text/', $contentType);
$this->response->setContentType($contentType);
$this->format = 'html';
return $data;
}
$format = Services::format();
$mime = "application/{$this->format}";
// Determine correct response type through content negotiation if not explicitly declared
if (empty($this->format) || ! in_array($this->format, ['json', 'xml'], true)) {
$mime = $this->request->negotiate('media', $format->getConfig()->supportedResponseFormats, false);
}
$this->response->setContentType($mime);
// if we don't have a formatter, make one
if (! isset($this->formatter)) {
// if no formatter, use the default
$this->formatter = $format->getFormatter($mime);
}
if ($mime !== 'application/json') {
// Recursively convert objects into associative arrays
// Conversion not required for JSONFormatter
$data = json_decode(json_encode($data), true);
}
return $this->formatter->format($data);
}
/**
* Sets the format the response should be in.
*
* @return $this
*/
public function setResponseFormat(?string $format = null)
{
$this->format = strtolower($format);
return $this;
}
}
API作成のための、レスポンスを返すメソッドのトレイトです。
CodeIgniter\API\ResponseTrait はコントローラで use して使うこともできますし、
ResourceController でも使われています。
何が問題だったのでしょうか?
多くのメソッドが public になっています。それが問題でした。
問題の詳細
試しに、app/Controllers/Home.php で use してみましょう。
<?php
namespace App\Controllers;
use CodeIgniter\API\ResponseTrait;
class Home extends BaseController
{
use ResponseTrait;
public function index()
{
return view('welcome_message');
}
}
はい、これで完了です。
v4.1.7 だと spark routes コマンドが古くてわからないのですが、最新の v4.2.10 にアップデートして、
上記の脆弱性のあった CodeIgniter\API\ResponseTrait を上書きするとすぐにわかります。
$ php spark routes
CodeIgniter v4.2.10 Command Line Tool - Server Time: 2022-12-16 22:21:40 UTC-06:00
+--------+---------------------------------+---------------------------------------------+----------------+----------+--------+---------------------------------+---------------------------------------------+----------------+---------------+
| Method | Route | Handler | Before Filters | After Filters |
+--------+---------------------------------+---------------------------------------------+----------------+---------------+
| GET | / | \App\Controllers\Home::index | | toolbar |
| CLI | ci(.*) | \CodeIgniter\CLI\CommandRunner::index/$1 | | |
| auto | / | \App\Controllers\Home::index | | toolbar |
| auto | home | \App\Controllers\Home::index | | toolbar |
| auto | home/index[/...] | \App\Controllers\Home::index | | toolbar |
| auto | home/respond[/...] | \App\Controllers\Home::respond | | toolbar |
| auto | home/fail[/...] | \App\Controllers\Home::fail | | toolbar |
| auto | home/respondCreated[/...] | \App\Controllers\Home::respondCreated | | toolbar |
| auto | home/respondDeleted[/...] | \App\Controllers\Home::respondDeleted | | toolbar |
| auto | home/respondUpdated[/...] | \App\Controllers\Home::respondUpdated | | toolbar |
| auto | home/respondNoContent[/...] | \App\Controllers\Home::respondNoContent | | toolbar |
| auto | home/failUnauthorized[/...] | \App\Controllers\Home::failUnauthorized | | toolbar |
| auto | home/failForbidden[/...] | \App\Controllers\Home::failForbidden | | toolbar |
| auto | home/failNotFound[/...] | \App\Controllers\Home::failNotFound | | toolbar |
| auto | home/failValidationError[/...] | \App\Controllers\Home::failValidationError | | toolbar |
| auto | home/failValidationErrors[/...] | \App\Controllers\Home::failValidationErrors | | toolbar |
| auto | home/failResourceExists[/...] | \App\Controllers\Home::failResourceExists | | toolbar |
| auto | home/failResourceGone[/...] | \App\Controllers\Home::failResourceGone | | toolbar |
| auto | home/failTooManyRequests[/...] | \App\Controllers\Home::failTooManyRequests | | toolbar |
| auto | home/failServerError[/...] | \App\Controllers\Home::failServerError | | toolbar |
| auto | home/setResponseFormat[/...] | \App\Controllers\Home::setResponseFormat | | toolbar |
+--------+---------------------------------+---------------------------------------------+----------------+---------------+
トレイトにあるメソッドが public なので、自動ルーティング(レガシー)でアクセスできてしまいます。
【注】実際に v4.1.7 をインストールしてアップデートすると App 名前空間が Composer と CodeIgniter4 の設定ファイルで二重に設定されているため、ルートが二重に表示されます。
Composerの設定を削除して、composer update すれば上記のように表示されます。
--- a/composer.json
+++ b/composer.json
@@ -18,8 +18,6 @@
},
"autoload": {
"psr-4": {
- "App\\": "app",
- "Config\\": "app/Config"
},
"exclude-from-classmap": [
"**/Database/Migrations/**"
脆弱性の修正
実際の修正は、問題のあった public が protected に変更されています。
なぜこの脆弱性が発生したのか?
メソッドの可視性を誤って public にしていたため、自動ルーティング(レガシー)でそのメソッドが外部から実行可能だったからです。
外部からアクセスする必要のないメソッドに public を指定したことが原因です。
このように、ある機能(またはバグ)と別の機能(またはバグ)を組み合わせることで攻撃可能になることがよくあります。
自分が攻撃経路を思いつかなくても、攻撃方法が本当にないかどうかはわかりません。 ですから、一つ一つの機能をより安全に実装すべきです。
まとめ
- 外部からアクセスする必要のないメソッドは必ず
protectedかprivateを指定しましょう。 - 自動ルーティング(レガシー)はオフにしましょう。
- 不要なメソッドが公開されていないかルーティング設定を確認しましょう。
この記事は CodeIgniter Advent Calendar 2022 - Qiita の16日目です。まだ、空きがありますので、興味のある方は気軽に参加してください。
関連
- CodeIgniter 4.1.5 までのオブジェクトインジェクション脆弱性
- SameSite攻撃者がCodeIgniter4とShieldでのCSRF保護を回避できる脆弱性の解説
- 浅いモデリングによる脆弱性、あるいはCodeIgniter4の自動ルーティングは何が問題だったのか?
参考
Date: 2022/12/16
![徹底攻略PHP5技術者認定[上級]試験問題集 [PJ0-200]対応](http://tatsu-zine.com/images/books/164/cover_s.jpg "徹底攻略PHP5技術者認定[上級]試験問題集 [PJ0-200]対応")
