<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to prevent injection from field in a dashboard? in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321595#M96069</link>
    <description>&lt;P&gt;If a user is enabled to access an index and can use search, you cannot block these searches.&lt;/P&gt;

&lt;P&gt;You could try to add to your code &lt;CODE&gt;index!=_*&lt;/CODE&gt; but if the user can open the search dashboard from this panel, he can delete this condition!&lt;/P&gt;

&lt;P&gt;Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
    <pubDate>Fri, 08 Sep 2017 09:41:39 GMT</pubDate>
    <dc:creator>gcusello</dc:creator>
    <dc:date>2017-09-08T09:41:39Z</dc:date>
    <item>
      <title>How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321592#M96066</link>
      <description>&lt;P&gt;I created a simple dashboard and put a text field (token: field1) and&lt;BR /&gt;
a panel which shows the result of the search query.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;form&amp;gt;
  &amp;lt;fieldset submitButton="false"&amp;gt;
    &amp;lt;input type="text" token="field1" searchWhenChanged="true"&amp;gt;
      &amp;lt;label&amp;gt;field1&amp;lt;/label&amp;gt;
      &amp;lt;default&amp;gt;*&amp;lt;/default&amp;gt;
    &amp;lt;/input&amp;gt;
  &amp;lt;/fieldset&amp;gt;

  &amp;lt;row&amp;gt;
    &amp;lt;panel&amp;gt;
      &amp;lt;event&amp;gt;
        &amp;lt;search&amp;gt;
          &amp;lt;query&amp;gt;index=main "$field1$"&amp;lt;/query&amp;gt;
        &amp;lt;/search&amp;gt;
      &amp;lt;/event&amp;gt;
    &amp;lt;/panel&amp;gt;
  &amp;lt;/row&amp;gt;
&amp;lt;/form&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If a user inputs the following keyword in the field&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;" OR index=_internal earliest=-365d@d sourcetype="*
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;(it should start with an orphaned double quote and end with an asterisk),&lt;BR /&gt;
the dashboard displayed the result from the _internal log.&lt;/P&gt;

&lt;P&gt;Does anyone have any idea how to prevent SPL injections?&lt;/P&gt;</description>
      <pubDate>Fri, 08 Sep 2017 09:03:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321592#M96066</guid>
      <dc:creator>takaakinakajima</dc:creator>
      <dc:date>2017-09-08T09:03:25Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321593#M96067</link>
      <description>&lt;P&gt;Hi takaakinakajima,&lt;BR /&gt;
access to indexes is managed by the access role assigned to the user:&lt;BR /&gt;
assign your users specific roles that don't have access to _internal or (better) that have access only to the indexes mandatory for this work.&lt;BR /&gt;
Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 08 Sep 2017 09:22:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321593#M96067</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2017-09-08T09:22:37Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321594#M96068</link>
      <description>&lt;P&gt;Thank you Giuseppe,&lt;BR /&gt;
basically, I agree with you.&lt;BR /&gt;
Administrators should manage roles to limit access to indexes for users.&lt;/P&gt;

&lt;P&gt;However, I want to discuss how to prevent SPL injections in the input validation layer.&lt;/P&gt;

&lt;P&gt;Takaaki&lt;/P&gt;</description>
      <pubDate>Fri, 08 Sep 2017 09:37:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321594#M96068</guid>
      <dc:creator>takaakinakajima</dc:creator>
      <dc:date>2017-09-08T09:37:02Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321595#M96069</link>
      <description>&lt;P&gt;If a user is enabled to access an index and can use search, you cannot block these searches.&lt;/P&gt;

&lt;P&gt;You could try to add to your code &lt;CODE&gt;index!=_*&lt;/CODE&gt; but if the user can open the search dashboard from this panel, he can delete this condition!&lt;/P&gt;

&lt;P&gt;Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 08 Sep 2017 09:41:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321595#M96069</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2017-09-08T09:41:39Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321596#M96070</link>
      <description>&lt;P&gt;@takaakinakajima, Splunk provides token filters to allow you to escape certain characters based on the use case.&lt;/P&gt;

&lt;P&gt;In your case you can take out the double quotes from your query while consuming the token and place &lt;CODE&gt;$&amp;lt;YourTokenName&amp;gt;|s$&lt;/CODE&gt; instead. Try the following code:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; &amp;lt;query&amp;gt;index=main $field1|s$&amp;lt;/query&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Refer to documentation for details: &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Viz/Tokens#Token_filters"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Viz/Tokens#Token_filters&lt;/A&gt;&lt;BR /&gt;
&lt;STRONG&gt;Wrap value in quotes&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$token_name|s$  Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;STRONG&gt;HTML format&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$token_name|h$  Ensures that the token value is valid for HTML formatting.
Token values for the &amp;lt;HTML&amp;gt; element use this filter by default.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;STRONG&gt;URL format&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$token_name|u$  Ensures that the token value is valid to use as a URL.
Token values for the &amp;lt;link&amp;gt; element use this filter by default.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;STRONG&gt;Specify no character escaping&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$token_name|n$  Prevents the default token filter from running. No characters in the token are escaped.
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 08 Sep 2017 10:23:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321596#M96070</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2017-09-08T10:23:46Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321597#M96071</link>
      <description>&lt;P&gt;Hi @niketnilay,&lt;/P&gt;

&lt;P&gt;Thank you for your elegant suggestion. That's just the thing!!&lt;BR /&gt;
I have missed the Docs page.&lt;/P&gt;

&lt;P&gt;It supports view designers in developing injection-free dashboards.&lt;BR /&gt;
(Also, data admins must manage roles to control access to the data.)&lt;/P&gt;

&lt;P&gt;Takaaki&lt;/P&gt;</description>
      <pubDate>Fri, 08 Sep 2017 11:53:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321597#M96071</guid>
      <dc:creator>takaakinakajima</dc:creator>
      <dc:date>2017-09-08T11:53:52Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321598#M96072</link>
      <description>&lt;P&gt;@takaakinakajima, Glad it worked! Yes, security can be implemented at so many levels. You can also check out view-related options like hideSplunkBar="true", hideEdit="true", etc.&lt;/P&gt;

&lt;P&gt;Also wanted to add that if you are willing to code more you can have your own custom validations for Tokens using Splunk JS Stack. You can opt for Simple XML JS Extension to achieve this. Refer to some additional documentation: &lt;A href="http://dev.splunk.com/view/SP-CAAAEW4"&gt;http://dev.splunk.com/view/SP-CAAAEW4&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 08 Sep 2017 12:40:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321598#M96072</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2017-09-08T12:40:42Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321599#M96073</link>
      <description>&lt;P&gt;I would leave it just the way that it is and do this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;          &amp;lt;query&amp;gt;index=main | search "$field1$"&amp;lt;/query&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sat, 09 Sep 2017 22:38:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321599#M96073</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2017-09-09T22:38:10Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent injection from field in a dashboard?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321600#M96074</link>
      <description>&lt;P&gt;Thank you @woodcock&lt;/P&gt;

&lt;P&gt;It can prevent the sample injection above.&lt;BR /&gt;
However, in essence, I think escaping (such as a token filter)&lt;BR /&gt;
is effective to prevent any injection.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Sep 2017 09:04:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-injection-from-field-in-a-dashboard/m-p/321600#M96074</guid>
      <dc:creator>takaakinakajima</dc:creator>
      <dc:date>2017-09-12T09:04:34Z</dc:date>
    </item>
  </channel>
</rss>

