Sideview Utils 3.3.5 issue with ConvertToDrilldownSearch ViewRedirector

pradeepkumarg
Influencer

After upgrading to Sideview Utils 3.3.5, we observed that the special characters in the HTML module inside ViewRedirector are encoded, breaking the rex statements. Example below.

Before
<pre>
rex "APPID_(?<CONSUMER>[A-Za-z0-9]*)APPID="
</pre>

Now
<pre>
rex "APPID_(?&lt;CONSUMER&gt;[A-Za-z0-9]*)APPID="
</pre>

Is this expected starting with 3.3.5, and does it need to be handled in the view? If not, is there a fix planned? We have many dashboards which are impacted by this.

0 Karma

sideview
SplunkTrust

(while we work this out via email I thought I'd post this answer)

The root cause here is a major change in 3.3.3, released April 6th 2015.

> Work to close a number of script injection holes. URLLoader will now HTML
> escape all arguments passed on the URL, and specific form element modules
> do some extra work to nonetheless correctly prepopulate their selections.

You can also see it in the release notes here:
http://sideviewapps.com/apps/sideview-utils/release-notes/

The dashboards having the problem here after the upgrade were taking a $foo$ token that had come from the page URL, via URLLoader, and were plugging that value into HTML and JavaScript that an HTML module was constructing on the page, and in such a way that the $foo$ token needed to be un-escaped HTML (specifically, the argument was going into an argument to a subsequent URL).

Unfortunately this use case is itself inherently a script-injection hole, i.e., it is easy to construct a URL to such a page that an attacker could use to make that page's link do something malicious.

The solution will be to ultimately rewrite the functionality a bit. The solution that I'd probably use would be to use a Link module instead of the HTML module to make the link on the page, and then attach a customBehavior to that Link module to retrieve the $foo$ token from the context and do the application logic onclick. However it's possible that a Link module and a Redirector (mod some ValueSetter modules) could also do the same job without any custom JS.

I'll probably update again after our private email thread gets to a full solution.

0 Karma
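
An added example, not part of the original answer and not Sideview Utils code, showing in plain JavaScript why a URL-derived value cannot go into markup raw, why HTML-escaping it breaks the search text, and how building the destination URL in a click handler avoids both. The function names, the `target_view` view name and the base URL are hypothetical; the sample token is the rex from the question.

```javascript
// Constructed sample: the search fragment from the question, as it would
// arrive in a URL-derived token such as $foo$.
const TOKEN = 'rex "APPID_(?<CONSUMER>[A-Za-z0-9]*)APPID="';

// HTML-escape a value for text or attribute context (the kind of escaping
// the 3.3.3 release note describes for arguments passed on the URL).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// BEFORE (unsafe): the raw token is concatenated into markup. The first
// double quote in the value ends the href attribute, so whatever follows
// is parsed by the browser as HTML rather than as part of the URL.
function linkUnsafe(view, token) {
  return '<a href="' + view + '?search=' + token + '">drill down</a>';
}

// Escaped token reused as search text: the markup is now safe, but the
// search carries &lt; and &gt;, which is the broken rex from the question.
function searchFromEscapedToken(token) {
  return escapeHtml(token);
}

// AFTER: the raw value never enters markup. A click handler builds the
// destination URL and encodes the value as a URL query argument.
function redirectUrl(view, token) {
  return view + '?' + new URLSearchParams({ search: token }).toString();
}

// What the destination view reads back from its own URL. The base URL is
// a constructed placeholder needed only to parse a relative link.
function searchFromUrl(url) {
  return new URL(url, 'http://splunk.invalid').searchParams.get('search');
}
```

The round trip through `redirectUrl` and `searchFromUrl` returns the rex unchanged, and the generated URL contains no quote or angle-bracket characters.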

pradeepkumarg
Influencer

Thanks so much Nick..

0 Karma