
Sideview Utils 3.3.5 issue with ConvertToDrilldownSearch ViewRedirector

pradeepkumarg
Influencer

After upgrading to sideview utils 3.3.5, we observed that the special characters in the html module inside ViewRedirector are encoded, breaking the rex statements. Example below.

Before
<pre>
rex "APPID_(?<CONSUMER>[A-Za-z0-9]*)APPID="
</pre>

Now
<pre>
rex "APPID_(?& lt;CONSUMER& gt;[A-Za-z0-9]*)APPID="
</pre>

Is this expected starting 3.3.5 and needs to be handled in the view? If not, is there a fix in plan? We have many dashboards which are impacted by this.


sideview
SplunkTrust

(while we work this out via email I thought I'd post this answer)

The root cause here is a major change in 3.3.3, released April 6th 2015.

> Work to close a number of script injection holes. URLLoader will now HTML
> escape all arguments passed on the URL, and specific form element modules
> do some extra work to nonetheless correctly prepopulate their selections.

You can also see it in the release notes here:
http://sideviewapps.com/apps/sideview-utils/release-notes/

The dashboards having the problem here after the upgrade were taking a $foo$ token that had come from the page URL, via URLLoader, and were plugging that value into HTML and Javascript that an HTML module was constructing on the page. And in such a way that the $foo$ token needed to be un-escaped HTML (specifically the argument was going into an argument to a subsequent URL).

Unfortunately this use case is itself inherently a script-injection hole, i.e. it is easy to construct a URL to such a page that an attacker could use to make that page's link do something malicious.

The solution will be to ultimately rewrite the functionality a bit. The solution that I'd probably use would be to use a Link module instead of the HTML module to make the link on the page, and then attach a customBehavior to that Link module to retrieve the $foo$ token from the context and do the application logic onclick. However it's possible that a Link module and a Redirector (mod some ValueSetter modules) could also do the same job without any custom JS.

I'll probably update again after our private email thread gets to a full solution.

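The context mismatch described in the answer above, as an added example (this is not Sideview Utils code; `htmlEscape`, `buildSearchLink`, `tokenFromLink` and the `splunk.example` URL are assumed names): HTML-escaping the URL token is what turns `?<CONSUMER>` into `?&lt;CONSUMER&gt;`, while pasting the raw token into an `href` lets it break out of the attribute. Encoding the token for the URL context and the whole `href` for the attribute context keeps the rex intact end to end.

```javascript
// Constructed sample: the rex clause from the question, as carried in a URL token.
const REX_TOKEN = 'rex "APPID_(?<CONSUMER>[A-Za-z0-9]*)APPID="';

// Attribute-style HTML escaping; assumed to approximate what URLLoader now does
// to every URL argument (the exact character set Sideview escapes is not stated).
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
function htmlUnescape(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">")
          .replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// The pattern that broke: the HTML-escaped token is used as if it were the rex.
function naiveSearchString(token) {
  return htmlEscape(token); // contains ?&lt;CONSUMER&gt; and is no longer valid SPL
}

// The injection hole: the raw token is concatenated into an href. Any double
// quote in the token (the rex has two) terminates the attribute early.
function naiveLink(token) {
  return `<a href="/app/search/flashtimeline?q=${token}">run search</a>`;
}

// Safer pattern: URL-encode the token into the query string, then HTML-escape
// the complete href because it lives inside an attribute. The browser undoes
// the HTML layer and the URL parser undoes the percent layer, so the value
// cannot escape the attribute and arrives unchanged on the target page.
function buildSearchLink(baseUrl, token) {
  const url = new URL(baseUrl);
  url.searchParams.set("q", token); // percent-encodes < > " ( ) [ ] = ? and spaces
  return `<a href="${htmlEscape(url.toString())}">run search</a>`;
}

// Recover the token as the receiving page would: read href, unescape, parse q.
function tokenFromLink(html) {
  const m = /href="([^"]*)"/.exec(html);
  return m ? new URL(htmlUnescape(m[1])).searchParams.get("q") : null;
}

// Number of double quotes in a rendered link; a well-formed <a> with one
// attribute has exactly two, extra ones mean the token broke out of href.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}
```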

pradeepkumarg
Influencer

Thanks so much Nick.
