I created a simple dashboard and put in a text field (token: field1) and
a panel that shows the result of a search query.
<form>
  <fieldset submitButton="false">
    <input type="text" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=main "$field1$"</query>
        </search>
      </event>
    </panel>
  </row>
</form>
If a user enters the following keyword in the field
" OR index=_internal earliest=-365d@d sourcetype="*
(it should start with an orphaned double quote and end with an asterisk),
the dashboard displays results from the _internal log.
Does anyone have an idea how to prevent SPL injections?
@takaakinakajima, Splunk provides token filters to allow you to escape certain characters based on the use case.
In your case you can take the double quotes out of your query while consuming the token and place $<YourTokenName>|s$
there instead. Try the following code:
<query>index=main $field1|s$</query>
Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Tokens#Token_filters
Wrap value in quotes
$token_name|s$ Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
HTML format
$token_name|h$ Ensures that the token value is valid for HTML formatting.
Token values for the <HTML> element use this filter by default.
URL format
$token_name|u$ Ensures that the token value is valid to use as a URL.
Token values for the <link> element use this filter by default.
Specify no character escaping
$token_name|n$ Prevents the default token filter from running. No characters in the token are escaped.
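To see why the |s filter defeats the payload from the question, here is an added example (not Splunk code and not from this thread) that models the $token$ and $token|s$ substitutions in Python and then counts which index= selectors end up outside double-quoted strings, i.e. the ones the SPL parser would treat as clauses. The escaping rule for quotes follows the documentation text above; escaping backslashes as well is an assumption.

```python
import re

# Constructed sample: the payload from the question, typed into the field1 text box.
INJECTED = '" OR index=_internal earliest=-365d@d sourcetype="*'

def s_filter(value: str) -> str:
    """Model of the $token|s$ filter: wrap the value in quotes and escape the
    quotes inside it. Escaping backslashes too is an assumption (not in the doc
    text above) so that a trailing backslash cannot neutralise the closing quote."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

TOKEN_RE = re.compile(r"\$(\w+)(?:\|([snhu]))?\$")

def render(template: str, tokens: dict) -> str:
    """Substitute $name$ / $name|s$ tokens into a Simple XML <query> string.
    Only the |s filter is modelled; anything else is substituted raw."""
    def sub(m: re.Match) -> str:
        value = tokens[m.group(1)]
        return s_filter(value) if m.group(2) == "s" else value
    return TOKEN_RE.sub(sub, template)

def unquoted_index_clauses(spl: str) -> list:
    """Return the index=... selectors that sit outside double-quoted strings
    (backslash escapes respected). A value-only search leaves exactly one."""
    out, i, in_str = [], 0, False
    while i < len(spl):
        c = spl[i]
        if in_str:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif spl.startswith("index=", i):
            j = i
            while j < len(spl) and not spl[j].isspace():
                j += 1
            out.append(spl[i:j])
            i = j
            continue
        i += 1
    return out

if __name__ == "__main__":
    for tmpl in ('index=main "$field1$"', "index=main $field1|s$"):
        spl = render(tmpl, {"field1": INJECTED})
        print(f"{tmpl!r:32} -> {unquoted_index_clauses(spl)}")
```

The raw template yields two live selectors (index=main and the injected index=_internal); the |s template yields only index=main, because the whole payload is now one quoted literal.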
I would leave it just the way that it is and do this:
<query>index=main | search "$field1$"</query>
Thank you @woodcook.
It can prevent the sample injection above.
However, essentially I think escaping (such as a token filter)
is effective at preventing any injection.
Hi @niketnilay,
Thank you for your elegant suggestion. That's just the thing!!
I have missed the Docs page.
It helps view designers develop injection-free dashboards.
(Also, data admins must manage roles to control access to the data.)
Takaaki
@takaakinakajima, glad it worked! Yes, security can be implemented at so many levels. You can also check out view-related options like hideSplunkBar="true", hideEdit="true", etc.
Also wanted to add that if you are willing to code more you can have your own custom validations for Tokens using Splunk JS Stack. You can opt for Simple XML JS Extension to achieve this. Refer to some additional documentation: http://dev.splunk.com/view/SP-CAAAEW4
Hi takaakinakajima,
access to indexes is managed by the access role assigned to the user:
assign your users specific roles that don't have access to _internal or (better) only to the indexes required for this work.
Bye.
Giuseppe
Thank you Giuseppe,
basically, I agree with you.
Administrators should manage roles to limit users' access to indexes.
However, I want to discuss how to prevent SPL injections in the input validation layer.
Takaaki
If a user is allowed to access an index and can use search, you cannot block these searches.
You could try adding index!=_* to your code,
but if the user can open the search dashboard from this panel, he can delete this condition!
Bye.
Giuseppe