Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to prevent injection from field in a dashboard?

takaakinakajima
Path Finder
‎09-08-2017 02:03 AM

I create a simple dashboard and put a text field (token: field1) and
a panel with shows result search query.

<form>
  <fieldset submitButton="false">
    <input type="text" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <event>
        <search>
          <query>index=main "$field1$"</query>
        </search>
      </event>
    </panel>
  </row>
</form>

If user input the following keyword in the field

" OR index=_internal earliest=-365d@d sourcetype="*

(it should start with an orphaned double quote and end with an asterisk),
the dashboard displayed the result from _internal log.

Does someone have any idea to prevent SPL injections?

Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎09-08-2017 03:23 AM

@takaakinakajima, Splunk provides Token filters to allow you to escape certain character based on used case

In your case you can take out double quotes from your query while consuming the token and place $<YourTokenName>|s$instead. Try the following code:

 <query>index=main $field1|s$</query>

Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Tokens#Token_filters
Wrap value in quotes

$token_name|s$  Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.

HTML format

$token_name|h$  Ensures that the token value is valid for HTML formatting.
Token values for the <HTML> element use this filter by default.

URL format

$token_name|u$  Ensures that the token value is valid to use as a URL.
Token values for the <link> element use this filter by default.

Specify no character escaping

$token_name|n$  Prevents the default token filter from running. No characters in the token are escaped.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-09-2017 03:38 PM

I would leave it just the way that it is and do this:

          <query>index=main | search "$field1$"</query>
0 Karma
Reply
Solved! Jump to solution

takaakinakajima
Path Finder
‎09-12-2017 02:04 AM

Thank you @woodcook

It can prevent the sample injection, above.
However in essential, I think escaping (such as token filter)
is effective to prevent any injection.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎09-08-2017 03:23 AM

@takaakinakajima, Splunk provides Token filters to allow you to escape certain character based on used case

In your case you can take out double quotes from your query while consuming the token and place $<YourTokenName>|s$instead. Try the following code:

 <query>index=main $field1|s$</query>

Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Tokens#Token_filters
Wrap value in quotes

$token_name|s$  Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.

HTML format

$token_name|h$  Ensures that the token value is valid for HTML formatting.
Token values for the <HTML> element use this filter by default.

URL format

$token_name|u$  Ensures that the token value is valid to use as a URL.
Token values for the <link> element use this filter by default.

Specify no character escaping

$token_name|n$  Prevents the default token filter from running. No characters in the token are escaped.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

takaakinakajima
Path Finder
‎09-08-2017 04:53 AM

Hi @niketnilay,

Thank you for your elegant suggestion. That's just the thing!!
I have missed the Docs page.

It supports View designers to develop injection free dashboards.
(Also, data admins must manage roles to control access to the data.)

Takaaki

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎09-08-2017 05:40 AM

@takaakinakajima, Glad it worked! Yes security can be implemented at so many levels. You can also check out view related options like hideSplunkBar="true", hideEdit="true" etc.

Also wanted to add that if you are willing to code more you can have your own custom validations for Tokens using Splunk JS Stack. You can opt for Simple XML JS Extension to achieve this. Refer to some additional documentation: http://dev.splunk.com/view/SP-CAAAEW4

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-08-2017 02:22 AM

Hi takaakinakajima,
access to indexes is managed by access role assigned to the user:
assign to your users specific roles that haven't access to _internal or (better) to only to the indexes mandatory for this work.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

takaakinakajima
Path Finder
‎09-08-2017 02:37 AM

Thank you Giuseppe,
basically, I agree with you.
Administrators should manage roles to limit access to indexes for users.

However, I want to discuss about how to prevent SPL-injections in input validation layer.

Takaaki

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-08-2017 02:41 AM

If a user is enabled to access an index and can use search, you cannot block this searches.

You could try to add to your code index!=_* but if user can open search dashboard from this panel, he can delete this condition!

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...