Splunk Search

How to prevent injection from field in a dashboard?

takaakinakajima
Path Finder

I created a simple dashboard and put in a text field (token: field1) and
a panel that shows the result of a search query.

<form>
  <fieldset submitButton="false">
    <input type="text" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <event>
        <search>
          <query>index=main "$field1$"</query>
        </search>
      </event>
    </panel>
  </row>
</form>

If a user inputs the following keyword in the field

" OR index=_internal earliest=-365d@d sourcetype="*

(it should start with an orphaned double quote and end with an asterisk),
the dashboard displays results from the _internal log.

Does anyone have an idea how to prevent SPL injections?

1 Solution

niketnilay
Legend

@takaakinakajima, Splunk provides Token filters to allow you to escape certain characters based on the use case.

In your case you can take the double quotes out of your query while consuming the token and place $<YourTokenName>|s$ instead. Try the following code:

 <query>index=main $field1|s$</query>

Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Tokens#Token_filters
Wrap value in quotes

$token_name|s$  Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.

HTML format

$token_name|h$  Ensures that the token value is valid for HTML formatting.
Token values for the <HTML> element use this filter by default.

URL format

$token_name|u$  Ensures that the token value is valid to use as a URL.
Token values for the <link> element use this filter by default.

Specify no character escaping

$token_name|n$  Prevents the default token filter from running. No characters in the token are escaped.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

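To see why the |s filter closes the hole, here is an added Python model of the two renderings (not Splunk's code). It assumes the filter escapes embedded quotes with a backslash, as the "escapes all quotation characters" wording describes; the payload is the one from the question, and the helper names are mine.

```python
import re

# Constructed sample: the orphaned-quote payload from the question.
PAYLOAD = '" OR index=_internal earliest=-365d@d sourcetype="*'


def filter_s(value: str) -> str:
    """Model of $token|s$ (assumption: quotes are escaped with a backslash)."""
    return '"' + value.replace('"', '\\"') + '"'


def render_unsafe(value: str) -> str:
    """What <query>index=main "$field1$"</query> expands to."""
    return f'index=main "{value}"'


def render_filtered(value: str) -> str:
    """What <query>index=main $field1|s$</query> expands to."""
    return f"index=main {filter_s(value)}"


def spl_string_literals(query: str) -> list:
    """Return the quoted string literals of a query, honouring backslash escapes."""
    literals, i, n = [], 0, len(query)
    while i < n:
        if query[i] == '"':
            j, buf = i + 1, []
            while j < n and query[j] != '"':
                if query[j] == "\\" and j + 1 < n:
                    buf.append(query[j + 1])
                    j += 2
                else:
                    buf.append(query[j])
                    j += 1
            literals.append("".join(buf))
            i = j + 1
        else:
            i += 1
    return literals


def references_other_index(query: str) -> bool:
    """True if an index= term for anything but main appears outside a literal."""
    outside = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    return bool(re.search(r'\bindex=(?!main\b)', outside))


if __name__ == "__main__":
    for render in (render_unsafe, render_filtered):
        q = render(PAYLOAD)
        print(q, "->", spl_string_literals(q), references_other_index(q))
```

With the filter, the whole payload survives as one string literal, so the OR clause and index=_internal never reach the parser as commands.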

woodcock
Esteemed Legend

I would leave it just the way that it is and do this:

<query>index=main | search "$field1$"</query>
0 Karma

takaakinakajima
Path Finder

Thank you @woodcock

It can prevent the sample injection above.
However, in essence, I think escaping (such as a token filter)
is effective at preventing any injection.

0 Karma

takaakinakajima
Path Finder

Hi @niketnilay,

Thank you for your elegant suggestion. That's just the thing!!
I have missed the Docs page.

It helps view designers develop injection-free dashboards.
(Also, data admins must manage roles to control access to the data.)

Takaaki

0 Karma

niketnilay
Legend

@takaakinakajima, glad it worked! Yes, security can be implemented at so many levels. You can also check out view-related options like hideSplunkBar="true", hideEdit="true", etc.

Also wanted to add that, if you are willing to code more, you can have your own custom validations for tokens using the Splunk JS Stack. You can opt for a Simple XML JS Extension to achieve this. Refer to some additional documentation: http://dev.splunk.com/view/SP-CAAAEW4

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcusello
Legend

Hi takaakinakajima,
access to indexes is managed by the access role assigned to the user:
assign your users specific roles that don't have access to _internal or (better) that have access only to the indexes needed for this work.
Bye.
Giuseppe

0 Karma

takaakinakajima
Path Finder

Thank you Giuseppe,
basically, I agree with you.
Administrators should manage roles to limit users' access to indexes.

However, I want to discuss how to prevent SPL injections in the input validation layer.

Takaaki

0 Karma

gcusello
Legend

If a user is allowed to access an index and can use search, you cannot block these searches.

You could try adding index!=_* to your code, but if the user can open the search dashboard from this panel, he can delete this condition!

Bye.
Giuseppe

0 Karma