oss-sec mailing list archives
CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed
From: Zexuan Luo <spacewander () apache org>
Date: Mon, 28 Mar 2022 11:16:43 +0800
Severity: low

Description:

When decoding JSON with duplicate keys, lua-cjson takes the last occurrence of the key as the result. By sending a JSON body with a duplicate key, an attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input: the plugin validates "good", while an upstream parser that keeps the first occurrence sees "bad".

Systems that satisfy all three conditions below are affected by this attack:

1. use body_schema validation in the request-validation plugin
2. upstream application uses a JSON library that chooses the first occurrence of a duplicate key, like jsoniter or gojay
3. upstream application does not validate the input itself

The fix in APISIX is to re-encode the validated JSON input back into the request body on the APISIX side, so the upstream receives exactly the document that was checked.

Mitigation:

1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin
2. add additional validation in the application code, embrace defensive programming

Credit: Thanks to Guangli Dong from https://www.huoxian.cn/
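The parser differential described above, modelled in Python as an added example (this is not APISIX or lua-cjson code): a last-wins decoder stands in for the gateway, a first-wins decoder for a jsoniter/gojay upstream, and the `schema_allows` check and the `string_payload` field are assumed stand-ins for a body_schema rule. The `reencode` flag reproduces the 2.13.0 fix, and `decode_strict` shows the defensive alternative of rejecting duplicate keys outright.

```python
import json
from typing import Any, Optional


def decode_last_wins(body: str) -> Any:
    # Models lua-cjson: the last occurrence of a duplicate key wins.
    # Python's json module has the same default, so no hook is needed.
    return json.loads(body)


def decode_first_wins(body: str) -> Any:
    # Models an upstream library such as jsoniter or gojay, where the
    # first occurrence of a duplicate key wins.
    def first_wins(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(body, object_pairs_hook=first_wins)


def decode_strict(body: str) -> Any:
    # Defensive variant: refuse any object that repeats a key.
    def reject_dupes(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise ValueError(f"duplicate JSON key: {key!r}")
            out[key] = value
        return out
    return json.loads(body, object_pairs_hook=reject_dupes)


def schema_allows(doc: Any) -> bool:
    # Stand-in for a body_schema rule (hypothetical): "bad" is rejected.
    return isinstance(doc, dict) and doc.get("string_payload") != "bad"


def gateway_forward(body: str, reencode: bool) -> Optional[str]:
    # Models the gateway. Returns the body sent upstream, or None when
    # validation rejects it. With reencode=True (the APISIX 2.13.0 fix) the
    # validated object is serialised again, which collapses duplicate keys.
    doc = decode_last_wins(body)
    if not schema_allows(doc):
        return None
    return json.dumps(doc) if reencode else body


def upstream_view(body: str) -> Any:
    # What a first-wins upstream actually acts on.
    return decode_first_wins(body)["string_payload"]


# Constructed request body with a duplicate key, as in the advisory.
BODY = '{"string_payload":"bad","string_payload":"good"}'
```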