HomeSoftwareXSS Vulnerability Found in Backstage Software program Catalog
XSS Vulnerability Found in Backstage Software program Catalog
March 3, 2023
Backstage, the open supply inner developer portal created by Spotify, has been adopted by American Airways, Constancy Investments, Netflix, VMware and different enterprises. Nevertheless, it’s traveled a rocky highway in latest months.
In mid-February, a cross-site scripting (XSS) vulnerability was discovered within the Backstage Software program Catalog, which may enable an attacker to inject malicious code into the applying. The vulnerability is brought on by inadequate enter validation of user-supplied information, particularly within the search performance of the catalog.
Although the brand new vulnerability isn’t as critical because the one found in November, which racked up a Common Vulnerability Scoring System (CVSS) rating of 10 out of 10, it nonetheless has a reasonable severity degree with a rating of 6.8, in response to CVSS base metrics.
The brand new vulnerability’s metrics point out that it wouldn’t take many assets or experience to launch an assault. The assault vector is by way of the community, which means the attacker will be distant and doesn’t want bodily entry to the system. An attacker additionally wouldn’t want high-level entry privileges to take advantage of the vulnerability.
XSS is often used to steal cookies and take management of consumer periods. Nevertheless, it will also be used to show delicate data, acquire entry to privileged providers and performance, and unfold malware, in response to the Open Worldwide Web Application Security Project (OWASP) HttpOnly supply.
The affected variations of the package deal are:
@backstage/catalog-model (npm) < 1.1.5
@backstage/core-components (npm) < 0.12.3
@backstage/plugin-catalog-backend (npm) < 1.7.1
To handle this vulnerability, customers of Backstage who’re utilizing an affected model of the package deal ought to improve to the patched variations:
@backstage/catalog-model (npm) 1.2.0
@backstage/core-components (npm) 0.12.4
@backstage/plugin-catalog-backend (npm) 1.7.2
Core Performance of Affected Packages
In keeping with the CVSS base metrics, the scope of the vulnerability on the three affected packages has modified, indicating that it could possibly have an effect on a element past its supposed scope. On this case, it may have an effect on the confidentiality of the system, because the attacker might acquire entry to delicate data. The integrity and availability of the system should not affected by this vulnerability.
Let’s take a better take a look at the core features of the affected packages to higher perceive the size of a possible assault.
Backstage Catalog Mannequin
The documentation for the catalog-model package offers data on the interfaces and validators/insurance policies that outline the info mannequin for the Backstage Software program Catalog. These interfaces and validators allow constant and standardized illustration of software program parts throughout the catalog.
The documentation covers the varied interfaces outlined within the package deal, together with:
Element: Represents a software program element within the catalog, corresponding to a service, API or library. This interface consists of metadata corresponding to title, description, proprietor and model, in addition to relationships to different parts.
Entity: Represents a higher-level entity within the catalog, corresponding to a company or staff. This interface consists of metadata corresponding to title, description and proprietor, in addition to relationships to parts and different entities.
Location: Represents the placement of a element’s supply code, corresponding to a git repository or a file system listing.
The documentation additionally covers the varied validators offered by the package deal, which can be utilized to make sure that information conforms to the outlined interfaces.
Through the use of the interfaces and validators offered by the catalog-model package deal, builders can be certain that their software program parts are represented constantly and precisely throughout the Backstage Software program Catalog.
For groups that use Backstage, this results in higher group, discovery and reuse of software program parts. Moreover, the package deal will be personalized to incorporate metadata and relationships which can be particular to a company’s distinctive wants.
When used together with different Backstage packages, corresponding to @backstage/backend-plugin-api and @backstage/catalog-client, the catalog-model package deal offers the flexibility to entry and handle software program catalog information. This mixture of packages makes it doable to create a centralized software program catalog that builders and groups all through a company can use.
Backstage Core Elements
The core-components package deal is a group of reusable React parts for constructing developer portals utilizing the Backstage platform. These parts present a set of UI primitives that can be utilized to create a constant and cohesive consumer interface on your developer portal.
Among the parts included within the package deal are:
AlertDisplay: The alert API is used to report alerts to the app and show them to the consumer.
CopyTextButton: Permits the consumer to repeat textual content to their clipboard.
InfoCard: Shows data in a card format.
Progress: Shows a progress bar.
Desk: Shows information in a desk format.
The core-components package deal is designed to work seamlessly with different Backstage packages, corresponding to @backstage/core-app-api and @backstage/core-plugin-api. These packages present further performance for constructing developer portals, corresponding to app integration and plugin assist.
Utilizing the core-components package deal can save effort and time when constructing a developer portal utilizing the Backstage platform, because it offers pre-built parts which can be particularly designed for the platform.
Backstage Catalog Backend Plugin
The plugin-catalog-backend-module package deal is a plugin for the Backstage platform that gives backend performance for the software program catalog. It’s designed for use with different Backstage plugins, corresponding to @backstage/plugin-catalog, @backstage/plugin-catalog-node and @backstage/catalog-client, to allow a completely featured software program catalog expertise for builders.
The package deal comes with a built-in database-backed implementation of the catalog, which may retailer and serve catalog information. It could additionally act as a bridge to present catalog options, permitting builders to ingest information into the database or proxy calls to an exterior catalog service.
The plugin-catalog-backend-module package deal is designed to be extensible, permitting builders so as to add customized performance to the software program catalog. For instance, builders can outline customized metadata fields for parts or add integrations with exterior instruments for managing software program parts.
The package deal is constructed on prime of the @backstage/catalog-model package deal, which offers a standardized information mannequin for representing software program parts. This allows constant and standardized administration of parts throughout a company.
Like different Backstage packages, the plugin-catalog-backend-module package deal is open supply.
Extension Modules to the Catalog Backend Plugin
At present, 12 packages depend upon the plugin-catalog-backend-module. Beneath, we spotlight three of them. For a full record of packages, search @backstage/plugin-catalog-backend-module at NuGet Package Manager.
AWS Extension Module
The plugin-catalog-backend-module-aws package deal is a Catalog Backend Module for Amazon Web Services (AWS). It’s an extension module to the plugin-catalog-backend plugin, which offers an AwsOrganizationCloudAccountProcessor that can be utilized to ingest cloud accounts as Useful resource type entities.
This module permits customers to simply add AWS accounts to their Backstage occasion, making it doable to view and handle them alongside different assets within the catalog. The AwsOrganizationCloudAccountProcessor can be utilized to scan an AWS group for accounts and mechanically create useful resource entities for them.
Through the use of this module, customers can acquire higher visibility and administration capabilities for his or her AWS accounts inside their Backstage occasion, resulting in elevated effectivity and higher useful resource utilization.
GitLab Extension Module
The plugin-catalog-backend-module-gitlab package deal offers a GitLab discovery module for the Backstage Software program Catalog. The GitLab integration features a particular entity supplier that enables customers to find catalog entities from GitLab.
The entity supplier will crawl the GitLab occasion and register entities that match the configured paths. This generally is a helpful different to manually including issues to the catalog or utilizing static places. The GitLab discovery module simplifies the method of integrating GitLab repositories into the Backstage Software program Catalog.
OpenAPI Extension Module
The plugin-catalog-backend-module-openapi is a catalog backend module that provides an extension to the catalog backend, particularly designed to resolve $refs in YAML paperwork.
This module offers customers with the flexibility to interrupt down their YAML paperwork into a number of information and reference them. Throughout processing, the information are bundled utilizing an UrlReader and saved as a single specification.
This performance is especially helpful for OpenAPI and AsyncAPI specs, the place customers usually work with complicated and huge information that have to be damaged down into smaller, extra manageable information.
With the plugin-catalog-backend-module-openapi, customers can simply handle these information and reference them with out the necessity to merge or concatenate them manually.
Greatest Practices to Stop XSS Vulnerabilities
Stopping XSS assaults is essential for making certain the safety of internet functions. Here are some best practices, derived partially from OWASP steering, that may assist forestall XSS vulnerabilities:
Enter validation: Validate all consumer enter and filter or escape all information earlier than displaying it again to the consumer. Be certain that no untrusted information is executed as code within the browser.
Encoding: Encode particular characters corresponding to &, <, >, /, and areas to their respective HTML or URL encoded equivalents.
Content material safety coverage (CSP): Use and implement a CSP to limit the forms of content material that may be loaded on a web page. This could forestall attackers from executing malicious scripts or injecting malicious code right into a web page.
Disable client-side scripts: Permit customers to disable client-side scripts, which will help forestall malicious scripts from executing of their browsers.
Invalid request dealing with: Redirect invalid requests to a protected web page or show an error message.
Session administration: Detect simultaneous logins, together with these from two separate IP addresses, and invalidate these periods. Correct session administration can forestall session hijacking assaults.
Library documentation: Evaluation the documentation of any libraries utilized in your software to know which parts enable for embedded HTML.
By following these finest practices, builders will help forestall XSS vulnerabilities and make sure the safety of their internet functions.
It’s strongly really helpful that customers replace to the most recent model of the affected packages as quickly as doable to stop the exploitation of this vulnerability and shield their programs from potential assaults.
To mitigate this vulnerability, it’s usually finest follow to restrict entry to modifying catalog content material and require code opinions.
Robert is a systems engineer and open source advocate who loves sharing knowledge. He believes in helping others and is compassionate about giving back to the community. When he’s not geeking with Linux he likes hiking, mountain biking, and exploring…