Post by AMI_RythonCai on Sept 16, 2022 5:31:40 GMT
Hi, according to the definition of sensitive data: "Responses from URIs that contain sensitive data may return the HTTP 404 Not Found status code instead of the HTTP 401 Unauthorized status code or the HTTP 403 Forbidden status code to prevent attackers from obtaining the sensitive data in the URI." (www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.15.1.pdf). I would like to know what the scope of sensitive data is. Is there any standard to refer to? I couldn't find property annotations related to sensitive data in the resource schema. Thanks
Post by mraineri on Sept 19, 2022 12:48:00 GMT
A possible attack point could be the URI itself. If an attacker with invalid credentials gets back a 401 instead of a 404 for different URIs, they can deduce which URIs are valid. This can indicate the value of the Id property of different resources; if the attacker has knowledge about the behavior of that implementation, they might be able to use this information to determine system identifiers, session information, user information, or anything they managed to reverse engineer with their own instance of the implementation.
Ultimately it's really going to come down to how you designed your implementation for what types of information can be deduced by an attacker from knowing the existence of a given URI.
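The status-code oracle described in the post above, as an added example that is not part of the original thread or of any DMTF code. It models an in-memory Redfish-like service with two unauthenticated-GET policies: the naive one answers 401 for URIs that exist and 404 for those that do not, the hardened one answers 404 in both cases as the DSP0266 clause permits. The resource table and the probing client are constructed for the illustration; the URI shapes follow the Redfish collection layout but the Ids are invented.

```python
"""Constructed demonstration of URI-existence leakage via 401 vs 404.
The resource table, Ids and client are made up; this is not a real BMC."""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed resource table: URI -> representation. Nothing here is real.
RESOURCES: Dict[str, dict] = {
    "/redfish/v1/AccountService/Accounts/1": {"Id": "1", "UserName": "admin"},
    "/redfish/v1/AccountService/Accounts/7": {"Id": "7", "UserName": "svc-backup"},
    "/redfish/v1/SessionService/Sessions/a1b2c3": {"Id": "a1b2c3"},
}

Response = Tuple[int, dict]


def leaky_get(uri: str, authenticated: bool) -> Response:
    """Naive policy: check existence before authorization.
    An unauthenticated caller gets 401 for real URIs and 404 for bogus ones,
    so the status code alone reveals which Ids exist."""
    if uri not in RESOURCES:
        return 404, {}
    if not authenticated:
        return 401, {}
    return 200, RESOURCES[uri]


def hardened_get(uri: str, authenticated: bool) -> Response:
    """Policy the spec clause allows for sensitive URIs: an unauthenticated
    caller sees 404 whether or not the URI exists, so existence is not
    observable from the status code."""
    if not authenticated or uri not in RESOURCES:
        return 404, {}
    return 200, RESOURCES[uri]


def enumerate_ids(get: Callable[[str, bool], Response],
                  collection: str, candidates: Iterable[str]) -> List[str]:
    """Attacker with no credentials: probe candidate Ids under a collection
    and keep every one whose answer differs from the 'does not exist' code."""
    found: List[str] = []
    for cand in candidates:
        status, _ = get(f"{collection}/{cand}", False)
        if status != 404:
            found.append(cand)
    return found


if __name__ == "__main__":
    accounts = "/redfish/v1/AccountService/Accounts"
    guesses = [str(i) for i in range(10)]
    print("leaky   :", enumerate_ids(leaky_get, accounts, guesses))
    print("hardened:", enumerate_ids(hardened_get, accounts, guesses))
```

The uniform 404 only closes the status-code channel; response size, timing and error bodies must be equally uniform for the two cases, and the URIs an unauthenticated client legitimately needs (the service root, the Sessions collection for POST) must keep their normal behaviour.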
Post by JenHuang on Oct 18, 2022 12:51:39 GMT
The Redfish specification requests returning 401 if it contains sensitive data. But the problem is, more than one property is sensitive data:
AccountService_v1.xml: the properties "Password", "Token" and "KerberosKeytab" are sensitive data and carry the following text in their description: "This property is `null` in responses."
ExternalAccountProvider_v1.xml: the properties "Password", "Token" and "KerberosKeytab" are sensitive data and carry the following text in their description: "This property is `null` in responses."
ManagerAccount_v1.xml: the property "Password" is sensitive data and carries the following text in its description: "This property is `null` in responses."
We expect DMTF Redfish might introduce more properties as sensitive data as the Redfish schema is regularly updated. But those properties/sensitive data cannot be described by CSDL/JSON schema (obviously there is no specific property annotation for sensitive data). I think a property annotation for sensitive data would help to address the missing sensitive data information derived from the Redfish schema, and would help Redfish server, Redfish validation and also Redfish client development.
Post by jautor on Oct 20, 2022 16:37:22 GMT
Reading that clause, I agree that phrase needs some slight re-wording to clarify that the 401/404 choice is referring to URIs that may have sensitive data embedded in the URI itself. That has nothing to do with a JSON payload that includes properties with sensitive data values. I'll open an issue on the spec to have that clarified.
Separately, for properties that contain sensitive data, where the Redfish schema requires a null to be returned on GET, I agree that a schema annotation to indicate that would be useful, and I'll open an enhancement request for that as well. You are correct that an annotation would enable the conformance tests to ensure that no sensitive data is returned for those properties, and our documentation could further indicate that behavior (instead of relying on text in the property description alone).
Also, you both appear (according to your usernames) to work for a DMTF member company, so you can also ask your company representative to open issues within the group to address these topics.
Jeff
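The conformance check discussed in the two posts above, as an added example that is neither the thread's nor the DMTF's own code. It takes a decoded GET response and the set of property names the thread identifies as "null in responses" (Password, Token, KerberosKeytab) and reports any that came back non-null, walking nested objects because ExternalAccountProvider carries these under its Authentication object. A server-side sanitizer that forces the same properties to null is included for contrast. The two response bodies are constructed; the property list is the one quoted in the posts, not a schema annotation, which is exactly the gap the enhancement request is about.

```python
"""Constructed conformance check: find sensitive properties returned non-null.
The property set is taken from the thread; the payloads are invented."""
from typing import Any, List

# Property names the thread identifies as "This property is `null` in responses".
SENSITIVE_PROPERTIES = frozenset({"Password", "Token", "KerberosKeytab"})


def find_leaked_properties(payload: Any, path: str = "") -> List[str]:
    """Walk a decoded JSON document and return JSON-pointer-style paths of
    every sensitive property whose value is not null. Objects and arrays are
    searched recursively so nested Authentication.Password is caught."""
    leaks: List[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}/{key}"
            if key in SENSITIVE_PROPERTIES and value is not None:
                leaks.append(child)
            leaks.extend(find_leaked_properties(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            leaks.extend(find_leaked_properties(item, f"{path}/{i}"))
    return leaks


def redact_for_response(payload: Any) -> Any:
    """Service side: sanitizer applied before serializing a GET response,
    replacing every sensitive property with null and leaving the rest intact."""
    if isinstance(payload, dict):
        return {k: (None if k in SENSITIVE_PROPERTIES else redact_for_response(v))
                for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact_for_response(v) for v in payload]
    return payload


# Constructed sample responses. GOOD_ACCOUNT nulls Password as required;
# BAD_PROVIDER wrongly echoes the bind password and keytab back to the client.
GOOD_ACCOUNT = {"Id": "1", "UserName": "admin", "Password": None,
                "RoleId": "Administrator"}
BAD_PROVIDER = {
    "Id": "LDAP",
    "AccountProviderType": "ActiveDirectoryService",
    "Authentication": {"AuthenticationType": "UsernameAndPassword",
                       "Username": "bind-user",
                       "Password": "hunter2",
                       "KerberosKeytab": "base64-keytab-bytes"},
    "ServiceAddresses": ["ldaps://ad.example.internal"],
}

if __name__ == "__main__":
    print("account leaks :", find_leaked_properties(GOOD_ACCOUNT))
    print("provider leaks:", find_leaked_properties(BAD_PROVIDER))
    print("after redact  :", find_leaked_properties(redact_for_response(BAD_PROVIDER)))
```

Once a schema annotation exists, SENSITIVE_PROPERTIES should be generated from the CSDL rather than hand-maintained; until then a check like this has to track the property descriptions by hand, which is the maintenance problem the thread raises.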
Post by JenHuang on Oct 16, 2023 21:06:31 GMT
I saw there is "write only" in the recent Redfish schema and specification.
This is awesome for redfish interoperability.