[Openid-specs-fapi] Issue #487: RS must check x-fapi-interaction-id is an UUID or IP address (openid/fapi)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Mon Mar 21 13:01:11 UTC 2022
New issue 487: RS must check x-fapi-interaction-id is an UUID or IP address
https://bitbucket.org/openid/fapi/issues/487/rs-must-check-x-fapi-interaction-id-is-an
Vladimir Dzhuvinov:
In December 2021 when the Log4Shell vulnerability became public we had a sec review and it was discovered the FAPI 1.0 spec has no explicit requirement for the RS to validate the x-fapi-interaction-id header.
For the client we have a clear UUID requirement:
[https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#client-provisions](https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#client-provisions)
> may send the `x-fapi-interaction-id` request header, in which case the value shall be a RFC4122 UUID to the server to help correlate log entries between client and server, e.g., `x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a`.
However, the RS is not required to actually check that the received header is indeed a UUID (or IP address), so a malicious client could potentially send special characters to exploit log injection and other vulns in software:
[https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#protected-resources-provisions](https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#protected-resources-provisions)
* shall set the response header `x-fapi-interaction-id` to the value received from the corresponding FAPI client request header or to a [RFC4122](https://tools.ietf.org/html/rfc4122) UUID value if the request header was not provided to track the interaction, e.g., `x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a`;
* shall log the value of `x-fapi-interaction-id` in the log entry; and
* shall not reject requests with a `x-fapi-customer-ip-address` header containing a valid IPv4 or IPv6 address.
Our recommendation is to consider addressing this in the next errata so that RSes are informed to perform a check on the header format before processing the request (and in FAPI 2 if the WG decides to keep the x-fapi-interaction-id in the next version: [https://bitbucket.org/openid/fapi/pull-requests/288/add-initial-version-of-implementation#LFAPI_2_0_Implementation_Advice.mdT98](https://bitbucket.org/openid/fapi/pull-requests/288/add-initial-version-of-implementation#LFAPI_2_0_Implementation_Advice.mdT98)).
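The check the issue asks RSes to perform, as an added example that is not part of the issue, the mailing list post, or any FAPI WG text: an RS-side filter that accepts `x-fapi-interaction-id` only in the hyphenated RFC 4122 textual form the spec quotes, mints a fresh UUID when the header is absent (as the spec already requires), and validates `x-fapi-customer-ip-address` as a literal IPv4/IPv6 address before either value reaches a log line or a response header. The function names, the `HeaderRejected` policy for a present-but-malformed interaction id, and the sample header sets are assumptions made for this example; the spec text only covers the missing-header case.

```python
import ipaddress
import re
import uuid
from typing import Mapping, Optional

# Canonical RFC 4122 text form, 8-4-4-4-12 hex groups, as in the spec's example
# value. uuid.UUID() alone is too lenient for header validation: it also
# accepts "{...}" braces, a "urn:uuid:" prefix and 32 bare hex digits, so the
# regex is applied first and uuid.UUID() only confirms the match.
_UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


class HeaderRejected(ValueError):
    """Raised when a FAPI header is present but malformed (example policy)."""


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_rfc4122_uuid(value: str) -> bool:
    """True only for the hyphenated textual UUID form (no braces, prefix or bare hex)."""
    if _UUID_RE.fullmatch(value) is None:
        return False
    uuid.UUID(value)  # always parses once the regex matched; kept as a belt-and-braces check
    return True


def is_ip_address(value: str) -> bool:
    """True for a single literal IPv4 or IPv6 address (no lists, ports or zones)."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def resolve_interaction_id(headers: Mapping[str, str]) -> str:
    """Return the value the RS should echo in its response and write to its log.

    Absent header: mint a fresh UUID, as FAPI 1.0 already requires.
    Present but not a UUID: reject (this issue's proposal), so that no
    attacker-controlled bytes such as CR/LF can reach the log or the response.
    """
    raw = _header(headers, "x-fapi-interaction-id")
    if raw is None:
        return str(uuid.uuid4())
    if not is_rfc4122_uuid(raw):
        raise HeaderRejected("x-fapi-interaction-id is not an RFC 4122 UUID")
    return raw  # echoed unchanged, as received, per the spec


def resolve_customer_ip(headers: Mapping[str, str]) -> Optional[str]:
    """Return the normalised customer IP, None if absent, or reject a malformed one."""
    raw = _header(headers, "x-fapi-customer-ip-address")
    if raw is None:
        return None
    if not is_ip_address(raw):
        raise HeaderRejected("x-fapi-customer-ip-address is not an IPv4/IPv6 address")
    return str(ipaddress.ip_address(raw))


def log_entry(headers: Mapping[str, str], path: str) -> str:
    """Build the log line the spec asks for; only validated values are interpolated."""
    interaction_id = resolve_interaction_id(headers)
    customer_ip = resolve_customer_ip(headers) or "-"
    return f"interaction_id={interaction_id} customer_ip={customer_ip} path={path}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = {"X-FAPI-Interaction-ID": "c770aef3-6784-41f7-8e0e-ff5f97bddb3a",
            "x-fapi-customer-ip-address": "2001:DB8::1"}
    print(log_entry(good, "/accounts"))
    print(log_entry({}, "/accounts"))  # fresh UUID minted
    # A value carrying a line break is refused before it can forge a log line.
    try:
        log_entry({"x-fapi-interaction-id": "c770aef3-6784-41f7-8e0e-ff5f97bddb3a\r\nforged=1"},
                  "/accounts")
    except HeaderRejected as exc:
        print("rejected:", exc)
```

Whether a malformed interaction id should cause a 400 or simply be replaced by a server-minted UUID is a policy choice the spec leaves open; the example rejects, which also gives the client an unambiguous signal that its header was ignored.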