[Security] Mitigate the risk of path traversal attacks through a request validator

[gmarciani]

Description

Mitigate the risk of path traversal attacks by adding a request validator that rejects requests containing a 'path' argument matching the unsafe path traversal pattern.

This mitigation, together with #422, provides a full mitigation of the path traversal attack.

How Has This Been Tested?

1. Validator is covered by unit tests
2. PCUI is working as expected: login/logout, list clusters, create cluster, delete cluster, list images
3. The legit proxy request (the same form used by PCUI frontend) succeeds, example:
   • https://[PCUI_URL]/pcui/api?path=/v3/images/official
4. Path traversal gets rejected, regardless it points to the legitimate or illegitimate stage. Examples:
   • (legitimate stage) https://hu0moxausi.execute-api.us-east-1.amazonaws.com/pcui/api?path=/../prod/v3/images/official
   • (illegitimate stage) https://hu0moxausi.execute-api.us-east-1.amazonaws.com/pcui/api?path=/../Stage/v3/images/official

when a path traversal is detected, now the request fails with the error:

{"code":400,"message":"Input validation failed for /api","validation_errors":{"path":["Invalid value."]}}

References

PR Quality Checklist

• I added tests to new or existing code
• I removed hardcoded strings and used react-i18next library (useTranslation hook and/or Trans component), see an example here
• I made sure no sensitive info gets logged at any time in the codebase (see here) (e.g. no user info or details, no stacktraces, etc.)
• I made sure that any GitHub issue solved by this PR is correctly linked
• I checked that infrastructure/update_infrastructure.sh runs without any error
• I checked that npm run build builds without any error
• I checked that clusters are listed correctly
• I checked that a new cluster can be created (config is produced and dry run passes)
• I checked that login and logout work as expected

In order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[himani2411]

Can we have more descriptive error message as the below message might look like /api is Invalid instead of the PATH /../Stage/v3/images/official

{"code":400,"message":"Input validation failed for /api","validation_errors":{"path":["Invalid value."]}}

[gmarciani]

@himani2411 Input validation failed for ${api_resource} this is the current messaging PCUI returns for whatever validation error. It is defined here:

aws-parallelcluster-ui/api/validation/__init__.py

Line 33 in a8fe235

raise ValidationError(f'Input validation failed for {request.path}', data=errors)

I agree it may be misleading. What about changing it to Input validation failed for requested resource ${api_resource}?

[himani2411]

@himani2411 Input validation failed for ${api_resource} this is the current messaging PCUI returns for whatever validation error. It is defined here:

aws-parallelcluster-ui/api/validation/__init__.py

Line 33 in a8fe235

raise ValidationError(f'Input validation failed for {request.path}', data=errors)

I agree it may be misleading. What about changing it to Input validation failed for requested resource ${api_resource}?

Agreed on messaging