Backstage, the open source internal developer portal created by Spotify, has been adopted by American Airlines, Fidelity Investments, Netflix, VMware and other enterprises. However, it’s traveled a rocky road in recent months.
In November, Oxeye, a cloud native security company, discovered a serious JavaScript vulnerability in the platform engineering tool.
In mid-February, a cross-site scripting (XSS) vulnerability was discovered in the Backstage Software Catalog, which could allow an attacker to inject malicious code into the application. The vulnerability is caused by insufficient input validation of user-supplied data, specifically in the search functionality of the catalog.
Though the new vulnerability isn’t as serious as the one discovered in November, which racked up a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, it still has a moderate severity level with a score of 6.8, according to CVSS base metrics.
The new vulnerability’s metrics indicate that it wouldn’t take many resources or expertise to launch an attack. The attack vector is via the network, meaning the attacker can be remote and doesn’t need physical access to the system. An attacker also wouldn’t need high-level access privileges to exploit the vulnerability.
This security flaw can be exploited by an attacker to inject JavaScript code into the search query, which would then be executed when the search results are displayed. As a result, an attacker can inject malicious scripts into the page that will execute in the browser of anyone who visits the affected page.
XSS is typically used to steal cookies and take control of user sessions. However, it can also be used to expose sensitive information, gain access to privileged services and functionality, and spread malware, according to the Open Worldwide Web Application Security Project (OWASP) HttpOnly reference page.
The affected versions of the package are:
To address this vulnerability, users of Backstage who are using an affected version of the package should upgrade to the patched versions:
According to the CVSS base metrics, the scope of the vulnerability on the three affected packages has changed, indicating that it can affect a component beyond its intended scope. In this case, it could affect the confidentiality of the system, as the attacker may gain access to sensitive information. The integrity and availability of the system are not affected by this vulnerability.
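As an added illustration that is not part of the article, the arithmetic behind those metrics: a CVSS v3.1 base-score calculator implementing the equations of the FIRST CVSS v3.1 specification, applied to the vector the article's description implies. The article does not print the vector; `PR:L` (low privileges) and `UI:R` (the victim must load the page, the usual XSS case) are assumptions, chosen because they are the values under which the stated metrics score 6.8.

```javascript
// Added example, not from the article or from Backstage: a CVSS v3.1 base-score
// calculator (equations and weights from the FIRST CVSS v3.1 specification),
// used to reproduce the 6.8 the article cites. Node.js, no dependencies.

// Metric weights from the specification (section 7.4).
const AV_W = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 };
const AC_W = { L: 0.77, H: 0.44 };
// Privileges Required depends on whether Scope is Unchanged (U) or Changed (C).
const PR_W = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };
const UI_W = { N: 0.85, R: 0.62 };
const CIA_W = { H: 0.56, L: 0.22, N: 0 };

// Roundup as defined in the specification (appendix A): round up to one decimal
// place using integer arithmetic, so floating-point noise cannot flip a score.
function roundup(x) {
  const intInput = Math.round(x * 100000);
  if (intInput % 10000 === 0) return intInput / 100000;
  return (Math.floor(intInput / 10000) + 1) / 10;
}

// Parse a vector string such as "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N".
function parseVector(vector) {
  const parts = vector.split("/");
  if (parts[0] !== "CVSS:3.1" && parts[0] !== "CVSS:3.0") {
    throw new Error("unsupported CVSS version: " + parts[0]);
  }
  const m = {};
  for (const p of parts.slice(1)) {
    const [k, v] = p.split(":");
    m[k] = v;
  }
  for (const k of ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]) {
    if (!(k in m)) throw new Error(`missing base metric ${k}`);
  }
  return m;
}

// Base score per section 7.1 of the specification.
function baseScore(m) {
  const iss = 1 - (1 - CIA_W[m.C]) * (1 - CIA_W[m.I]) * (1 - CIA_W[m.A]);
  const changed = m.S === "C";
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability =
    8.22 * AV_W[m.AV] * AC_W[m.AC] * PR_W[changed ? "C" : "U"][m.PR] * UI_W[m.UI];
  if (impact <= 0) return 0;
  const raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundup(Math.min(raw, 10));
}

// Qualitative severity bands from section 5 of the specification.
function severity(score) {
  if (score === 0) return "None";
  if (score < 4) return "Low";
  if (score < 7) return "Medium";
  if (score < 9) return "High";
  return "Critical";
}

function scoreVector(vector) {
  const s = baseScore(parseVector(vector));
  return { score: s, severity: severity(s) };
}

// Vector matching the article's description: network, low complexity, scope
// changed, confidentiality high, integrity and availability none. PR:L and UI:R
// are assumptions (the article does not print the vector); they are the values
// under which these metrics yield the 6.8 it cites.
const ARTICLE_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N";

if (typeof require !== "undefined" && require.main === module) {
  console.log(ARTICLE_VECTOR, scoreVector(ARTICLE_VECTOR));
}
```

`scoreVector(ARTICLE_VECTOR)` returns `{ score: 6.8, severity: "Medium" }`; the CVSS specification labels the 4.0 to 6.9 band Medium, which is the band the article calls moderate. Changing `UI:R` to `UI:N` raises the same vector to 7.7, which is why the user-interaction metric deserves attention when reading an XSS advisory: the score assumes a user has to load the poisoned search page.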
Let’s take a closer look at the core functions of the affected packages to better understand the scale of a potential attack.
The documentation for the catalog-model package provides information on the interfaces and validators/policies that define the data model for the Backstage Software Catalog. These interfaces and validators enable consistent and standardized representation of software components within the catalog.
The documentation covers the various interfaces defined in the package, including:
The documentation also covers the various validators provided by the package, which can be used to ensure that data conforms to the defined interfaces.
By using the interfaces and validators provided by the catalog-model package, developers can ensure that their software components are represented consistently and accurately within the Backstage Software Catalog.
For teams that use Backstage, this leads to better organization, discovery and reuse of software components. Additionally, the package can be customized to include metadata and relationships that are specific to an organization’s unique needs.
When used in conjunction with other Backstage packages, such as `@backstage/backend-plugin-api` and `@backstage/catalog-client`, the catalog-model package provides the ability to access and manage software catalog data. This combination of packages makes it possible to create a centralized software catalog that developers and teams throughout an organization can use.
The core-components package is a collection of reusable React components for building developer portals using the Backstage platform. These components provide a set of UI primitives that can be used to create a consistent and cohesive user interface for your developer portal.
Some of the components included in the package are:
The core-components package is designed to work seamlessly with other Backstage packages, such as `@backstage/core-app-api` and `@backstage/core-plugin-api`. These packages provide additional functionality for building developer portals, such as app integration and plugin support.
Using the core-components package can save time and effort when building a developer portal using the Backstage platform, as it provides pre-built components that are specifically designed for the platform.
The plugin-catalog-backend-module package is a plugin for the Backstage platform that provides backend functionality for the software catalog. It is designed to be used with other Backstage plugins, such as `@backstage/plugin-catalog`, `@backstage/plugin-catalog-node` and `@backstage/catalog-client`, to enable a fully featured software catalog experience for developers.
The package comes with a built-in database-backed implementation of the catalog, which can store and serve catalog data. It can also act as a bridge to existing catalog solutions, allowing developers to ingest data into the database or proxy calls to an external catalog service.
The plugin-catalog-backend-module package is designed to be extensible, allowing developers to add custom functionality to the software catalog. For example, developers can define custom metadata fields for components or add integrations with external tools for managing software components.
The package is built on top of the `@backstage/catalog-model` package, which provides a standardized data model for representing software components. This enables consistent and standardized management of components across an organization.
Like other Backstage packages, the plugin-catalog-backend-module package is open source.
Currently, 12 packages depend on the `plugin-catalog-backend-module`. Below, we highlight three of them. For a full list of packages, search `@backstage/plugin-catalog-backend-module` at NuGet Package Manager.
The `plugin-catalog-backend-module-aws` package is a catalog backend module for Amazon Web Services (AWS). It is an extension module to the `plugin-catalog-backend` plugin and provides an `AwsOrganizationCloudAccountProcessor` that can be used to ingest cloud accounts as `Resource`-kind entities.
This module allows users to easily add AWS accounts to their Backstage instance, making it possible to view and manage them alongside other resources in the catalog. The `AwsOrganizationCloudAccountProcessor` can be used to scan an AWS organization for accounts and automatically create resource entities for them.
By using this module, users can gain better visibility and management capabilities for their AWS accounts within their Backstage instance, leading to increased efficiency and better resource utilization.
The `plugin-catalog-backend-module-gitlab` package provides a GitLab discovery module for the Backstage Software Catalog. The GitLab integration includes a special entity provider that allows users to discover catalog entities from GitLab.
The entity provider will crawl the GitLab instance and register entities that match the configured paths. This can be a useful alternative to manually adding things to the catalog or using static locations. The GitLab discovery module simplifies the process of integrating GitLab repositories into the Backstage Software Catalog.
The `plugin-catalog-backend-module-openapi` package is a catalog backend module that extends the catalog backend to resolve `$ref` references in YAML documents.
This module lets users split their YAML documents into multiple files and reference them. During processing, the files are bundled using a `UrlReader` and stored as a single specification.
This functionality is particularly useful for OpenAPI and AsyncAPI specifications, where users often work with complex and large files that need to be broken down into smaller, more manageable files.
With `plugin-catalog-backend-module-openapi`, users can manage these files and reference them without having to merge or concatenate them manually.
Preventing XSS attacks is crucial for ensuring the security of web applications. Here are some best practices, derived in part from OWASP guidance, that can help prevent XSS vulnerabilities:
By following these best practices, developers can help prevent XSS vulnerabilities and ensure the security of their web applications.
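To make those practices concrete, here is an added example in Node.js that is not code from the article or from Backstage: a toy catalog search page rendered the vulnerable way the article describes, with the search term concatenated straight into the markup, beside a hardened version that applies OWASP's output encoding, input validation and a Content-Security-Policy header. The sample entities, the probe string and all function names are constructed for the example.

```javascript
// Added example (not code from the article or from Backstage): the reflected-XSS
// shape the article describes for a catalog search page, beside a hardened
// rendering that applies OWASP's output-encoding and defence-in-depth advice.
// Node.js, no dependencies.

// Constructed sample catalog entities standing in for Software Catalog data.
const SAMPLE_ENTITIES = [
  { kind: "Component", name: "payments-api", owner: "team-payments" },
  { kind: "Component", name: "search-ui", owner: "team-web" },
  { kind: "Resource", name: "payments-db", owner: "team-payments" },
];

// Case-insensitive substring search over name and owner.
function searchEntities(entities, term) {
  const t = String(term).toLowerCase();
  return entities.filter(
    (e) => e.name.toLowerCase().includes(t) || e.owner.toLowerCase().includes(t)
  );
}

// VULNERABLE pattern: the user-supplied term is concatenated into the page
// markup unencoded, so any markup inside the term becomes part of the page.
function renderResultsUnsafe(term, results) {
  let html = `<h2>Results for "${term}"</h2><ul>`;
  for (const e of results) {
    html += `<li>${e.kind}: ${e.name} (${e.owner})</li>`;
  }
  return html + "</ul>";
}

// OWASP output-encoding rule for the HTML body context: entity-encode every
// untrusted value before it lands in HTML. React's JSX does this for you; the
// hazard is string concatenation, innerHTML or dangerouslySetInnerHTML.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (c) => HTML_ENTITIES[c]);
}

// Input validation as a second layer: bound the length and refuse control
// characters. It does not replace encoding, because legitimate search terms
// may contain characters such as < or &.
const MAX_TERM_LENGTH = 200;
function validateSearchTerm(term) {
  const s = String(term);
  if (s.length > MAX_TERM_LENGTH) return { ok: false, reason: "too long" };
  if (/[\u0000-\u001f\u007f]/.test(s)) return { ok: false, reason: "control characters" };
  return { ok: true, value: s };
}

// HARDENED rendering: validate, then encode every untrusted field, including
// the catalog data itself, since entity metadata is user-supplied too.
function renderResultsSafe(term, results) {
  const v = validateSearchTerm(term);
  if (!v.ok) return `<p>Invalid search term: ${escapeHtml(v.reason)}</p>`;
  let html = `<h2>Results for "${escapeHtml(v.value)}"</h2><ul>`;
  for (const e of results) {
    html += `<li>${escapeHtml(e.kind)}: ${escapeHtml(e.name)} (${escapeHtml(e.owner)})</li>`;
  }
  return html + "</ul>";
}

// Defence in depth: a Content-Security-Policy that forbids inline script, so a
// single encoding slip does not by itself yield script execution. The nonce
// must be freshly generated by the server for every response.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed probe of the kind a security test would submit: markup in the term.
const PROBE_TERM = "payments<script>alert(1)</script>";

// Render the same search both ways so the difference is visible side by side.
function demo() {
  const results = searchEntities(SAMPLE_ENTITIES, PROBE_TERM);
  return {
    unsafe: renderResultsUnsafe(PROBE_TERM, results),
    safe: renderResultsSafe(PROBE_TERM, results),
    csp: cspHeader("PLACEHOLDER-NONCE"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log(out.unsafe);
  console.log(out.safe);
  console.log(out.csp);
}
```

The unsafe branch reflects the probe's `<script>` element verbatim into the "no results" heading, which is exactly the reflected-XSS shape the advisory describes; the safe branch renders it as `&lt;script&gt;`, so the browser shows the text and executes nothing. The CSP is there for the case where a future component forgets to encode: with inline script disallowed, an injected `<script>` without the per-response nonce is blocked.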
It is strongly recommended that users update to the latest version of the affected packages as soon as possible to prevent the exploitation of this vulnerability and protect their systems from potential attacks.
To mitigate this vulnerability, it is generally best practice to limit access to modifying catalog content and require code reviews.