XSS Vulnerability Discovered in Backstage Software Catalog

Backstage, the open source internal developer portal created by Spotify, has been adopted by American Airlines, Fidelity Investments, Netflix, VMware and other enterprises. However, it’s traveled a rocky road in recent months.
In November, Oxeye, a cloud native security company, disclosed a critical remote code execution vulnerability in the platform engineering tool: a sandbox escape in the template engine used by the Scaffolder plugin.
In mid-February, a cross-site scripting (XSS) vulnerability was disclosed in the Backstage Software Catalog. It allows an attacker to inject script that runs in other users’ browsers. The root cause is insufficient input validation of user-supplied data, specifically in the catalog’s search functionality.
Though the new vulnerability isn’t as serious as the one disclosed in November, which carried a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, it is still rated Medium, with a CVSS base score of 6.8.
The base metrics indicate that exploitation needs neither many resources nor much expertise. The attack vector is the network, so the attacker can be remote and needs no physical access to the system. Low privileges are enough and the attack complexity is low; what the attacker does need is a victim who loads the page on which the injected content is rendered.
An attacker exploits the flaw by injecting JavaScript into the search query; the script is then executed when the search results are rendered. Any script injected this way runs in the browser of whoever views the affected page, with that user’s session and privileges.
XSS is typically used to steal cookies and take over user sessions. It can also be used to expose sensitive information, reach privileged services and functionality, and spread malware, as OWASP notes in its description of the HttpOnly cookie flag, a flag that exists precisely to keep session cookies out of reach of injected scripts.
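The bug class described above, as an added example rather than code from the Backstage project: a search-results renderer that concatenates the query and the hit fields straight into markup, beside the hardened form that entity-encodes every untrusted value. Function names and the sample hits are hypothetical.

```javascript
// Added example, not code from the Backstage project: untrusted search input
// concatenated into markup (vulnerable) versus the same renderer with output
// encoding (hardened). Function names and sample data are hypothetical.

// Constructed sample catalog hits standing in for real search results.
const sampleHits = [
  { name: 'payments-api', description: 'Handles card payments' },
  { name: 'search-indexer', description: 'Builds the catalog search index' },
];

// Vulnerable: the query and the hit fields go into the HTML string as-is, so a
// query (or a catalog description) such as <img src=x onerror=...> becomes live markup.
function renderResultsUnsafe(query, hits) {
  const rows = hits
    .map(h => `<li><b>${h.name}</b>: ${h.description}</li>`)
    .join('');
  return `<p>Results for "${query}"</p><ul>${rows}</ul>`;
}

// Entity-encode the five characters that matter in HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: every untrusted value is encoded for the context it lands in.
// React does this for {expr} children automatically; hand-built strings and
// dangerouslySetInnerHTML bypass that protection.
function renderResultsSafe(query, hits) {
  const rows = hits
    .map(h => `<li><b>${escapeHtml(h.name)}</b>: ${escapeHtml(h.description)}</li>`)
    .join('');
  return `<p>Results for "${escapeHtml(query)}"</p><ul>${rows}</ul>`;
}

// Crude check used only for this demonstration: is an element with this tag
// name present as real markup (not as encoded text) in the output?
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}\\b`, 'i').test(html);
}

const payload = '<img src=x onerror=alert(document.cookie)>';
console.log(containsRawTag(renderResultsUnsafe(payload, sampleHits), 'img')); // true
console.log(containsRawTag(renderResultsSafe(payload, sampleHits), 'img'));   // false
```

The hit fields are encoded as well as the query: anything stored in the catalog is eventually rendered in someone else’s browser, so catalog content is untrusted input from the renderer’s point of view.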
The affected versions of the package are:
- @backstage/catalog-model (npm) < 1.1.5
- @backstage/core-components (npm) < 0.12.3
- @backstage/plugin-catalog-backend (npm) < 1.7.1
To address this vulnerability, users of Backstage who are running an affected version of any of these packages should upgrade to at least the patched versions:
- @backstage/catalog-model (npm) 1.2.0
- @backstage/core-components (npm) 0.12.4
- @backstage/plugin-catalog-backend (npm) 1.7.2
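A quick way to find out whether an installation is exposed, as an added example rather than Backstage tooling: scan an npm lockfile for the three packages and flag every installed copy below its patched version, including nested copies that a top-level upgrade can miss. The lockfile excerpt is constructed; the check treats anything below the patched version as affected, which is the conservative reading of the two lists above.

```javascript
// Added example, not Backstage tooling: scan an npm lockfile for the three
// affected packages and flag any copy below the patched version. The lockfile
// excerpt is constructed for the demonstration.

const PATCHED_VERSIONS = {
  '@backstage/catalog-model': '1.2.0',
  '@backstage/core-components': '0.12.4',
  '@backstage/plugin-catalog-backend': '1.7.2',
};

// Minimal semver: numeric major.minor.patch with an optional pre-release suffix,
// which ranks below the corresponding release (1.2.0-next.1 < 1.2.0).
function parseVersion(version) {
  const dash = version.indexOf('-');
  const core = dash === -1 ? version : version.slice(0, dash);
  const [major, minor, patch] = core.split('.').map(Number);
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  return { major, minor, patch, pre: dash === -1 ? null : version.slice(dash + 1) };
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (x[part] !== y[part]) return x[part] < y[part] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;   // a release beats a pre-release
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;  // lexical tie-break is enough here
}

function isAffected(name, version) {
  return name in PATCHED_VERSIONS && compareVersions(version, PATCHED_VERSIONS[name]) < 0;
}

// package-lock.json (lockfileVersion 2 or 3) keys every installed copy by its
// path, e.g. "node_modules/@backstage/catalog-model" or a nested
// "packages/backend/node_modules/@backstage/catalog-model". Nested copies are
// exactly the ones an upgrade of the top-level dependency can miss.
function findAffected(lockfile) {
  const marker = 'node_modules/';
  const findings = [];
  for (const [pkgPath, info] of Object.entries(lockfile.packages || {})) {
    const idx = pkgPath.lastIndexOf(marker);
    if (idx === -1 || !info.version) continue;
    const name = pkgPath.slice(idx + marker.length);
    if (isAffected(name, info.version)) {
      findings.push({ name, version: info.version, path: pkgPath, fixed: PATCHED_VERSIONS[name] });
    }
  }
  return findings;
}

// Constructed lockfile excerpt.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-backstage-app' },
    'node_modules/@backstage/catalog-model': { version: '1.1.4' },
    'node_modules/@backstage/core-components': { version: '0.12.4' },
    'node_modules/@backstage/plugin-catalog-backend': { version: '1.7.1' },
    'packages/backend/node_modules/@backstage/catalog-model': { version: '1.2.0-next.1' },
  },
};

console.log(findAffected(sampleLockfile));
```

Backstage apps are usually Yarn workspaces rather than npm projects; there, `yarn why @backstage/catalog-model` lists every resolved copy and serves the same purpose against yarn.lock.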
Core Functionality of Affected Packages
Among the CVSS base metrics, Scope is rated Changed: the vulnerable component is the catalog search, but the damage lands in a different security scope, namely the browser session of the user who views the results. The impact metrics rate confidentiality High, since injected script can read whatever the victim’s session can, while integrity and availability are rated None.
Let’s take a closer look at the core functions of the affected packages to better understand the scale of a potential attack.
Backstage Catalog Model
The catalog-model package defines the data model for the Backstage Software Catalog: the TypeScript interfaces and the validators and policies that every entity must satisfy. Together they give software components a consistent, standardized representation in the catalog.
The package’s core types include:
- Entity: The common shape shared by everything in the catalog: an apiVersion, a kind, metadata (name, namespace, description, labels, annotations) and a kind-specific spec. Relationships between entities are expressed as relations on this shape.
- Component: The Entity kind that represents a piece of software such as a service, website or library, with spec fields such as type, lifecycle and owner, plus references to the APIs it provides or consumes.
- Location: The Entity kind that points at a place the catalog should read descriptor files from, such as a file in a git repository or on a file system. Group and User kinds cover organizational units and people.
The documentation also covers the various validators provided by the package, which can be used to ensure that data conforms to the defined interfaces.
By using the interfaces and validators provided by the catalog-model package, developers can ensure that their software components are represented consistently and accurately within the Backstage Software Catalog.
For teams that use Backstage, this leads to better organization, discovery and reuse of software components. Additionally, the package can be customized to include metadata and relationships that are specific to an organization’s unique needs.
When used in conjunction with other Backstage packages, such as @backstage/backend-plugin-api and @backstage/catalog-client, the catalog-model package provides the ability to access and manage software catalog data. This combination of packages makes it possible to create a centralized software catalog that developers and teams throughout an organization can use.
Backstage Core Components
The core-components package is a collection of reusable React components for building developer portals using the Backstage platform. These components provide a set of UI primitives that can be used to create a consistent and cohesive user interface for your developer portal.
Some of the components included in the package are:
- AlertDisplay: Renders the alerts that plugins post through the alert API so the user sees them.
- CopyTextButton: Allows the user to copy text to their clipboard.
- InfoCard: Displays information in a card format.
- Progress: Displays a progress bar.
- Table: Displays data in a table format.
The core-components package is designed to work seamlessly with other Backstage packages, such as @backstage/core-app-api and @backstage/core-plugin-api. These packages provide additional functionality for building developer portals, such as app integration and plugin support.
Using the core-components package can save time and effort when building a developer portal using the Backstage platform, as it provides pre-built components that are specifically designed for the platform.
Backstage Catalog Backend Plugin
The plugin-catalog-backend package (@backstage/plugin-catalog-backend, the third affected package) provides the backend of the software catalog. It is designed to be used with other Backstage packages, such as @backstage/plugin-catalog, @backstage/plugin-catalog-node and @backstage/catalog-client, to enable a fully featured software catalog experience for developers.
The package comes with a built-in database-backed implementation of the catalog, which can store and serve catalog data. It can also act as a bridge to existing catalog solutions, allowing developers to ingest data into the database or proxy calls to an external catalog service.
The plugin-catalog-backend package is designed to be extensible, allowing developers to add custom functionality to the software catalog. For example, developers can define custom metadata fields for components or add integrations with external tools for managing software components.
The package is built on top of the @backstage/catalog-model package, which provides a standardized data model for representing software components. This enables consistent and standardized management of components across an organization.
Like other Backstage packages, plugin-catalog-backend is open source.
Extension Modules to the Catalog Backend Plugin
Currently, 12 extension modules build on plugin-catalog-backend; their names share the prefix @backstage/plugin-catalog-backend-module-. Below, we highlight three of them. For a full list, search for that prefix on the npm registry.
AWS Extension Module
The plugin-catalog-backend-module-aws package is a catalog backend module for Amazon Web Services (AWS). It extends the plugin-catalog-backend plugin with an AwsOrganizationCloudAccountProcessor that ingests cloud accounts as Resource kind entities.
This module allows users to easily add AWS accounts to their Backstage instance, making it possible to view and manage them alongside other resources in the catalog. The AwsOrganizationCloudAccountProcessor can be used to scan an AWS organization for accounts and automatically create resource entities for them.
By using this module, users can gain better visibility and management capabilities for their AWS accounts within their Backstage instance, leading to increased efficiency and better resource utilization.
GitLab Extension Module
The plugin-catalog-backend-module-gitlab package provides a GitLab discovery module for the Backstage Software Catalog. The GitLab integration includes a special entity provider that allows users to discover catalog entities from GitLab.
The entity provider will crawl the GitLab instance and register entities that match the configured paths. This can be a useful alternative to manually adding things to the catalog or using static locations. The GitLab discovery module simplifies the process of integrating GitLab repositories into the Backstage Software Catalog.
OpenAPI Extension Module
The plugin-catalog-backend-module-openapi package is a catalog backend module that extends the catalog backend to resolve $refs in YAML documents.
With it, users can split a YAML document into several files that reference one another. During processing, the referenced files are fetched through a UrlReader, bundled, and stored as a single specification.
This functionality is particularly useful for OpenAPI and AsyncAPI specifications, where users often work with complex and large files that need to be broken down into smaller, more manageable files.
With the plugin-catalog-backend-module-openapi package, users can easily manage these files and reference them without the need to merge or concatenate them manually.
Best Practices to Prevent XSS Vulnerabilities
Preventing XSS attacks is crucial for ensuring the security of web applications. Here are some best practices, derived in part from OWASP guidance, that can help prevent XSS vulnerabilities:
- Input validation: Validate user input against what the field is supposed to contain (an entity name, a search term) and reject the rest. Validation narrows the attack surface but does not by itself stop XSS, so it is always paired with output encoding.
- Output encoding: Encode untrusted data for the context it is written into: HTML entities for &, <, >, " and ' in element text and attributes, percent-encoding in URLs, and JavaScript string escaping inside scripts. Relying on a framework’s built-in escaping (React’s JSX children, for example) rather than hand-built markup avoids most of these mistakes; a URL written into an href additionally needs its scheme checked, since encoding does nothing against javascript: URLs.
- Content security policy (CSP): Use and enforce a CSP that restricts where scripts may load from and forbids inline script. It is defence in depth: it does not remove an injection bug, but it can stop the injected script from running.
- Client-side scripts and cookies: Users can in principle disable client-side scripts, but a single-page application such as Backstage does not work without them, so the practical control is to limit what injected script can reach: mark session cookies HttpOnly so script cannot read them, and set Secure and SameSite so a stolen token is harder to replay.
- Invalid request handling: Reject malformed requests with a generic error page rather than echoing the offending input back into the response.
- Session management: Bind sessions to their context and invalidate sessions that appear to be in use from two places at once (for example two IP addresses). This does not prevent XSS, but it limits the value of a hijacked session.
- Library documentation: Review the documentation of every UI library in use to learn which elements or props render embedded HTML (dangerouslySetInnerHTML-style sinks) and treat those as hazardous.
By following these best practices, developers can help prevent XSS vulnerabilities and ensure the security of their web applications.
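Two of the controls above in runnable form, as an added example that is not code from Backstage: a scheme allowlist applied to attacker-influenced URLs before they reach an href, and a crude audit of a Content-Security-Policy header for settings that would still let injected script run, plus the cookie attributes that limit what such a script can do. The base URL, the two policies and the cookie name are illustrative.

```javascript
// Added example, not code from Backstage: safeHref() allowlists URL schemes
// before a value reaches an href sink, cspWeaknesses() audits a CSP header,
// and sessionCookieHeader() sets the cookie flags discussed above.
// The base URL, policies and cookie name are illustrative.

const ALLOWED_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Resolve against the app origin so relative catalog links keep working, then
// accept only allowlisted schemes. The WHATWG URL parser normalises case and
// strips the tabs/newlines attackers use to smuggle "java\tscript:".
function safeHref(input, base = 'https://backstage.example/') {
  let url;
  try {
    url = new URL(String(input), base);
  } catch {
    return '#';
  }
  return ALLOWED_LINK_SCHEMES.has(url.protocol) ? url.href : '#';
}

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Crude audit: lists the reasons a policy would still let reflected script run.
// It ignores the CSP3 rule that a nonce or hash in the same directive disables
// 'unsafe-inline', so it can over-report on nonce-based policies.
function cspWeaknesses(header) {
  const d = parseCsp(header);
  const scriptSrc = d['script-src'] || d['default-src'];
  const reasons = [];
  if (!scriptSrc) {
    reasons.push('no script-src or default-src: any script may run');
    return reasons;
  }
  if (scriptSrc.includes("'unsafe-inline'")) {
    reasons.push("'unsafe-inline' permits injected inline scripts and event handlers");
  }
  if (scriptSrc.includes('*')) reasons.push('wildcard script source');
  if (scriptSrc.some(s => /^(data|blob):/i.test(s))) reasons.push('data:/blob: script sources');
  if (!(d['object-src'] || []).includes("'none'")) reasons.push("object-src should be 'none'");
  if (!d['base-uri']) reasons.push('no base-uri: an injected <base> can redirect relative script URLs');
  return reasons;
}

// Session cookie attributes that limit what a script that does run can do:
// HttpOnly keeps the token out of document.cookie; Secure and SameSite limit replay.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
const STRONG_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

console.log(safeHref('javascript:alert(document.cookie)'));      // #
console.log(safeHref('/catalog/default/component/payments-api'));
console.log(cspWeaknesses(WEAK_CSP));
console.log(cspWeaknesses(STRONG_CSP));                             // []
```

The STRONG_CSP policy is a starting point, not a drop-in for Backstage: any policy has to be checked against what the app and its plugins actually load, and tightened in report-only mode first.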
Conclusion
Users should update to at least the patched versions of the affected packages as soon as possible to prevent exploitation of this vulnerability and protect their systems from potential attacks.
As defence in depth, limit who can modify catalog content and require code review for catalog changes: anything stored in the catalog is eventually rendered in other users’ browsers.