
RFC 8183 XML responses submitted via the UI are incorrectly escaped #875

Closed
ximon18 opened this issue Aug 15, 2022 · 6 comments
Labels
bug Something isn't working UI

Comments

@ximon18
Member

ximon18 commented Aug 15, 2022

Krill version: v0.10.0-rc2

Submitting a valid RFC 8183 repository response XML via the Repository tab in the UI will fail with an "Invalid JSON" error.

This appears to be because the Krill server code checks for a leading < character to determine if the request body contains XML as opposed to JSON, but since Lagosta commit NLnetLabs/lagosta@8eb658c the UI, before sending the valid XML, first double quotes the XML and escapes embedded double quotes, e.g. according to Firefox it does the equivalent of the following HTTP POST:

(omitting most HTTP request headers, with added embedded line breaks for readability)

curl 'https://localhost:3000/api/v1/cas/ca_readwrite/repo' \
  -H 'Content-Type: application/json' \
  --data-raw '"\n
<repository_response xmlns=\"http://www.hactrn.net/uris/rpki/rpki-setup/\" version=\"1\" 
publisher_handle=\"ca_readwrite1660229837597\" service_uri=\"https://localhost:3000/rfc8181/ca_readwrite1660229837597/\" sia_base=\"rsync://localhost/repo/ca_readwrite1660229837597/\" rrdp_notification_uri=\"https://localhost/rrdp/notification.xml\">\n
  <repository_bpki_ta>\n
    MIID...r1ZM=\n
  </repository_bpki_ta>\n
</repository_response>"' \
  --compressed \
  --insecure

Note it also still sends a Content-Type: application/json header, which is clearly wrong...

This causes the UI tests to fail. Blindly reverting the Lagosta commit mentioned above "solves" the problem.

@ximon18 ximon18 added bug Something isn't working UI labels Aug 15, 2022
@ximon18
Member Author

ximon18 commented Aug 16, 2022

With Lagosta builds for the following commits the XML POST problem status is as follows:

| Commit | Action Run | POST XML result |
| --- | --- | --- |
| Fix test when setting properties | view | |
| Tag has no matching end tag | view | |
| Revert "yarn upgrade; aka I'm feeling lucky." | view | ✔️ |

@ximon18
Member Author

ximon18 commented Aug 16, 2022

So, reverting the Lagosta Yarn dependencies upgrade resolves the issue. As there are a high number of dependabot security issues open in the Lagosta repo we have to look at the dependencies anyway so for now I'll leave the Yarn upgrade reverted and push the updated Lagosta to the Krill v0.10.0-rc3 branch to resolve this issue.

@ximon18
Member Author

ximon18 commented Aug 16, 2022

This should now be fixed in the v0.10.0-rc3 branch.

@ximon18 ximon18 closed this as completed Aug 16, 2022
@ximon18
Member Author

ximon18 commented Aug 16, 2022

I'll leave this open until we have published v0.10.0-rc3.

@ximon18 ximon18 reopened this Aug 16, 2022
@ximon18
Member Author

ximon18 commented Aug 17, 2022

A divide and conquer approach to upgrading the yarn dependencies for critical and high dependabot security alerts in Lagosta seems to have narrowed the cause of this issue down to upgrading axios from 0.21.1 to 0.21.2.

ximon18 added a commit to NLnetLabs/lagosta that referenced this issue Aug 17, 2022
…thout causing NLnetLabs/krill#875. Don't use content-type application/json for XML as the JSON content-type causes Axios to stringify the non-JSON payload.
@ximon18
Member Author

ximon18 commented Aug 17, 2022

Rather than just revert the yarn upgrades, PR NLnetLabs/lagosta#137 upgrades axios without causing the issue that naive upgrading of axios to 0.21.2 causes. Once this is solved we can also look at upgrading other yarn dependencies safe in the knowledge that this UI breakage was caused by the axios upgrade and not by upgrading other packages.
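The following JavaScript is an added illustration of the two mechanisms described in this thread (the client-side stringification of a string payload when the request is sent as application/json, and the server-side "leading <" sniffing that then fails); it is not code from Lagosta, Krill or Axios. Both `buildRequestBody` and `classifyBody` are simplified models written for this example, the XML is a constructed sample with placeholder values, and the exact way Krill decides between XML and JSON is assumed, not taken from its source.

```javascript
// Constructed sample: a minimal RFC 8183 repository response with placeholder values.
const SAMPLE_XML = [
  '<repository_response xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1"',
  '  publisher_handle="ca_example" service_uri="https://localhost:3000/rfc8181/ca_example/"',
  '  sia_base="rsync://localhost/repo/ca_example/" rrdp_notification_uri="https://localhost/rrdp/notification.xml">',
  '  <repository_bpki_ta>MIID...PLACEHOLDER...r1ZM=</repository_bpki_ta>',
  '</repository_response>',
].join('\n');

// Simplified model (an assumption for this example, not Axios's source) of the request
// transform the thread describes: when the Content-Type is application/json, a string
// payload is run through JSON.stringify, which wraps it in double quotes and escapes the
// embedded quotes and newlines. Any other content type leaves a string body untouched.
function buildRequestBody(data, contentType) {
  const isJson = typeof contentType === 'string' &&
    contentType.toLowerCase().startsWith('application/json');
  if (typeof data === 'string' && !isJson) {
    return data;
  }
  return JSON.stringify(data);
}

// Simplified model (an assumption, not Krill's code) of the server-side check the issue
// describes: a body whose first non-blank character is '<' is treated as XML; anything
// else must parse as a JSON object, otherwise it is rejected as invalid JSON.
function classifyBody(body) {
  const trimmed = body.trimStart();
  if (trimmed.startsWith('<')) return 'xml';
  try {
    const parsed = JSON.parse(trimmed);
    if (parsed !== null && typeof parsed === 'object') return 'json';
  } catch (_) {
    // Not JSON at all; fall through to the rejection below.
  }
  return 'invalid';
}

// Runs the client transform and the server check together for one content type,
// so the broken (application/json) and corrected (application/xml) requests can be compared.
function submitRepositoryResponse(xml, contentType) {
  const body = buildRequestBody(xml, contentType);
  return { contentType, body, outcome: classifyBody(body) };
}

// Stand-alone demonstration of both requests.
for (const ct of ['application/json', 'application/xml']) {
  const r = submitRepositoryResponse(SAMPLE_XML, ct);
  console.log(`${ct}: outcome=${r.outcome}, body begins ${JSON.stringify(r.body.slice(0, 30))}`);
}
```

With application/json the body becomes a JSON string literal (`"<repository_response xmlns=\"http://...`), so the first character is `"` rather than `<` and the server falls back to JSON parsing, which yields a string instead of an object; with application/xml the XML passes through unchanged and is recognised as XML.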
