[ICE-11365] SECURITY: Potential 'eval' injection risk in gmap.js - ICEsoft JIRA Issue Tracker

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.2, EE-3.3.0.GA_P05
Fix Version/s: 4.3, EE-3.3.0.GA_P06
Component/s: ACE-Components
Labels:
None
Environment:
Any

Assignee Priority:
P1

Description

After working on ~~ICE-11362~~, it was noted that our javascript code in gmap.js uses several eval() calls. Our code should be refactored to avoid the use of the eval() function.

Activity

Descending order - Click to sort in ascending order

Hide

Permalink

Liana Munroe added a comment - 03/Oct/17 10:13 AM

Verified ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51981, Tomcat 8, FF 53, Chrome 61, MS Edge, IE 11, 10.

Show

Liana Munroe added a comment - 03/Oct/17 10:13 AM Verified ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51981, Tomcat 8, FF 53, Chrome 61, MS Edge, IE 11, 10.

Hide

Permalink

Mircea Toma added a comment - 02/Oct/17 2:39 PM

Missed commiting one of the changes. Fixed now.

Show

Mircea Toma added a comment - 02/Oct/17 2:39 PM Missed commiting one of the changes. Fixed now.

Hide

Permalink

Liana Munroe added a comment - 29/Sep/17 9:55 AM

Tested with ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51969, Tomcat 8, FF 53, Chrome 61, MS Edge, IE 11, 10.
When interacting with the events in the EE-3.3.0 showcase ace:gMap > Google events demo the following console error (or similar) is seen in all browsers:

TypeError: callback is not a function
http://localhost:8080/showcase/javax.faces.resource/coalesced.js.jsf?ln=ice.core&dgst=xgfx05
Line 52362

Show

Liana Munroe added a comment - 29/Sep/17 9:55 AM Tested with ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51969, Tomcat 8, FF 53, Chrome 61, MS Edge, IE 11, 10. When interacting with the events in the EE-3.3.0 showcase ace:gMap > Google events demo the following console error (or similar) is seen in all browsers: TypeError: callback is not a function http: //localhost:8080/showcase/javax.faces.resource/coalesced.js.jsf?ln=ice.core&dgst=xgfx05 Line 52362

Hide

Permalink

Mircea Toma added a comment - 27/Sep/17 11:16 AM

Fix default value for 'options' attribute. Do not rely on a magic word to avoid sending options.

Show

Mircea Toma added a comment - 27/Sep/17 11:16 AM Fix default value for 'options' attribute. Do not rely on a magic word to avoid sending options.

Hide

Permalink

Liana Munroe added a comment - 26/Sep/17 2:50 PM

Tested showcase gMap demos with ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51943 Tomcat 8, Chrome 61, MS Edge, IE 11, 10, 9, 8

A console error in the showcase gMapEvent > Overview demo was introduced at r51726

Uncaught ReferenceError: none is not defined
showcase.jsf?grp=ace%3AgMapEvent&exp=Overview:260 
    at HTMLDocument.<anonymous> (showcase.jsf?grp=ace%3AgMapEvent&exp=Overview:260)
    at fire (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3099)
    at Object.fireWith [as resolveWith] (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3211)
    at Function.ready (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3423)
    at HTMLDocument.completed (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3453)

A console error in the showcase gMapLayer > Overview demo was introduced at r51726. The error is seen when selecting one of the radiobuttons. After making selections the expected layers do not render on the map.

VM3085:1 Uncaught ReferenceError: Skip is not defined
    at HTMLDocument.<anonymous> (<anonymous>:1:139)
    at m (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:69)
    at Object.add [as done] (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:69)
    at d.fn.init.d.fn.ready (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:74)
    at h.fn.init.d.fn.init (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:64)

Show

Liana Munroe added a comment - 26/Sep/17 2:50 PM Tested showcase gMap demos with ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51943 Tomcat 8, Chrome 61, MS Edge, IE 11, 10, 9, 8 A console error in the showcase gMapEvent > Overview demo was introduced at r51726 Uncaught ReferenceError: none is not defined showcase.jsf?grp=ace%3AgMapEvent&exp=Overview:260 at HTMLDocument.<anonymous> (showcase.jsf?grp=ace%3AgMapEvent&exp=Overview:260) at fire (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3099) at Object .fireWith [as resolveWith] (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3211) at Function.ready (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3423) at HTMLDocument.completed (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3453) A console error in the showcase gMapLayer > Overview demo was introduced at r51726. The error is seen when selecting one of the radiobuttons. After making selections the expected layers do not render on the map. VM3085:1 Uncaught ReferenceError: Skip is not defined at HTMLDocument.<anonymous> (<anonymous>:1:139) at m (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:69) at Object .add [as done] (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:69) at d.fn.init.d.fn.ready (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:74) at h.fn.init.d.fn.init (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:64)

Hide

Permalink

Mircea Toma added a comment - 25/Sep/17 5:02 PM

Modified component code to avoid evaluating JS snippets that can include code injected through component attributes. Instead generate (on the server side) parse JSON structures.

Show

Mircea Toma added a comment - 25/Sep/17 5:02 PM Modified component code to avoid evaluating JS snippets that can include code injected through component attributes. Instead generate (on the server side) parse JSON structures.

People

Assignee:

Mircea Toma

Reporter:

Arturo Zambrano

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

13/Sep/17 6:27 PM

Updated:

29/Oct/21 5:31 PM

Resolved:

02/Oct/17 2:39 PM