ICEfaces / ICE-11365

SECURITY: Potential 'eval' injection risk in gmap.js

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2, EE-3.3.0.GA_P05
    • Fix Version/s: 4.3, EE-3.3.0.GA_P06
    • Component/s: ACE-Components
    • Labels:
      None
    • Environment:
      Any
    • Assignee Priority:
      P1

      Description

      After working on ICE-11362, it was noted that our JavaScript code in gmap.js uses several eval() calls. Our code should be refactored to avoid the use of the eval() function.

        Activity

        Arturo Zambrano created issue -
        Arturo Zambrano made changes -
        Field Original Value New Value
        Assignee Arturo Zambrano [ artzambrano ]
        Arturo Zambrano made changes -
        Fix Version/s 4.3 [ 13096 ]
        Arturo Zambrano made changes -
        Fix Version/s EE-3.3.0.GA_P06 [ 13114 ]
        Ken Fyten made changes -
        Assignee Arturo Zambrano [ artzambrano ] Mircea Toma [ mircea.toma ]
        Ken Fyten made changes -
        Assignee Priority P1 [ 10010 ]
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51924 Wed Sep 20 13:01:32 MDT 2017 mircea.toma ICE-11365 Use Number() function to transform strings to numbers.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51925 Wed Sep 20 16:10:32 MDT 2017 mircea.toma ICE-11365 Parse and interpret the list of locations instead of blindly evaluate them.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51926 Wed Sep 20 16:26:56 MDT 2017 mircea.toma ICE-11365 Fix regex for coordinates.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51930 Thu Sep 21 16:55:39 MDT 2017 mircea.toma ICE-11365 Modified Gmap renderers to send the 'options' parameter as JSON object (fully parsed on server side) and thus avoid any evaluation on the client.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapLayerRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapMarkerRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapOverlayRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapServicesRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapInfoWindowRenderer.java
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51931 Thu Sep 21 17:18:10 MDT 2017 mircea.toma ICE-11365 Modify renderer to pass callback function instead of free form script.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapEventRenderer.java
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51932 Thu Sep 21 17:21:36 MDT 2017 mircea.toma ICE-11365 Add semicolons where required.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51933 Thu Sep 21 17:26:06 MDT 2017 mircea.toma ICE-11365 Simplify code.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51934 Thu Sep 21 17:39:35 MDT 2017 mircea.toma ICE-11365 Fix and simplify ice.ace.gMap.addEvent function.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51935 Thu Sep 21 17:40:37 MDT 2017 mircea.toma ICE-11365 Reformat code.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51938 Mon Sep 25 15:34:48 MDT 2017 mircea.toma ICE-11365 Fix how options are sent. Modify name to constant mapping functions.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapLayerRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapMarkerRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapOverlayRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapServicesRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapRenderer.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapInfoWindowRenderer.java
        Mircea Toma added a comment -

        Modified component code to avoid evaluating JS snippets that can include code injected through component attributes. Instead, generate (on the server side) parsed JSON structures.
        Mircea Toma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
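
The refactoring named in the commit messages and the comment above (Number() for numeric strings, a parser for the list of locations, name-to-constant mapping, options sent as JSON) is sketched here as an added example. It is not the ICEfaces gmap.js code; the function names, the "(lat,lng);(lat,lng)" list format and the constants table are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the ICEfaces gmap.js code.

// Pattern the issue asks to remove (shown only as a comment):
//   var latLng = eval('[' + attributeValue + ']');  // runs whatever the attribute contains

// Strict grammar for one decimal coordinate: optional sign, digits, optional fraction.
const COORD = /^\s*-?\d{1,3}(?:\.\d+)?\s*$/;

// Parse "lat,lng" with a regex plus Number(); anything else is rejected, never executed.
function parseLatLng(text) {
  const parts = String(text).split(',');
  if (parts.length !== 2 || !parts.every((p) => COORD.test(p))) return null;
  const [lat, lng] = parts.map(Number);
  if (Math.abs(lat) > 90 || Math.abs(lng) > 180) return null;
  return { lat, lng };
}

// Parse a list such as "(51.05,-114.07);(45.42,-75.69)" (assumed format) into objects.
function parseLocations(text) {
  const out = [];
  for (const item of String(text).split(';')) {
    const m = /^\s*\(([^()]*)\)\s*$/.exec(item);
    const point = m && parseLatLng(m[1]);
    if (!point) throw new SyntaxError('invalid location: ' + JSON.stringify(item));
    out.push(point);
  }
  return out;
}

// Name-to-constant mapping: a fixed table instead of eval('google.maps.MapTypeId.' + name).
// The table is a constructed stand-in so the example runs without the Maps API.
const MAP_TYPES = Object.freeze({ ROADMAP: 'roadmap', SATELLITE: 'satellite', HYBRID: 'hybrid', TERRAIN: 'terrain' });
function mapTypeFor(name) {
  const key = String(name).toUpperCase();
  return Object.prototype.hasOwnProperty.call(MAP_TYPES, key) ? MAP_TYPES[key] : MAP_TYPES.ROADMAP;
}

// Options arrive as JSON text produced by the server; JSON.parse yields data only.
// An absent or empty value means "no options", so no sentinel word is needed.
function parseOptions(json) {
  if (json === undefined || json === null || json === '') return {};
  const value = JSON.parse(json);
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new TypeError('options must be a JSON object');
  }
  return value;
}
```
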
        Liana Munroe added a comment -

        Tested showcase gMap demos with ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51943, Tomcat 8, Chrome 61, MS Edge, IE 11, 10, 9, 8.

        A console error in the showcase gMapEvent > Overview demo was introduced at r51726

        Uncaught ReferenceError: none is not defined
        showcase.jsf?grp=ace%3AgMapEvent&exp=Overview:260 
            at HTMLDocument.<anonymous> (showcase.jsf?grp=ace%3AgMapEvent&exp=Overview:260)
            at fire (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3099)
            at Object.fireWith [as resolveWith] (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3211)
            at Function.ready (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3423)
            at HTMLDocument.completed (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:3453)
        

        A console error in the showcase gMapLayer > Overview demo was introduced at r51726. The error is seen when selecting one of the radio buttons. After making selections the expected layers do not render on the map.

        VM3085:1 Uncaught ReferenceError: Skip is not defined
            at HTMLDocument.<anonymous> (<anonymous>:1:139)
            at m (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:69)
            at Object.add [as done] (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:69)
            at d.fn.init.d.fn.ready (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:74)
            at h.fn.init.d.fn.init (coalesced.js.jsf?ln=ice.core&dgst=o4f8tk:64)
        
        Liana Munroe made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Mircea Toma added a comment -

        Fix default value for 'options' attribute. Do not rely on a magic word to avoid sending options.

        Mircea Toma made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #51949 Wed Sep 27 11:39:45 MDT 2017 mircea.toma ICE-11365 Fix default value for 'options' attribute. Do not rely on a magic word to avoid sending options.
        Files Changed
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapMarkerMeta.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapLayerMeta.java
        Commit graph MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapInfoWindowMeta.java
        Liana Munroe added a comment -

        Tested with ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51969, Tomcat 8, FF 53, Chrome 61, MS Edge, IE 11, 10.
        When interacting with the events in the EE-3.3.0 showcase ace:gMap > Google events demo the following console error (or similar) is seen in all browsers:

        TypeError: callback is not a function
        http://localhost:8080/showcase/javax.faces.resource/coalesced.js.jsf?ln=ice.core&dgst=xgfx05
        Line 52362
        
        Liana Munroe made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Mircea Toma added a comment -

        Missed committing one of the changes. Fixed now.

        Mircea Toma made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Liana Munroe added a comment -

        Verified ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51981, Tomcat 8, FF 53, Chrome 61, MS Edge, IE 11, 10.

        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Mircea Toma
            Reporter:
            Arturo Zambrano
          • Votes:
            0
            Watchers:
            3
