
SECURITY: Potential 'eval' injection risk in gmap.js

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P09
    • Fix Version/s: EE-1.8.2.GA_P10
    • Component/s: Bridge
    • Labels:
      None
    • Environment:
      Any

      Description

      After some recent work regarding potential eval injection risks in ICEfaces 3.3 and 4.2, our ICEfaces 1.8.2 code should be surveyed for other potentially dangerous uses of the eval() function, and those uses should be refactored to avoid using the eval() function.

        Activity

        Arturo Zambrano added a comment -

        The survey was carried out, and only the gmap code needed to be refactored.

        For the sake of completeness, here's a list of all the files that use the eval() function in some way in the 1.8.2 codebase.

        /bridge/lib/element.js
        /bridge/lib/prototype/lang.js
        /bridge/src/script.js
        These framework scripts use it for evaluating contents of entire <script> elements.

        /bridge/lib/scriptaculous/controls.js @790
        /bridge/lib/extras/initializer.js @41,@56
        /bridge/lib/extras/repository.js @39
        These scripts contain instances that are not actually used by any static JavaScript file or Java-rendered dynamic JavaScript code.

        /bridge/lib/extras/extras.js
        @711 evaluates the 'handler' attribute of the ice:jsEventListener component, which is unlikely to be set by user input and is meant to be an entire function.

        /bridge/lib/extras/gmap.js
        Contained a few instances that could contain user input. The overlay functions were removed, since there actually isn't a GMap overlay component in 1.8.2.

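The kind of refactoring the ticket describes, shown as an added illustration that is not ICEfaces code: a bridge that applied a server-rendered option string through eval() beside a version that parses the string into an allow-listed method name plus a JSON argument. The option-string format, the method names and the FakeMap stand-in are all hypothetical.

```javascript
// Hypothetical illustration, not ICEfaces code: a component bridge receives a
// string of map options from a server-rendered attribute and applies them.

// Constructed stand-in for a map object so the example runs offline.
function FakeMap() { this.zoom = null; this.type = null; }
FakeMap.prototype.setZoom = function (z) { this.zoom = z; };
FakeMap.prototype.setMapType = function (t) { this.type = t; };

// BEFORE: the option string is spliced into source text and handed to eval().
// Whatever reaches that attribute (for example a value echoed back from a
// request parameter) runs as script in the page's origin.
function applyOptionsUnsafe(map, optionString) {
  // optionString looks like 'setZoom(12);setMapType("satellite")'
  eval('map.' + optionString.split(';').join(';map.'));
}

// AFTER: parse the string into (method, argument) pairs, dispatch only through
// a fixed table of allowed methods, and treat the argument as JSON data rather
// than as an expression. Nothing from the attribute ever becomes code.
var ALLOWED = { setZoom: 'number', setMapType: 'string' };

function parseOptions(optionString) {
  var ops = [];
  var parts = optionString.split(';');
  for (var i = 0; i < parts.length; i++) {
    var m = /^\s*([A-Za-z_]\w*)\s*\((.*)\)\s*$/.exec(parts[i]);
    if (!m) throw new Error('malformed option: ' + parts[i]);
    var method = m[1], arg;
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, method)) {
      throw new Error('method not allowed: ' + method);
    }
    try { arg = JSON.parse(m[2]); } catch (e) {
      throw new Error('argument is not plain data: ' + m[2]);
    }
    if (typeof arg !== ALLOWED[method]) {
      throw new Error('wrong argument type for ' + method);
    }
    ops.push([method, arg]);
  }
  return ops;
}

// Returns the number of options applied; throws on anything outside the table.
function applyOptionsSafe(map, optionString) {
  var ops = parseOptions(optionString);
  for (var i = 0; i < ops.length; i++) map[ops[i][0]](ops[i][1]);
  return ops.length;
}
```

The safe variant still accepts the well-formed strings the component renders itself, but an argument that is an expression rather than a JSON literal, or a method outside ALLOWED, is rejected before anything is called.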
        Arturo Zambrano added a comment -

        r52042: refactored potentially dangerous uses of the eval() function to avoid using it

        Liana Munroe added a comment -

        Verified ICEfaces 1.8.2 r52062, Tomcat 8, WAS 8.5.5.11, MS Edge, Chrome 63, FF 53.


          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Arturo Zambrano
          • Votes:
            0
          • Watchers:
            2
