ICEfaces / ICE-11372

SECURITY: Potential 'eval' injection risk in gmap.js

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P09
    • Fix Version/s: EE-1.8.2.GA_P10
    • Component/s: Bridge
    • Labels:
      None
    • Environment:
      Any

      Description

      After some recent work regarding potential eval injection risks in ICEfaces 3.3 and 4.2, our ICEfaces 1.8.2 code should be surveyed for other potentially dangerous uses of the eval() function, and those uses should be refactored to avoid using the eval() function.

        Activity

        Arturo Zambrano created issue -
        Arturo Zambrano made changes -
        Field Original Value New Value
        Assignee Arturo Zambrano [ artzambrano ]
        Arturo Zambrano made changes -
        Fix Version/s EE-1.8.2.GA_P10 [ 13089 ]
        Arturo Zambrano added a comment -

        The survey was carried out, and only the gmap code needed to be refactored.

        For the sake of completeness, here's a list of all the files that use the eval() function in some way in the 1.8.2 codebase.

        /bridge/lib/element.js
        /bridge/lib/prototype/lang.js
        /bridge/src/script.js
        These framework scripts use it for evaluating contents of entire <script> elements.

        /bridge/lib/scriptaculous/controls.js @790
        /bridge/lib/extras/initializer.js @41,@56
        /bridge/lib/extras/repository.js @39
        These scripts contain instances that are not actually used by any static JavaScript file or Java-rendered dynamic JavaScript code.

        /bridge/lib/extras/extras.js
        @711 evaluates the 'handler' attribute of the ice:jsEventListener component, which is unlikely to be set by user input and is meant to be an entire function.

        /bridge/lib/extras/gmap.js
        Contained a few instances that could contain user input. The overlay functions were removed, since there actually isn't a GMap overlay component in 1.8.2.
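
The kind of survey described in the comment above, as an added example that is not ICEfaces code and not the tooling the author used: a small scanner that lists `eval(` call sites per file in the same `@line` notation, skipping comments and string literals. The function names and the sample files are constructed for illustration, and regex literals are not parsed, so each hit still needs manual review.

```javascript
// Added example (not ICEfaces code). Returns the line numbers of eval( call
// sites in JavaScript source text, ignoring comments and string literals.
function findEvalSites(source) {
  const sites = [];
  let line = 1;
  let state = 'code'; // 'code', 'line' (// comment), 'block' (/* */), or a quote char
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    const next = source[i + 1];
    if (c === '\n') {
      line++;
      // Line comments and '...' / "..." strings cannot span a raw newline.
      if (state === 'line' || state === '"' || state === "'") state = 'code';
      continue;
    }
    if (state === 'line') continue;
    if (state === 'block') {
      if (c === '*' && next === '/') { state = 'code'; i++; }
      continue;
    }
    if (state !== 'code') { // inside a string literal
      if (c === '\\') { if (next === '\n') line++; i++; }
      else if (c === state) state = 'code';
      continue;
    }
    if (c === '/' && next === '/') { state = 'line'; i++; continue; }
    if (c === '/' && next === '*') { state = 'block'; i++; continue; }
    if (c === '"' || c === "'" || c === '`') { state = c; continue; }
    // Match the identifier eval followed by "(", not names like retrieval( or evaluate(.
    if (source.startsWith('eval', i) && !/[\w$]/.test(source[i - 1] || '') &&
        /^eval\s*\(/.test(source.slice(i, i + 16))) {
      sites.push(line);
    }
  }
  return sites;
}

// Formats one "path @line,@line" entry per file that has at least one hit.
function surveyEval(files) {
  return Object.keys(files)
    .map((path) => ({ path, lines: findEvalSites(files[path]) }))
    .filter((f) => f.lines.length > 0)
    .map((f) => f.path + ' ' + f.lines.map((n) => '@' + n).join(','));
}

// Constructed sample input; these paths and contents are hypothetical.
const sampleFiles = {
  '/sample/a.js': 'var x = 1;\n// eval(old)\nvar s = "eval(text)";\neval(code);\n',
  '/sample/b.js': 'function retrieval(q) {}\n/* eval(\n x) */ window.eval (q);\n',
  '/sample/c.js': 'var evaluate = function (e) { return e; };\n',
};
console.log(surveyEval(sampleFiles).join('\n'));
```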

        Arturo Zambrano added a comment -

        r52042: refactored potentially dangerous uses of the eval() function to avoid using it

        Arturo Zambrano made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Repository: ICEsoft Public SVN Repository
        Revision: #52042
        Date: Mon Oct 30 19:49:32 MDT 2017
        User: art.zambrano
        Message: ICE-11372 refactored potentially dangerous uses of the eval() function to avoid using it
        Files Changed
        MODIFY /icefaces/trunk/icefaces/bridge/lib/extras/gmap.js
        MODIFY /icefaces/trunk/icefaces/component/src/com/icesoft/faces/component/gmap/GMapMarker.java
        Liana Munroe added a comment -

        Verified ICEfaces 1.8.2 r52062, Tomcat 8, WAS 8.5.5.11, MS Edge, Chrome 63, FF 53.

        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee: Arturo Zambrano
          • Reporter: Arturo Zambrano
          • Votes: 0
          • Watchers: 2
