fix(security): fixing possible xss issue in parsed objects #1119
Conversation
|
With this fix, there is still some meddling required on the angular side though.
|
|
I started playing around with this branch, and noticed a couple of issues..
Test this with both logged in users, and non authenticated user, to see these behaviors. As for the issue of injecting that script into the username field, we can add some validation logic using Angular, right? |
| @@ -45,7 +45,17 @@ | |||
|
|
|||
| <!--Embedding The User Object--> | |||
| <script type="text/javascript"> | |||
| var user = {{ user | json | safe }}; | |||
| var user = { | |||
| displayName: "{{ user.displayName | escape }}", | |||
There was a problem hiding this comment.
Where is this user object coming from? Is it getting it from the session middleware when the page is rendered?
If would be nice to have some sort of condition here that would check if the user data is populated. If it's not then set this new user object to undefined or null.
Is that possible here? Perhaps, with a locals variable?
There was a problem hiding this comment.
the user object comes from the server's response object/express variables.
that view is server-side view, not angular.
on your comment with not setting it, how about setting to an empty object rather than null/undefined? is that safer?
There was a problem hiding this comment.
This part of the express middleware is still a bit elusive to me; meaning I don't understand it that well..
This is how I'm perceiving it to be working, in regards to the Authentication service. When this object is set on the browser, it becomes accessible through $window.user. Is that correct?
With the above assumption..
I think we can just set this variable to an empty object. However, how would we do this? In the current state of this PR, if the user isn't authenticated then the express variable is undefined. Thus, this variable is set to the following..
{
displayName: "",
provider: "",
username: "",
created: "",
roles: "",
profileImageURL: "",
email: "",
lastName: "",
firstName: ""
}This is probably sufficient, and we'd avoid making significant changes to the backend request/express user variable. However, we need to adjust the logic in the Authentication service. At this line https://github.com/meanjs/mean/blob/master/modules/users/client/services/authentication.client.service.js#L7, we probably can change it to..
user: $window.user.username.length ? $window.user : {}, or something similar
|
@mleanos I didn't get your 2nd bullet about seeing another user's session when not logged in... sounds very bad. Can you explain better? Also, you can go ahead and commit to my branch all the changes concerning the angular part. |
|
@lirantal Regarding my 2nd point.. I was monitoring what the browser's user object was getting set to, by viewing the source of the page. When I wasn't logged in, I navigated to the Articles list view & viewed the page source. The user object was set to my previously logged in user. My guess, is that it pulled it from the browser cookie. I only experienced this in Chrome, and not Firefox; I only tested with these two browsers. Can you try to reproduce? |
|
@lirantal Also, what changes do you see needed on the Angular side of things? I'm more than happy to submit them to your branch. Some of these changes could include the following..
Anything else? |
lirantal
force-pushed
the
bugfix/xss_and_validations
branch
from
98ec3c9 to
c494f84
Compare
|
@mleanos about the actual changes required - I refactored so that the change is only happening in the server-side, including the sanitizing before echo'ing back to the frontend to render. On the Angular part - see my screenshot above - it requires "re-encoding" the data back on the view layer so that it doesn't show the HTML entities decoded. EDIT - actually re-testing this it looks ok. |
|
@codydaig @mleanos as to the other weird issue reported - I'm able to reproduce this:
any ideas? |
|
@lirantal Nice. Yea, keeping the changes on the server-side is the best way to go. Also, so much of the framework expects null (or undefined) for the user object when not logged in. It will take some work to refactor everything to expect an empty object. If we decide an empty object is better, we can tackle that in a new PR. I've re-synced to your latest change, and tested. I can verify the E2E tests are passing now. And now there's no need to refactor the Authentication service. I'm about to try to reproduce your issue. Did you have any success reproducing what I reported above? Quick question: Only applying the |
|
@lirantal I wasn't able to reproduce the issue you described. I was experiencing odd-ish behavior with the user object on the page, and it appeared to be related to previous browsing history. I cleared my cookies & browsing history for my local meanjs host. After that, the odd behavior went away. Perhaps try to do the same, and see if you still experience your issue. After removing history/cookies in Chrome, I'm still seeing the same behavior I reported above. However, once I do a hard refresh (CTRL+F5) of the page, the data isn't there anymore. It's weird tho, that even after clearing the cookies, the data would still be there until I do the hard refresh. I think we can chalk these issues up to browser (cache) issues. WDYT? |
|
Thanks for the feedback @mleanos |
lirantal
force-pushed
the
bugfix/xss_and_validations
branch
from
c494f84 to
2b0ae86
Compare
|
@mleanos addressed changes. |
|
LGTM, other than the coverage. It looks like we just don't have tests specifically for the core server controller; the little coverage that file has is coming from other tests. |
|
Right, the code coverage is a bit harder in that area because if you inspect the missing statements at https://coveralls.io/builds/4587050/source?filename=..%2Fmodules%2Fcore%2Fserver%2Fcontrollers%2Fcore.server.controller.js then you clearly see these are basically the actual interaction with the page and error handling. |
|
@lirantal for me it says source is unavailable. Does that link work for you? |
|
@ilanbiala try this: https://coveralls.io/builds/4587050 and scroll down to click on the actual controller file |
|
@ilanbiala @lirantal I'm getting the same error "Source not available" even with @lirantal's other link. |
|
For these statements, can't we actually make a request and test the header and content-type? Then it will test these lines, no? |
|
That's really odd, about not being able to see the coverage on that file. @ilanbiala I think you're right. We can just a request, and test the header & content-type. We'll need to have tests for both logged in users, and non-authenticated users. I think |
|
The server-side route tests simply don't touch these areas, I don't think it's related to header or content-type. I'll try to work on adding these for these areas too. |
|
Merging fix for now. |
fix(security): fixing possible xss issue in parsed objects
To handle potential security issues with XSS - the following PR introduces:
Fixes #1106