Opened 10 years ago

Closed 9 years ago

Last modified 9 years ago

#10694 closed defect (fixed)

Document json method security limitations

Reported by: Adam Peller Owned by: Kris Zyp
Priority: high Milestone: 1.5
Component: General Version: 1.4.0
Keywords: Cc:
Blocked By: Blocking:

Description

I've been asked if we could document that dojo and dojox json routines assume that the json comes from a secure source. It would be bad programming practice to pass in an unchecked string through a proxy, and there are a couple of other ways one might sneak a string from one site to another without routing through a server, but it would probably be a good idea to call this out.

Change History (6)

comment:1 Changed 10 years ago by Kris Zyp

Places where parsing of text that is expected to be secure can be found by searching for "eval(" in the codebase. Unfortunately, there are a large number of places where we use eval in Dojo. There are a few of these evals which do security checks prior to eval (dojox.secure.* and dojox.json.query), but most of the others are unchecked if data came from an unfiltered source. It is a little tricky to determine which of these eval statements could (with a reasonable likelihood) be potential endpoints for server originated JSON and which ones would only come from more deterministic points in secure code. I can try to help identify points of insecurity, but it can be a blurry line.

comment:2 Changed 10 years ago by Adam Peller

Priority: normal → high

comment:3 Changed 9 years ago by Kris Zyp

Not sure where you want this, but here is my list of where we do unchecked evals/fromJson calls:

dojo:

hostenv_*.js - loading djConfig
json.js - eval used for loading json
xhr.js - eval used for loading javascript
io/iframe.js - eval used for handleAs json and javascript
rpc/RpcService.js - eval used to parse SMD files
dojo.js - eval used during bootstrap to load initial files
cookie - fromJson used for parsing config information

dojox:

charting - eval used frequently for parsing config information
data/AndOrReadStore - eval used for evaluating queries
data/KeyValueStore - eval used for evaluating data
drawing - eval used for parsing config information
embed/Flash.js - eval used to parse results from flash responses
flash - eval used to parse results from flash responses
json/query.js - eval (with controlled syntax) used for evaluating queries
json/ref.js - eval (with controlled syntax) for references
jsonPath/query.js - eval used for evaluating queries
lang/utils - eval used for type coercion
robot - eval used for interpreting events
secure/sandbox - provides secure eval
sql/_crypto - eval used for parsing config information
storage/* - All providers use eval/fromJson to parse stored values
widget/Rotator - eval used frequently for parsing config information
widget/UpgradeBar - eval used frequently for parsing config information
cometd/RestChannels - fromJson used for parsing server responses
data/StoreExplorer - fromJson used for user entry of new values
dtl - fromJson used to parse lazy loaded files
form/ListInput - fromJson used to parse input properties
io/xhrWindowNamePlugin - fromJson used if server response is explicitly defined to be trusted
rpc/JsonRPC - fromJson used for server responses
rpc/OfflineRest - fromJson used for parsing stored data in database
rpc/Service - fromJson used to parse SMD file
sketch/Annotation - fromJson used to parse node attributes

comment:4 Changed 9 years ago by Kris Zyp

Resolution: fixed
Status: new → closed

Again reformatted:

dojo:

hostenv_*.js - loading djConfig

json.js - eval used for loading json

xhr.js - eval used for loading javascript

io/iframe.js - eval used for handleAs json and javascript

rpc/RpcService.js - eval used to parse SMD files

dojo.js - eval used during bootstrap to load initial files

cookie - fromJson used for parsing config information

dojox:

charting - eval used frequently for parsing config information

data/AndOrReadStore - eval used for evaluating queries

data/KeyValueStore - eval used for evaluating data

drawing - eval used for parsing config information

embed/Flash.js - eval used to parse results from flash responses

flash - eval used to parse results from flash responses

json/query.js - eval (with controlled syntax) used for evaluating queries

json/ref.js - eval (with controlled syntax) for references

jsonPath/query.js - eval used for evaluating queries

lang/utils - eval used for type coercion

robot - eval used for interpreting events

secure/sandbox - provides secure eval

sql/_crypto - eval used for parsing config information

storage/* - All providers use eval/fromJson to parse stored values

widget/Rotator - eval used frequently for parsing config information

widget/UpgradeBar - eval used frequently for parsing config information

cometd/RestChannels - fromJson used for parsing server responses

data/StoreExplorer - fromJson used for user entry of new values

dtl - fromJson used to parse lazy loaded files

form/ListInput - fromJson used to parse input properties

io/xhrWindowNamePlugin - fromJson used if server response is explicitly defined to be trusted

rpc/JsonRPC - fromJson used for server responses

rpc/OfflineRest - fromJson used for parsing stored data in database

rpc/Service - fromJson used to parse SMD file

sketch/Annotation - fromJson used to parse node attributes

comment:5 Changed 9 years ago by Adam Peller

Kris - thanks for this list. Module owners should likely review each one of these.

It's arbitrary, but how about just documenting security implications of the json methods for now for 1.5? That seems to have the highest exposure, being in dojo._base and taking args and eval'ing them directly. Programmers need to be aware not to do things like take data from untrusted sources and pass it in to fromJson.
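The exposure the description and comment:5 point at, as an added example that is not Dojo's code: legacyFromJson is an illustrative reimplementation of the eval-based parsing pattern the comment warns about (not dojo.fromJson itself), strictFromJson is the hardened form using JSON.parse, and the constructed inputs show why the difference matters when the string does not come from a trusted source. It assumes a runtime with a native JSON object, which not every browser of the 1.4 era had.

```javascript
// Illustrative eval-based parser in the style the ticket warns about
// (an added reimplementation of the pattern, not dojo.fromJson itself).
function legacyFromJson(text) {
  // The parentheses make a bare object literal parse as an expression, but
  // eval accepts any JavaScript expression, not only the JSON grammar.
  return eval("(" + text + ")");
}

// Hardened form: JSON.parse accepts only JSON and throws on anything else.
function strictFromJson(text) {
  return JSON.parse(text);
}

// Runs both parsers on one input and records whether the strict one rejected it.
function compareParsers(text) {
  var report = { legacy: legacyFromJson(text), strict: null, strictRejected: false };
  try {
    report.strict = strictFromJson(text);
  } catch (e) {
    report.strictRejected = true;
  }
  return report;
}

// Constructed sample inputs (not taken from any real server response).
var BENIGN = '{"count": 2, "tags": ["a", "b"]}';
// Valid JavaScript but not JSON: an eval-based parser computes the expression.
var EXPRESSION = '{"count": 1 + 1}';
// Also valid JavaScript: evaluating it runs code in the page's own scope. The
// "probe" object stands in for any page state an untrusted string could reach.
var probe = { ran: 0 };
var SIDE_EFFECT = '{"count": probe.ran++}';

function demo() {
  var benign = compareParsers(BENIGN);
  var expression = compareParsers(EXPRESSION);
  var before = probe.ran;
  var sideEffect = compareParsers(SIDE_EFFECT);
  var ranTimes = probe.ran - before;
  console.log("benign:      legacy=" + benign.legacy.count + " strict=" + benign.strict.count);
  console.log("expression:  legacy=" + expression.legacy.count +
              " strictRejected=" + expression.strictRejected);
  console.log("side effect: code ran " + ranTimes + " time(s), strictRejected=" +
              sideEffect.strictRejected);
  return { benign: benign, expression: expression, sideEffect: sideEffect, ranTimes: ranTimes };
}

demo();
```

The benign document parses identically either way; the other two inputs are accepted and executed by the eval-based parser but rejected outright by JSON.parse, which is the behaviour the warning in the json method docs needs callers to rely on.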

comment:6 Changed 9 years ago by Adam Peller

(In [22334]) security warning. Refs #10694
