#10694 closed defect (fixed)
Document json method security limitations
| Reported by: | Adam Peller | Owned by: | Kris Zyp |
|---|---|---|---|
| Priority: | high | Milestone: | 1.5 |
| Component: | General | Version: | 1.4.0 |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
Description
I've been asked if we could document that dojo and dojox json routines assume that the json comes from a secure source. It would be bad programming practice to pass in an unchecked string through a proxy, and there are a couple of other ways one might sneak a string from one site to another without routing through a server, but it would probably be a good idea to call this out.
Change History (6)
comment:1 Changed 11 years ago by
comment:2 Changed 11 years ago by
| Priority: | normal → high |
|---|---|
comment:3 Changed 11 years ago by
Not sure where you want this, but here is my list of where we do unchecked evals/fromJson calls:
dojo:
hostenv_*.js - loading djConfig
json.js - eval used for loading json
xhr.js - eval used for loading javascript
io/iframe.js - eval used for handleAs json and javascript
rpc/RpcService.js - eval used to parse SMD files
dojo.js - eval used during bootstrap to load initial files
cookie - fromJson used for parsing config information
dojox:
charting - eval used frequently for parsing config information
data/AndOrReadStore - eval used for evaluating queries
data/KeyValueStore - eval used for evaluating data
drawing - eval used for parsing config information
embed/Flash.js - eval used to parse results from flash responses
flash - eval used to parse results from flash responses
json/query.js - eval (with controlled syntax) used for evaluating queries
json/ref.js - eval (with controlled syntax) for references
jsonPath/query.js - eval used for evaluating queries
lang/utils - eval used for type coercion
robot - eval used for interpreting events
secure/sandbox - provides secure eval
sql/_crypto - eval used for parsing config information
storage/* - All providers use eval/fromJson to parse stored values
widget/Rotator - eval used frequently for parsing config information
widget/UpgradeBar - eval used frequently for parsing config information
cometd/RestChannels - fromJson used for parsing server responses
data/StoreExplorer - fromJson used for user entry of new values
dtl - fromJson used to parse lazy loaded files
form/ListInput - fromJson used to parse input properties
io/xhrWindowNamePlugin - fromJson used if server response is explicitly defined to be trusted
rpc/JsonRPC - fromJson used for server responses
rpc/OfflineRest - fromJson used for parsing stored data in database
rpc/Service - fromJson used to parse SMD file
sketch/Annotation - fromJson used to parse node attributes
comment:4 Changed 11 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Again reformatted:
dojo:
hostenv_*.js - loading djConfig
json.js - eval used for loading json
xhr.js - eval used for loading javascript
io/iframe.js - eval used for handleAs json and javascript
rpc/RpcService.js - eval used to parse SMD files
dojo.js - eval used during bootstrap to load initial files
cookie - fromJson used for parsing config information
dojox:
charting - eval used frequently for parsing config information
data/AndOrReadStore - eval used for evaluating queries
data/KeyValueStore - eval used for evaluating data
drawing - eval used for parsing config information
embed/Flash.js - eval used to parse results from flash responses
flash - eval used to parse results from flash responses
json/query.js - eval (with controlled syntax) used for evaluating queries
json/ref.js - eval (with controlled syntax) for references
jsonPath/query.js - eval used for evaluating queries
lang/utils - eval used for type coercion
robot - eval used for interpreting events
secure/sandbox - provides secure eval
sql/_crypto - eval used for parsing config information
storage/* - All providers use eval/fromJson to parse stored values
widget/Rotator - eval used frequently for parsing config information
widget/UpgradeBar - eval used frequently for parsing config information
cometd/RestChannels - fromJson used for parsing server responses
data/StoreExplorer - fromJson used for user entry of new values
dtl - fromJson used to parse lazy loaded files
form/ListInput - fromJson used to parse input properties
io/xhrWindowNamePlugin - fromJson used if server response is explicitly defined to be trusted
rpc/JsonRPC - fromJson used for server responses
rpc/OfflineRest - fromJson used for parsing stored data in database
rpc/Service - fromJson used to parse SMD file
sketch/Annotation - fromJson used to parse node attributes
comment:5 Changed 11 years ago by
Kris - thanks for this list. Module owners should likely review each one of these.
It's arbitrary, but how about just documenting security implications of the json methods for now for 1.5? That seems to have the highest exposure, being in dojo._base and taking args and eval'ing them directly. Programmers need to be aware not to do things like take data from untrusted sources and pass it in to fromJson.
Places where parsing of text that is expected to be secure can be found by searching for "eval(" in the codebase. Unfortunately, there are a large number of places where we use eval in Dojo. There are a few of these evals which do security checks prior to eval (dojox.secure.* and dojox.json.query), but most of the others are unchecked if data came from an unfiltered source. It is a little tricky to determine which of these eval statements could (with a reasonable likelihood) be potential endpoints for server originated JSON and which ones would only come from more deterministic points in secure code. I can try to help identify points of insecurity, but it can be a blurry line.
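An added example (not Dojo's code) illustrating the point of this ticket: an eval-based fromJson-style parser executes whatever JavaScript it is handed, while a strict JSON parser rejects the same text, so a caller can gate untrusted input before it reaches an eval path. The function names and sample inputs are constructed for this example.

```javascript
// Added example, not Dojo code: an eval-based fromJson-style parser beside
// a strict JSON parser, showing why the json methods need trusted input.

// Mimics the classic "(" + text + ")" eval pattern. Anything that is valid
// JavaScript is executed, not only JSON. Hypothetical name.
function evalFromJson(text) {
  return eval("(" + text + ")");
}

// Strict alternative: JSON.parse accepts only the JSON grammar and throws
// on anything else, so executable text is rejected instead of run.
function safeFromJson(text) {
  return JSON.parse(text);
}

// Gate for an eval-based code path: only strict JSON may pass. Hypothetical name.
function isStrictJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample inputs.
const trustedText = '{"id": 7, "tags": ["a", "b"]}';
// Valid JavaScript but not JSON: evaluating it has a visible side effect.
const executableText =
  '(function () { globalThis.sideEffect = true; return {"id": 7}; })()';

// Runs both parsers over both inputs and reports what happened.
function demo() {
  globalThis.sideEffect = false;
  const r = {};
  r.trustedEval = evalFromJson(trustedText).id;        // 7
  r.trustedSafe = safeFromJson(trustedText).id;        // 7
  r.executableEval = evalFromJson(executableText).id;  // 7, but the code ran
  r.sideEffectRan = globalThis.sideEffect;             // true
  r.executableIsJson = isStrictJson(executableText);   // false
  let rejected = false;
  try { safeFromJson(executableText); } catch (e) { rejected = true; }
  r.safeRejected = rejected;                           // true
  return r;
}

console.log(demo());
```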