v0.4 Release – XSS vulnerabilities and Loader.gif Issues

I’ve decided to fix two extra issues for my v0.4 release. While figuring out how to implement other features I was able to fix these two as well, so I added them to the release. Both fixes concern bug 459727.

XSS Vulnerability

In renderMorePushLogResults(), the workhorse that adds the new entries to the page, I was creating an object from the JSON text received from the server:

var pushData = new Function("return " + pushCheckins.responseText) ();

As was pointed out to me on the bug page, that line makes the feature vulnerable to XSS: new Function("return " + text)() compiles and runs the response body as JavaScript, exactly like eval(), so anything other than plain JSON that ends up in that response runs with the page’s privileges. I’m not an expert on security issues, so I took the advice given to me and switched to JSON.parse(), which accepts only the JSON grammar and throws a SyntaxError on anything else. Note that this only makes the parsing safe: the parsed strings (user, author, desc) are still concatenated into innerHTML further down in the function, so they would still need escaping if they can ever contain markup.

var pushData = JSON.parse(pushCheckins.responseText);

At first I thought JSON was built into JavaScript, but when I tried JSON.parse() I got the error: “JSON is undefined”. After getting some help on IRC I found out that I needed a JSON library (JSON.parse() and JSON.stringify() are part of ECMAScript 5 and are native in current browsers, but older engines don’t have them). Then I headed over to good old Google and found the lib I was looking for, json2.js, which only defines the JSON object when the browser doesn’t already provide one. Once I had the lib, all I needed to do was add the following and everything worked again:

<script type="text/javascript" src="{url}static/json2.js"></script>
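The following is an added example, not part of the original post or of the pushlog code, that puts the two parsing approaches side by side and runs them on a constructed response. The push entries, the tampered body, the bug-tracker URL and the names buildBugLink(), tryParse() and escapeHtml() are all made up for this demonstration; buildBugLink() is a hypothetical stand-in for the project’s createBuglink(), whose source is not on this page. It also goes one step beyond the parse fix: JSON.parse() hands the description back as a plain string, so a value like <img onerror=...> is only neutralised if it is escaped before being concatenated into innerHTML, which is what escapeHtml() and buildBugLink() do.

```javascript
// Added example (not the pushlog project's code): why the server's JSON
// must be parsed rather than evaluated, and why the parsed strings still
// need escaping before they are put into innerHTML.

// Constructed sample response in the shape the pushlog code reads
// (keyed by push ID; the values are illustrative).
var goodResponse = JSON.stringify({
  "41": {
    user: "alice@example.com",
    author: "Alice",
    desc: "Bug 459727 - fix the spinner",
    formattedDate: "2010-03-01"
  }
});

// Constructed tampered response: valid JavaScript, but not JSON. Whoever
// can alter the body (a compromised server, a proxy, a poisoned cache)
// gets a statement executed in the page. The payload here just sets a flag.
var tamperedResponse = '(globalThis.pwned = true, {"41": {"user": "x"}})';

// The original, dangerous way: the response body is compiled as code.
function parseWithFunction(text) {
  return new Function("return " + text)();
}

// The fixed way: JSON.parse accepts only the JSON grammar and throws on
// anything else.
function parseWithJson(text) {
  return JSON.parse(text);
}

// Helper: run a parser and report success or the error's name.
function tryParse(parser, text) {
  try {
    return { ok: true, value: parser(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Hypothetical replacement for createBuglink(): escape the description
// FIRST, then linkify "bug NNNNN" references. The bug-tracker URL is an
// assumption. Linkifying before escaping would escape the anchor itself.
function buildBugLink(desc) {
  var escaped = escapeHtml(desc);
  return escaped.replace(/\b[Bb]ug\s+(\d+)/g, function (match, id) {
    return '<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=' + id + '">' + match + '</a>';
  });
}

// The author/description cell the pushlog code builds, with the untrusted
// fields escaped instead of concatenated raw.
function renderAuthorDescCell(entry) {
  return '<strong>' + escapeHtml(entry.author) + ' &mdash; ' + buildBugLink(entry.desc) + '</strong>';
}

// Stand-alone run: compare the two parsers on both bodies.
console.log("JSON.parse, good body:", tryParse(parseWithJson, goodResponse).ok);
console.log("JSON.parse, tampered body:", tryParse(parseWithJson, tamperedResponse));
console.log("new Function, tampered body:", tryParse(parseWithFunction, tamperedResponse),
            "pwned =", globalThis.pwned);
console.log(renderAuthorDescCell({ author: "Mallory <script>", desc: "Bug 459727 - <b>x</b>" }));
```

Run it with node: both parsers accept the well-formed body, but parseWithFunction() also accepts the tampered one and sets globalThis.pwned as a side effect, while parseWithJson() rejects it with a SyntaxError. The escape-then-linkify order in buildBugLink() is deliberate; the regex only ever captures digits, so the generated anchor cannot carry attacker-controlled markup.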

Loader.gif

I had already implemented the loader.gif last semester. I thought it was working and just wasn’t showing up because I was testing on localhost, where the load times were so fast that I never got to see it.

I was wrong: the loader.gif wasn’t showing up at all. To fix this, all I needed to do was move the code that inserts the loader.gif to the very start of renderMorePushLogResults(), before the XMLHttpRequest is sent, so that the spinner is on the page for the whole round trip and is cleared once the first new row is appended. See below:

function renderMorePushLogResults() {
  // Show the spinner before the request is sent so it is visible for the
  // whole round trip. It is cleared when the first new row is appended.
  var loader = document.getElementById("loader");
  loader.innerHTML = '<img src="{url}static/ajax-loader.gif" align="right" />';

  // Fetch the previous 20 pushes; start is a global holding the oldest push
  // ID currently displayed.
  var end = start;
  start = start - 20;
  var pushCheckins = new XMLHttpRequest();
  pushCheckins.open('GET', '/json-pushes?startID=' + start + '&endID=' + end, true);
  pushCheckins.onreadystatechange = function() {
    if(pushCheckins.readyState == 4) {
      if(pushCheckins.status != 404) {
        // JSON.parse() accepts only JSON and throws on anything else,
        // instead of executing it the way new Function()/eval() would.
        var pushData = JSON.parse(pushCheckins.responseText);
        var counter = 0;
        for(var i = end; i > start; i--) {
          var trScroll = document.createElement("tr");
          // Alternate the row shading
          if(counter == 0) {
            trScroll.className = "parity0";
            counter = 1;
          } else {
            counter = 0;
            trScroll.className = "parity1";
          }
          // user, author and desc are inserted as markup here, not as text,
          // so they would need escaping if they can ever contain '<' or '&'.
          var tdScrollUser = document.createElement("td");
          tdScrollUser.width = "184px";
          tdScrollUser.innerHTML += pushData[i].user + '<br />' + pushData[i].formattedDate;
          //Create changeset link
          var tdScrollChangeset = document.createElement("td");
          tdScrollChangeset.innerHTML +=
            '<a href="/rev/' +
            pushData[i].individualChangeset.substring(0, 12) +
            '">' +
            pushData[i].individualChangeset.substring(0, 12) +
            '</a>';

          //Create bug link
          var bugLink = createBuglink(pushData[i].desc);

          var tdScrollAuthorDesc = document.createElement("td");
          tdScrollAuthorDesc.innerHTML += '<strong>' + pushData[i].author + ' &mdash; ' + bugLink + '</strong>';
          trScroll.appendChild(tdScrollUser);
          trScroll.appendChild(tdScrollChangeset);
          trScroll.appendChild(tdScrollAuthorDesc);
          // First row is ready: take the spinner down. A 404 or an empty
          // result never reaches this line, so the spinner stays up then.
          loader.innerHTML = "";
          document.getElementById("titlePush").appendChild(trScroll);

          //Check whether it is a merge changeset or not. An array is never
          //== [] (that compares references), so test the length instead.
          if(pushData[i].mergeData && pushData[i].mergeData.length > 0) {
            for(var j = 0; j < pushData[i].mergeData.length; j++) {
              if(pushData[i].mergeData[j] != "") {
                var mergeStr = pushData[i].mergeData[j];
                //Each entry is "changeset|-|user|-|desc"
                for(var k = 0; k < mergeStr.length; k++) {
                  var actualMergeStr = mergeStr[k].split('|-|');
                  var mergeC = actualMergeStr[0];
                  var mergeUser = actualMergeStr[1];
                  var mergeDesc = actualMergeStr[2];
                  if(mergeDesc != pushData[i].desc) {
                    var trScrollMerge = document.createElement("tr");
                    trScrollMerge.style.backgroundColor = trScroll.style.backgroundColor;
                    var tdScroll_MergeUser = document.createElement("td");
                    tdScroll_MergeUser.width = "184px";

                    //Create changeset link
                    var tdScroll_MergeC = document.createElement("td");
                    tdScroll_MergeC.innerHTML +=
                      '<a href="/rev/' +
                      mergeC.substring(0, 12) +
                      '">' +
                      mergeC.substring(0, 12) +
                      '</a>';

                    var merge_bugLink = createBuglink(mergeDesc);

                    var tdScroll_MergeAuthorDesc = document.createElement("td");
                    tdScroll_MergeAuthorDesc.innerHTML += '<strong>' + mergeUser + ' &mdash; ' + merge_bugLink + '</strong>';
                    trScrollMerge.appendChild(tdScroll_MergeUser);
                    trScrollMerge.appendChild(tdScroll_MergeC);
                    trScrollMerge.appendChild(tdScroll_MergeAuthorDesc);
                    document.getElementById("titlePush").appendChild(trScrollMerge);
                  }
                }
              }
            }
          }
        }
      }
    }
  };
  pushCheckins.send(null);
}
This entry was posted in DPS911, Mercurial Project, Open Source.

One Response to v0.4 Release – XSS vulnerabilities and Loader.gif Issues

  1. Kolorowanki says:

    Great tutorial, I only draw but will pass your post address to my programmer. He will love it. Thanks for sharing.
    Regards,
    Matt Kolorowanki,
    Illustrator
