On Friday, November 24, 2017 at 3:13:08 AM UTC+1, Aleks wrote:
>
> Hi,
>
> we are currently going through a security audit and as part of that doing 
> static code scans. The scanner has returned two issues with the 
> GWT-generated <module>.nocache.js files.
>
> We can't really fix these as they are generated, but were hoping we could 
> challenge them if we had a good explanation or some "official" GWT resource 
> suggesting the code is actually safe. 
> I have found some previous posts on similar or same issues, but was hoping 
> I could get a response more relevant to the version we are using (*2.8.1*)  
> or an official resource (perhaps results of other scans/security audits?). 
>
>
> Below are the two issues with explanations and the code lines.
>
> *1. Cross Site Scripting*
>
> *Description: *The method f() in <module>.nocache.js sends unvalidated 
> data to a web browser on line 13, which can result in the browser executing 
> malicious code. Sending unvalidated data to a web browser can result in the 
> browser executing malicious code.
>
> *Code: *function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}
>

This would come from here:
https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/computeScriptBase.js#L49-L62
It's used at
https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/computeScriptBase.js#L115
so it's never "user input" (comes from the DOM, at load time)

> *2. Dynamic Code Evaluation - Code Injection*
>
> *Description: *The file webadmin.nocache.js interprets unvalidated user 
> input as source code on line 15. Interpreting user-controlled instructions 
> at run-time can allow attackers to execute malicious code. Interpreting 
> user-controlled instructions at run-time can allow attackers to execute 
> malicious code.
>
> *Code*: 
> if(m.addEventListener){m.addEventListener($b,function(){H();M()},false)}var L=setInterval(function(){if(/loaded|complete/.test(m.readyState)){H();M()}},50);n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});m.write(_b)}
>

This comes from
https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/waitForBodyLoaded.js,
https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/isBodyLoaded.js,
and
https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js#L52
I believe.
Again, nothing that comes from "user input".

(I'm assuming the default configuration here)
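To make the first finding concrete for whoever triages it, here is an added, un-minified model of what the quoted `f()` does. It is not GWT's code and not the poster's: the absolute-URL regex is the one quoted above; the "assign to an element's `.src` and read it back" trick, which needs a browser DOM, is replaced by the WHATWG `URL` API so it runs under Node; and the assumption that the minified `e()` trims the result to its directory is mine. The sample inputs are constructed stand-ins for what the bootstrap reads from the page at load time (the script's own `src` or a base URL), which is the reply's point: the only thing that reaches the browser is a normalized URL string, never an HTML fragment or code.

```javascript
// Added example, not part of the original thread or of GWT.
// Models the two steps in the flagged f(): "is this URL already absolute?"
// and "otherwise let the browser absolutize it and keep the directory part".

// Same check the quoted code uses: a scheme followed by "://" means absolute.
function isAbsoluteUrl(url) {
  return /^\w+:\/\//.test(url);
}

// Assumption about e(): keep everything up to and including the last "/",
// dropping any trailing file name (the original appends a constant file
// name before normalizing, which this trimming then removes again).
function getDirectoryOfFile(path) {
  const idx = path.lastIndexOf('/');
  return idx === -1 ? path : path.slice(0, idx + 1);
}

// `pageUrl` stands in for the document the bootstrap script was loaded into.
// In the browser the same normalization happens when a relative value is
// assigned to an element's .src and read back; new URL(rel, base) is the
// Node-runnable equivalent used here.
function ensureAbsoluteUrl(url, pageUrl) {
  if (isAbsoluteUrl(url)) {
    // Already absolute: returned untouched, exactly as the quoted code does.
    return url;
  }
  const resolved = new URL(url, pageUrl).href;
  return getDirectoryOfFile(resolved);
}

// Constructed inputs: the kinds of values computeScriptBase derives from the
// DOM (script src attributes, a base URL), not request parameters.
const PAGE = 'https://app.example.test/admin/index.html';
const samples = [
  'https://app.example.test/webadmin/',      // absolute, passes through
  'webadmin/',                               // relative to the page directory
  '../webadmin/webadmin.nocache.js',         // relative path with a file name
  '/webadmin/',                              // host-relative
];

// Returns a map of input -> resolved script base, for inspection or testing.
function resolveSamples() {
  const out = {};
  for (const s of samples) {
    out[s] = ensureAbsoluteUrl(s, PAGE);
  }
  return out;
}

for (const [input, base] of Object.entries(resolveSamples())) {
  console.log(`${input.padEnd(36)} -> ${base}`);
}
```

Every branch ends in a URL that the browser has already parsed and re-serialized, so the data flow the scanner flagged is "DOM attribute in, normalized URL out", which is why the reply treats this as load-time configuration rather than user input.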
