Consider compiling your application with style=PRETTY or DETAILED so you 
can see more detail on the names of the methods and classes that surround 
the code you have questions about; it can make it easier to hunt these down.

I pretty-printed the code snippet you shared, which results in this:
                {
                    j = k.substring(Z, m);
                    l = k.substring(m + $)
                } else {
                    j = k;
                    l = fb
                }
                c[j] = l
            }
        }
        else if (j == xb) {
            k = i.getAttribute(vb);
            if (k) {
                try {
                    d = eval(k)
                } catch (a) {
                    alert(yb + k + zb)
                }
            }
        } else if (j == Ab) {
            k = i.getAttribute(vb);
            if (k) {
                try {
                    e = eval(k)
                } catch (a) {
                    alert(yb + k + Bb)
                }
            }
        }
    }
}
__gwt_getMetaProperty = function(a) {
    var b = c[a];
    return b == null ? null : b
};

The catch blocks have an alert in them, not something we typically see in 
GWT. It turns out this is part of the default linker, what looks like an 
old workaround to support extra meta tags contributing error handling code.
https://github.com/gwtproject/gwt/blob/6cf9146a8c53743c99e48b1d1db42a2e2010e1d7/dev/core/src/com/google/gwt/core/ext/linker/impl/processMetas.js
          if (eq >= 0) {
            name = content.substring(0, eq);
            value = content.substring(eq + 1);
          } else {
            name = content;
            value = '';
          }
          metaProps[name] = value;
        }
      } else if (name == 'gwt:onPropertyErrorFn') {
        content = meta.getAttribute('content');
        if (content) {
          try {
            propertyErrorFunc = eval(content);
          } catch (e) {
            alert('Bad handler \"' + content +
              '\" for \"gwt:onPropertyErrorFn\"');
          }
        }
      } else if (name == 'gwt:onLoadErrorFn') {
        content = meta.getAttribute('content');
        if (content) {
          try {
            onLoadErrorFunc = eval(content);
          } catch (e) {
            alert('Bad handler \"' + content + '\" for \"gwt:onLoadErrorFn\"');
          }
        }
      }
    }
  }


  // Set some of the variables in the main script
  __gwt_getMetaProperty = function(name) {
    var value = metaProps[name];
    return (value == null) ? null : value;
  }

This is used by most of the built-in linkers - there is an alternative 
file, processMetasNull.js, which could be used to remove these entirely. To 
use that, extend your current linker (presumably CrossSiteIframeLinker) and 
override getJsProcessMetas to return 
"com/google/gwt/core/ext/linker/impl/processMetasNull.js".

I've filed https://github.com/gwtproject/gwt/issues/9967 to explore phasing 
these out or making them easier to disable.

On Tuesday, June 4, 2024 at 4:54:38 AM UTC-5 [email protected] wrote:

> When we run an automated security scan against our GWT project, one of the 
> main vulnerabilities is related to the presence of eval() functions in 
> the xxxx.nocache.js file
>
> ...{j=k.substring(Z,m);l=k.substring(m+$)}else{j=k;l=fb}c[j]=l}}else 
> if(j==xb){k=i.getAttribute(vb);if(k){try{d=*eval(k)*}catch(a){alert(yb+k+zb)}}}else
> if(j==Ab){k=i.getAttribute(vb);if(k){try{e=*eval(k)*}catch(a){alert(yb+k+Bb)}}}}}__gwt_getMetaProperty=function(a){var
> b=c[a];return b==null?null:b};w=d;ipmweb.__errFn=e}...
>
> We added a CSP that blocks eval execution and the application runs 
> correctly, meaning that those eval() calls are not executed at runtime.
>
> Is there a way to get rid of those eval() functions? Is there someone who 
> knows in which cases those eval() calls get executed?
>
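The linker override described in the reply above, written out as an added example (not code from the thread or from the GWT project); the package and class name are assumptions, the GWT types and the getJsProcessMetas(LinkerContext) hook are the real ones from CrossSiteIframeLinker:

```java
// Hypothetical package and class name; this is an added example, not GWT code.
package com.example.linker;

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

/**
 * A CrossSiteIframeLinker that swaps processMetas.js for processMetasNull.js,
 * so the generated *.nocache.js no longer contains the eval() of
 * gwt:onPropertyErrorFn / gwt:onLoadErrorFn meta-tag content.
 *
 * Caveat: processMetasNull.js skips meta-tag processing altogether, so
 * host-page <meta name="gwt:property" ...> tags are no longer read either;
 * check that the application does not depend on them.
 */
@LinkerOrder(Order.PRIMARY)
@Shardable
public class NoEvalCrossSiteIframeLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "Cross-Site-Iframe linker without meta-tag eval()";
  }

  // Resource path of the script the linker inlines; the null variant ships
  // with GWT next to processMetas.js.
  @Override
  protected String getJsProcessMetas(LinkerContext context) {
    return "com/google/gwt/core/ext/linker/impl/processMetasNull.js";
  }
}

/* Wire it into the module (.gwt.xml), replacing the default primary linker:
 *
 *   <define-linker name="noevalxsiframe"
 *                  class="com.example.linker.NoEvalCrossSiteIframeLinker"/>
 *   <add-linker name="noevalxsiframe"/>
 *
 * After recompiling, confirm the result, e.g.:
 *   grep -c 'eval(' war/<module>/<module>.nocache.js   # expect 0 from processMetas
 */
```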
