[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-06 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16990290#comment-16990290
 ] 

Robert Muir commented on SOLR-13987:


strong +1, this is great!

I tested and did some local hacking and it all looks good to me.
I think you should defer the style-src, it is less bang for the buck.

> fix admin UI to not rely on javascript eval()
> -
>
> Key: SOLR-13987
> URL: https://issues.apache.org/jira/browse/SOLR-13987
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: Admin UI
>Reporter: Robert Muir
>Assignee: Kevin Risden
>Priority: Major
> Attachments: SOLR-13987.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow 
> this eval: means arbitrary javascript can still be executed. 
> Let's fix the admin UI to not require eval so it can be disabled by the 
> browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org



[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-06 Thread Kevin Risden (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16990285#comment-16990285
 ] 

Kevin Risden commented on SOLR-13987:

Patch:  [^SOLR-13987.patch] 
PR: https://github.com/apache/lucene-solr/pull/1066/

I think this is the minimal set of changes required. I didn't need to upgrade 
jstree or jquery. This removes the 'unsafe-eval'.

I left 'style-src 'self' 'unsafe-inline';' after I couldn't figure out how to 
easily fix the dynamic styles between angular-chosen, jstree, and jquery. 

I tested this on Chrome on a Mac clicking around and creating collections. I 
think I checked >90% of the UI if not all of it. Would appreciate a second set 
of eyes if anyone can try it out.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-06 Thread Kevin Risden (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16990195#comment-16990195
 ] 

Kevin Risden commented on SOLR-13987:

I applied the above changes and then ran into these clicking around:

* Need to do something about this: 
https://github.com/apache/lucene-solr/blob/master/solr/webapp/web/js/angular/controllers/cloud.js#L671
* 'http://localhost:8983/solr/libs/themes/default/style.css' not found? What is 
this from?
* jquery.jstree.js has issues - might need an upgrade
* jquery-2.1.3.min.js has issues - might need an upgrade


Most of the messages are like:

{code:java}
Either the 'unsafe-inline' keyword, a hash 
('sha256-BxgBw5gY+4L6F0VnJCV1SraYT1sZl9r6drbrpfnH3IM='), or a nonce 
('nonce-...') is required to enable inline execution.
{code}

I'll keep poking at it. 




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-06 Thread Jira


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16989605#comment-16989605
 ] 

Jan Høydahl commented on SOLR-13987:


Thanks Kevin. I remember having looked at some of this crazy angular CSP at 
some point, perhaps even tried a quick fix but ran out of time or something. 
I'm happy to try out whatever you end up with and perhaps help out - I've been 
around most of the UI earlier.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-05 Thread Kevin Risden (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16989355#comment-16989355
 ] 

Kevin Risden commented on SOLR-13987:

So I think the fix for Angular is as follows based on the reference 
https://code.angularjs.org/1.3.8/docs/api/ng/directive/ngCsp Robert shared and 
some more research.

* 
** 
https://github.com/apache/lucene-solr/blob/master/solr/webapp/web/index.html#L2
* 
** 
https://github.com/apache/lucene-solr/blob/master/solr/webapp/web/index.html#L26
** Need to add https://code.angularjs.org/1.3.8/angular-csp.css to 
solr/webapp/web/css/angular
** Angular 1.3.8 from 
https://github.com/apache/lucene-solr/blob/master/solr/webapp/web/libs/angular.min.js#L25
* Remove 'unsafe-eval' and 'unsafe-inline' from solr/server/etc/jetty.xml

I can try this over the next few days.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-05 Thread Joel Bernstein (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16989148#comment-16989148
 ] 

Joel Bernstein commented on SOLR-13987:

I've added a proposed design to SOLR-14014, which deals with headless mode. I'll 
ping the dev list to get some feedback as this is a fairly major change to how 
things work.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988432#comment-16988432
 ] 

Robert Muir commented on SOLR-13987:


I don't disagree with any point you made: thank you for the thoughtful comments.

I know people will hate my changes. But I think I'm kinda the necessary 
personality to fix this shit. I'm doing it on my own time with no interference 
or bad corporate influence to prevent me from doing the right thing. I am sick 
of the vulnerabilities and think we can fix it.

The problem with Solr is, it has too many features, especially super-risky ones 
like exposing scripting languages, running code from "god knows where", and 
admin UI setup like this. It is the very definition of a security disaster; 
that's why people exploit it. And I look forward to some good fun with Solr in 
security conference CTFs in the future.

If they want to veto some change to the admin UI, ok fine. I'm not trying to 
break functionality, just being honest: we have a problem. If you look at the 
linked issue, there is documentation from Angular on how to fix it. But I'm 
just not that heavy of a JS guy, admitting my weaknesses. I don't care if the 
thing is used, I just want {{unsafe-eval}} to disappear from the 
Content-Security-Policy.

And on my list, XSS is honestly down there. It's just a matter of priorities. 
But because this thing makes it so trivial, it's gonna generate tons and tons of 
CVEs and problems. Saying "you should firewall this shit" is just an excuse, 
sorry. Of course you should firewall it. Of course, even if we secure this Solr 
thing, you shouldn't expose it to the internet, don't be an idiot. 

But we shouldn't have these kinds of security bugs and just pretend like they 
are ok.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Jason Gerlowski (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988318#comment-16988318
 ] 

Jason Gerlowski commented on SOLR-13987:


bq. doing things like making it opt-in as Joel suggests are really good short 
term solutions.

It seems like there _is_ agreement on creating a headless mode for Solr then.  
I'll spin that off as a separate jira so it doesn't further confuse this one.  
Feel free to assign that to yourself if you're willing to pick it up Joel.  I'm 
also happy to help with it.

bq. Its really insecure that the current admin UI relies on eval() [...] I will 
fix this issue if nobody gets there first.

Awesome.  Of course, I think Joel has a valid point that drastic changes are 
likely to generate pushback (or even vetoes).  But there's no point crossing 
that bridge before we come to it.  Maybe the JS changes don't need to be 
drastic at all.  Looking forward to seeing what you (or whoever gets there 
first) come up with.

bq. It is a real security issue. [...] Its bullshit to say that "oh its behind 
a firewall, so we can write insecure code and be lazy". [...] Insecure code is 
a problem.

The "deploy-behind-firewall" rule isn't there to enable community laziness.  
It's there because Solr - in deep-rooted ways inherent to its design - is 
insecure to expose to the world.  The way we use ZooKeeper, the way APIs expose 
network and filesystem information, the metrics that are exposed, the lack of 
rate limiting and the susceptibility to DoS attacks.  _Solr is not and was 
never designed to be used outside of a firewall._  It's not laziness to say 
that, it's caution, honesty, and realism.

Should we plug the holes we know of?  Of course.  Should we fix XSS issues?  Of 
course.  I'm glad you're doing this.  But even with this and other recent 
security tickets fixed - I still don't think that changes the situation 
fundamentally.  Solr will still be unsafe exposed to the world, and it seems 
like wishful thinking to tell users otherwise.

I guess I just want to make sure that no one reading this jira gets the 
impression that "Hey, the UI's been fixed up, Solr's safe to expose externally 
now".




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988291#comment-16988291
 ] 

Robert Muir commented on SOLR-13987:


No I don't. According to Apache, the only mandatory feature is security. Not 
this admin UI.

I'm not just gonna throw out the admin UI, but if nobody helps and everyone 
just complains instead, I'll replace it with something secure.





[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Joel Bernstein (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988175#comment-16988175
 ] 

Joel Bernstein commented on SOLR-13987:

What you said was:

" If i am forced to do that, its gonna look like 1995 geocities all over again."

You need consensus on that.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988172#comment-16988172
 ] 

Robert Muir commented on SOLR-13987:


I didn't say I would drop it. I said I would fix the security holes. It's going 
to happen, try and stop me :)




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Joel Bernstein (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988169#comment-16988169
 ] 

Joel Bernstein commented on SOLR-13987:

Dropping an entire UI because it doesn't meet your timeframe, needs consensus.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988150#comment-16988150
 ] 

Robert Muir commented on SOLR-13987:


There isn't consensus on fixing security holes? News to me. Maybe for the 
Apache Solr project, but not anywhere else.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Joel Bernstein (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988137#comment-16988137
 ] 

Joel Bernstein commented on SOLR-13987:

There needs to be consensus on issues like this. I'm certain there is no 
consensus on something like dropping the entire UI yet, or replacing it with 
something drastically different. Let's mitigate the risk first, and come to 
consensus about a long-term plan for the UI. 

I'm happy to move forward with the headless solutions as an interim step.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988104#comment-16988104
 ] 

Robert Muir commented on SOLR-13987:


It's really insecure that the current admin UI relies on eval(). It is a real 
security issue. I *will* fix this issue if nobody gets there first. It's 
bullshit to say that "oh, it's behind a firewall, so we can write insecure code 
and be lazy". There is such a thing as internal threats, for example. And it's 
important to not just disable dangerous things by default, but ultimately 
either fix or remove them. Insecure code is a problem.

Separately, doing things like making it opt-in as Joel suggests is a really good 
short-term solution.






[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Jason Gerlowski (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988042#comment-16988042
 ] 

Jason Gerlowski commented on SOLR-13987:


Personally, I like the idea of having the Admin UI be disable-able via a flag.  
It's a quick change (relative to other proposed options), doesn't require 
scarce Javascript/angular expertise, and users who have followed the 
community's advice and kept their Solr behind a firewall can use the same old 
UI without security concerns.

Does a headless mode obviate the need for the {{eval}} work?  The answer 
probably depends on what use-case we're trying to target here, as Joel 
mentioned above.  Is the concern defending people who accidentally leave Solr 
open?  Or are we trying to support users who intentionally are deploying Solr 
world-open, and want to use all the bells and whistles (Admin UI, etc.)?






[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988023#comment-16988023
 ] 

Robert Muir commented on SOLR-13987:


Related issue about users exposing solr to the internet: SOLR-13985
Modern software packages just don't expose themselves to all network interfaces 
by default like Solr currently does.





[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-04 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16988007#comment-16988007
 ] 

Robert Muir commented on SOLR-13987:


+1 to your suggestion to disable stuff by default if it has risks.

Personally, on this issue, I was just trying to defend against stuff like XSS 
attacks, so the project is not distracted by them. If you instruct the browser 
to disable inline javascript and {{eval}} completely, it helps a whole hell of 
a lot in preventing the injection of javascript code :)




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16987117#comment-16987117
 ] 

ASF subversion and git services commented on SOLR-13987:


Commit c8c9c1002353db3b8a4d89d21849bf67bc4f0931 in lucene-solr's branch 
refs/heads/gradle-master from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=c8c9c10 ]

SOLR-13982: set security-related http response headers by default

Unfortunately, as a first start this is very weak protection against
e.g. XSS.  This is because some 'unsafe-xxx' rules must be present due
to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
still easy.





[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread Ishan Chattopadhyaya (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16987020#comment-16987020
 ] 

Ishan Chattopadhyaya commented on SOLR-13987:

A bit off topic, but I feel the UI shouldn't be available out of the box. If a 
user wants, he can pull in the UI from some external source (like a GitHub 
based plugin/package etc.). Our UI is right now a first class entity, but is 
extremely buggy, unsupported and unsafe. Having the UI as part of Solr, though 
useful for users, is a liability for us committers, who don't even have the 
expertise to do anything with it.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread Robert Muir (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16986954#comment-16986954
 ] 

Robert Muir commented on SOLR-13987:


JavaScript developers change frameworks every day, and talk about it even more. 

Like I said, if this issue gets left to me to fix, everyone will be unhappy. 
I'll pick no framework at all, pull the data it needs with XMLHttpRequest, and 
it will look like 1995 geocities.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread Erick Erickson (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16986947#comment-16986947
 ] 

Erick Erickson commented on SOLR-13987:
---

There was some discussion on SOLR-12276. Part of the discussion is whether to 
migrate to Angular2 or a completely different framework. IDK whether Angular2 
suffers the same vulnerabilities or not or even whether it's really easier than 
a new framework...




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread Robert Muir (Jira)


[ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16986836#comment-16986836 ]

Robert Muir commented on SOLR-13987:


If nobody understands Angular enough to fix this, my fallback is to replace the
admin UI with something that doesn't use Angular.

I guarantee that isn't a preferred option. If I am forced to do that, it's gonna
look like 1995 GeoCities all over again.




[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16986808#comment-16986808 ]

ASF subversion and git services commented on SOLR-13987:


Commit 55b77358cff29ae1ebf8d8bcab754450e14b1a0a in lucene-solr's branch 
refs/heads/branch_8x from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=55b7735 ]

SOLR-13982: set security-related http response headers by default

Unfortunately, as a first start this is very weak protection against
e.g. XSS.  This is because some 'unsafe-xxx' rules must be present due
to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
still easy.




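The commit message above says the default headers are weak because some 'unsafe-xxx' source expressions have to stay in the policy while the admin UI needs eval(). The following is an added example, not code from the Solr project or from anyone in this thread: a small Content-Security-Policy parser that reports whether script-src still permits eval()/new Function() and inline script, and whether style-src permits inline styles, so an eval-dependent policy can be compared with the one that becomes possible once the eval dependency is gone. The two policy strings (WEAK_POLICY, HARDENED_POLICY) and the function names are constructed for this example and are not Solr's actual header values.

```javascript
// Added example (not Solr's own code): parse a Content-Security-Policy value
// and report whether script-src still lets eval()/new Function() and inline
// script run, and whether style-src allows inline styles. The two policy
// strings are constructed for this example; they are not copied from Solr.

const WEAK_POLICY =
  "default-src 'none'; script-src 'self' 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'";

const HARDENED_POLICY =
  "default-src 'none'; script-src 'self'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'";

// Split the header into directives. Per the CSP spec, a directive name that
// appears more than once keeps its first occurrence; later copies are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src and style-src fall back to default-src when absent; with neither
// present the browser applies no restriction at all (returned as null).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Keyword sources such as 'self' are ASCII case-insensitive; nonce and hash
// values are not, so only the prefix is matched case-insensitively.
const hasKeyword = (sources, kw) =>
  sources !== null && sources.some((s) => s.toLowerCase() === kw);

const hasNonceOrHash = (sources) =>
  sources !== null &&
  sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));

function auditCsp(header) {
  const policy = parseCsp(header);
  const script = effectiveSources(policy, 'script-src');
  const style = effectiveSources(policy, 'style-src');

  // eval() is reachable when scripts are unrestricted or 'unsafe-eval' is listed.
  const evalAllowed = script === null || hasKeyword(script, "'unsafe-eval'");
  // CSP2-capable browsers ignore 'unsafe-inline' once a nonce or hash is present.
  const inlineScriptAllowed =
    script === null ||
    (hasKeyword(script, "'unsafe-inline'") && !hasNonceOrHash(script));
  const inlineStyleAllowed =
    style === null ||
    (hasKeyword(style, "'unsafe-inline'") && !hasNonceOrHash(style));

  const findings = [];
  if (evalAllowed) {
    findings.push("script-src permits eval()/new Function(): injected code that " +
      "reaches them runs regardless of the rest of the policy");
  }
  if (inlineScriptAllowed) {
    findings.push("script-src permits inline <script> and event-handler attributes");
  }
  if (inlineStyleAllowed) {
    findings.push("style-src permits inline styles (lower impact than script, still worth closing)");
  }
  return { evalAllowed, inlineScriptAllowed, inlineStyleAllowed, findings };
}

// Compare the eval-dependent policy with the one that becomes possible once the
// admin UI no longer needs eval().
for (const [label, header] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  const result = auditCsp(header);
  console.log(`${label}: eval=${result.evalAllowed} ` +
    `inlineScript=${result.inlineScriptAllowed} inlineStyle=${result.inlineStyleAllowed}`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

Run with `node` on the two constructed policies: the first reports that eval() is reachable, the second reports only the remaining inline-style allowance. The same function can be pointed at a live response header (for example the value returned by a `HEAD` request against an admin endpoint) to confirm that a deployment's policy no longer carries 'unsafe-eval'.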

[jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()

2019-12-03 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16986806#comment-16986806 ]

ASF subversion and git services commented on SOLR-13987:


Commit c8c9c1002353db3b8a4d89d21849bf67bc4f0931 in lucene-solr's branch 
refs/heads/master from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=c8c9c10 ]

SOLR-13982: set security-related http response headers by default

Unfortunately, as a first start this is very weak protection against
e.g. XSS.  This is because some 'unsafe-xxx' rules must be present due
to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
still easy.

