Launchpad itself

Merge lp://staging/~henninge/launchpad/devel-744204-escaping-soyuz-base into lp://staging/launchpad

devel-744204-escaping-soyuz-base
Merge into devel

Proposed by Henning Eggers on 2011-04-08

Status:

Merged

Approved by:

Robert Collins on 2011-04-11

Approved revision:

no longer in the source branch.

Merged at revision:

12796

Proposed branch:

lp://staging/~henninge/launchpad/devel-744204-escaping-soyuz-base

Merge into:

lp://staging/launchpad

Diff against target:

156 lines (+21/-31)

4 files modified

lib/lp/registry/javascript/distroseriesdifferences_details.js (+10/-12)
lib/lp/soyuz/javascript/base.js (+9/-17)
lib/lp/soyuz/templates/archive-macros.pt (+1/-1)
lib/lp/soyuz/templates/archive-packages.pt (+1/-1)

To merge this branch:

bzr merge lp://staging/~henninge/launchpad/devel-744204-escaping-soyuz-base

Critical

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Robert Collins (community)			Approve on 2011-04-11
William Grant	code*	2011-04-08	Approve on 2011-04-11
Review via email: mp+56978@code.staging.launchpad.net

Commit message

[r=lifeless,wgrant][bug=744204] Made function in Y.lp.soyuz.base escape input properly.

Description of the change

= Summary =

Bug 744204

The javascript code in Y.lp.soyuz.base was not safe against xss
attacks becuse it set innerHTML to values of unknown origin. One of
the call sites actually passes in response.responseText which is one
the attack vectors wgrant described.

== Proposed fix ==

Use string templates and DOM manipulation to create the markup. Most
importantly use set('text', text) to insert the text passed in. This
way it is escaped properly.

== Pre-implementation notes ==

I'd call wgrants email about xss attacks a pre-imp discussion. ;-)

== Implementation details ==

In distroseriesdifferences_details.js Y.Escape had been applied to all
parameters passed into the vulnurable functions to relieve the danger.
Those could now be removed.

Between JSLINT and me we found some dodgy js code which I fixed along
the way.

== Tests ==

As this is a pure refactoring, no tests needed to be changed or added.
The WindmillLayer tests are currently not working on natty but the
relevant js unit test can be run like this:

firefox lib/lp/registry/javascript/tests/test_distroseriesdifferences_details.html

== Demo and Q/A ==

I tried it out locally on
https://launchpad.dev/~mark/+archive/ppa?field.series_filter=breezy-autotest

There is a spinner while the archive size is retrieved and an error
message when it fails. I triggered that by halting the execution in
the debugger and stopping the dev server underneath it. Not sure how
to reproduce that for Q/A. Take down my network?

= Launchpad lint =

Checking for conflicts and issues in changed files.

Linting changed files:
  lib/lp/soyuz/javascript/base.js
  lib/lp/soyuz/templates/archive-macros.pt
  lib/lp/soyuz/templates/archive-packages.pt
  lib/lp/registry/javascript/distroseriesdifferences_details.js

./lib/lp/registry/javascript/distroseriesdifferences_details.js
      37: Expected '===' and instead saw '=='.
      39: Expected '===' and instead saw '=='.
      57: Expected '===' and instead saw '=='.
     247: 'get_extra_diff_info' has not been fully defined yet.
     266: Expected an identifier and instead saw 'arguments' (a reserved word).
     285: Expected '===' and instead saw '=='.
     334: Move 'var' declarations to the top of the function.
     334: Stopping. (59% scanned).
       0: JSLINT had a fatal error.

Revision history for this message

William Grant (wgrant) wrote on 2011-04-11:

While there was no vulnerability before (responseText was escaped), this is much cleaner!

I see further potential for cleanup in makeFailureNode. You can YUI calls something like this:

    var retry_link = failure_message.one('a')
        .addClass('update-retry')
        .set('href', '')
        .set('innerHTML', 'Retry')
        .set('text', 'Retry')
        .on('click', handler);