Closed Bug 652848 Opened 13 years ago Closed 13 years ago

Validator can be bypassed using string manipulation, like window['set'+ 'Timeout']

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Q2 2011

People

(Reporter: jorgev, Assigned: basta)

Details

(Whiteboard: [ReviewTeam])

Attachments

(1 file)

The attached file demonstrates how to bypass some validator flags, specifically the setTimeout flag. On file chrome/content/azan.js, you'll see the following:

timeoutID = window['set'+ 'Timeout'](azan.run, 1000);

In this case the bypass is harmless and just an innocent attempt to clear some warnings, but it could be problematic if done with more sensitive flags. We need to make the validator recognize these patterns and show the right flags.

Does this actually bypass the current validator? It shouldn't; we have tests already for things like

window["ev"+"al"]

This is done through the lazy evaluation of the script. If it's not being detected, I'd imagine that the problem is likely a more general issue that's preventing an error from being raised.

I'll look into it soon.

There was a minor bug in the MemberExpression evaluator. It should be fixed here:

https://github.com/mattbasta/amo-validator/commit/56930d91ea199322a784528ba3de3ca9d686ad9c

Merged:

https://github.com/mozilla/amo-validator/commit/51115834a5f1d7d87a62fd9ed3a3e287b71bc4a5

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

Reclassifying editor bugs and changing to a new whiteboard flag. Spam, spam, spam, spam...

Whiteboard: [required amo-editors] → [ReviewTeam]
Product: addons.mozilla.org → addons.mozilla.org Graveyard
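
The check discussed in this bug, as an added example that is not part of the thread or of the amo-validator code base: a static pass folds constant string concatenation inside a computed member access before matching the resolved name against a flag list, and reports keys it cannot resolve. The ESTree-style dict nodes, the `FLAGGED` set, the `node` helper and all function names are assumptions made for illustration.

```python
# Added illustration: nodes are ESTree-style dicts (an assumption); the sample AST is constructed.
FLAGGED = {"eval", "setTimeout", "setInterval"}  # hypothetical flag list

def fold(node):
    """Return the constant string a node evaluates to, or None if it is not static."""
    if node["type"] == "Literal" and isinstance(node["value"], str):
        return node["value"]
    if node["type"] == "BinaryExpression" and node["operator"] == "+":
        left, right = fold(node["left"]), fold(node["right"])
        if left is not None and right is not None:
            return left + right
    return None

def member_name(node):
    """Resolve the property name of a MemberExpression, folding computed keys."""
    prop = node["property"]
    if node["computed"]:
        return fold(prop)      # window['set' + 'Timeout'] resolves to 'setTimeout'
    return prop["name"]        # window.setTimeout

def find_flags(node, hits=None):
    """Walk the tree and collect flagged names; unresolved computed keys are reported too."""
    hits = [] if hits is None else hits
    if isinstance(node, list):
        for child in node:
            find_flags(child, hits)
    elif isinstance(node, dict):
        if node.get("type") == "MemberExpression":
            name = member_name(node)
            if name is None:
                hits.append("<dynamic property>")  # cannot be checked statically
            elif name in FLAGGED:
                hits.append(name)
        for child in node.values():
            find_flags(child, hits)
    return hits

def node(kind, **fields):
    """Build one AST node (helper for the constructed sample below)."""
    return {"type": kind, **fields}

# Constructed AST for: window['set' + 'Timeout'](azan.run, 1000)
BYPASS = node("CallExpression",
    callee=node("MemberExpression", computed=True, object=node("Identifier", name="window"),
                property=node("BinaryExpression", operator="+",
                              left=node("Literal", value="set"), right=node("Literal", value="Timeout"))),
    arguments=[node("MemberExpression", computed=False, object=node("Identifier", name="azan"),
                    property=node("Identifier", name="run")), node("Literal", value=1000)])

if __name__ == "__main__":
    print(find_flags(BYPASS))
```

Keys built from anything other than string literals are reported as dynamic instead of being skipped, so a reviewer still sees them.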