Closed Bug 1663403 Opened 4 years ago Closed 4 years ago

searchengine-devtools has XSS vulnerabilities in configuration handling

Categories: Firefox :: Search, defect, P2
Points: 3
Tracking: RESOLVED FIXED
Iteration: 86.2 - Dec 28 - Jan 10
People: Reporter: standard8, Assigned: standard8
References: Blocks 1 open bug
Details: Keywords: sec-other

This is a follow-up to bug 1660282. That bug has stopped the XSS for the display of various elements on the UI, but we still need to sanitise / check the configuration before we pass it to the back-end and use it.

I have a few ideas on how to do that, and will hopefully get time to look later this week.

Keywords: sec-other
Iteration: 82.2 - Sep 7 - Sep 20 → 83.1 - Sept 21 - Oct 4
Iteration: 83.1 - Sept 21 - Oct 4 → 83.2 - Oct 5 - Oct 18
Iteration: 83.2 - Oct 5 - Oct 18 → 84.1 - Oct 19 - Nov 01

I hope to get to this soon, but no guarantees at the moment.

Iteration: 84.1 - Oct 19 - Nov 01 → ---

I would appreciate it if we could address this soon. Originally, the previous version was approved under the agreement that this gets fixed within 1 week. It's been more than 8 weeks now.

Iteration: --- → 85.2 - Nov 30 - Dec 13

Andreas, please can you take a look at this PR I'm working on:

https://github.com/mozilla-extensions/searchengine-devtools/pull/25/files

The basic idea is to use ajv to create a validation function based on the schema, and then use that validation on the loaded configurations.
Unfortunately, due to the way ajv works, we have to webpack the validation function.

At the moment the schema is mainly validating the types of fields rather than the content. If this general method looks alright to you, then I'll update the schema to add more in-depth validation of the contents of the fields.

Flags: needinfo?(awagner)
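
The approach described in the comment above, as an added example that is not code from the PR or the project: a loaded configuration is parsed and checked against a schema before anything else uses it. The schema, its field names, and the helpers `validate` and `loadConfig` are assumptions, and a small hand-written validator for a subset of JSON Schema stands in for ajv so the block runs without dependencies.

```javascript
// Added example. ENGINE/SCHEMA and their field names are constructed for
// illustration; they are not the real search configuration schema.
const ENGINE = {
  type: "object", required: ["engineId"], additionalProperties: false,
  properties: {
    engineId: { type: "string", pattern: "^[a-z0-9-]+$" },
    orderHint: { type: "number" },
  },
};
const SCHEMA = {
  type: "object", required: ["data"], additionalProperties: false,
  properties: { data: { type: "array", items: ENGINE } },
};

// Own-property check, so keys like "constructor" never match via the prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const typeOf = (v) => (Array.isArray(v) ? "array" : v === null ? "null" : typeof v);

// Returns a list of error strings; an empty list means the value conforms.
function validate(schema, value, path = "$") {
  if (schema.type && typeOf(value) !== schema.type) {
    return [`${path}: expected ${schema.type}, got ${typeOf(value)}`];
  }
  const errors = [];
  if (schema.pattern && typeof value === "string" && !new RegExp(schema.pattern).test(value)) {
    errors.push(`${path}: does not match ${schema.pattern}`);
  }
  if (schema.type === "array" && schema.items) {
    value.forEach((v, i) => errors.push(...validate(schema.items, v, `${path}[${i}]`)));
  }
  if (schema.type === "object") {
    const props = schema.properties || {};
    for (const key of schema.required || []) if (!has(value, key)) errors.push(`${path}.${key}: missing`);
    for (const [key, v] of Object.entries(value)) {
      if (has(props, key)) errors.push(...validate(props[key], v, `${path}.${key}`));
      else if (schema.additionalProperties === false) errors.push(`${path}.${key}: unexpected property`);
    }
  }
  return errors;
}

// Parse untrusted text and hand it on only if it conforms to the schema.
function loadConfig(text) {
  const config = JSON.parse(text);
  const errors = validate(SCHEMA, config);
  if (errors.length) throw new Error("invalid configuration: " + errors.join("; "));
  return config;
}
```

With only type checks in the schema, a string field carrying markup would pass; the `pattern` constraint on `engineId` is the kind of content-level rule the comment says would be added next.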

This looks good to me! Thank you for working on it, Mark!

Flags: needinfo?(awagner)

PR is now ready: https://github.com/mozilla-extensions/searchengine-devtools/pull/25

Once we've landed that I'll also update the copies of the schemas from in-tree & on the remote settings servers.

Iteration: 85.2 - Nov 30 - Dec 13 → 86.1 - Dec 14 - Dec 27
Flags: needinfo?(dharvey)

Reviewed

Flags: needinfo?(dharvey)

Andreas, this is now on ship-it and ready for release as 1.1.6.

Flags: needinfo?(awagner)
Iteration: 86.1 - Dec 14 - Dec 27 → 86.2 - Dec 28 - Jan 10

Thanks, I signed off.

Flags: needinfo?(awagner)

Thank you, this is now fully released.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Group: core-security-release