Validator can be bypassed using string manipulation, like window['set'+ 'Timeout']

RESOLVED FIXED in Q2 2011

Status

RESOLVED FIXED
8 years ago
3 years ago

People

(Reporter: jorgev, Assigned: basta)

Tracking

unspecified
Q2 2011

Details

(Whiteboard: [ReviewTeam], URL)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
Created attachment 528341
Add-on version with bypass code

The attached file demonstrates how to bypass some validator flags, specifically the setTimeout flag. In the file chrome/content/azan.js, you'll see the following:

timeoutID = window['set'+ 'Timeout'](azan.run, 1000);

In this case the bypass is harmless and just an innocent attempt to clear some warnings, but it could be problematic if done with more sensitive flags. We need to make the validator recognize these patterns and show the right flags.
(Assignee)

Comment 1

8 years ago
Does this actually bypass the current validator? It shouldn't; we have tests already for things like

window["ev"+"al"]

This is done through the lazy evaluation of the script. If it's not being detected, I'd imagine that the problem is likely a more general issue that's preventing an error from being raised.

I'll look into it soon.
(Assignee)

Comment 2

8 years ago
There was a minor bug in the MemberExpression evaluator. It should be fixed here:

https://github.com/mattbasta/amo-validator/commit/56930d91ea199322a784528ba3de3ca9d686ad9c
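
The check discussed in the comments above, sketched as an added example (not amo-validator's own code and not the linked commit): a computed MemberExpression property is folded to a constant string before it is compared against the flag list. The ESTree-shaped dict nodes, the FLAGGED set and every function name here are assumptions made for illustration, and the sample AST is constructed by hand.

```python
# Added example: fold constant string concatenation in computed member access.
FLAGGED = {"setTimeout", "eval"}  # assumed flag list, for illustration only

def fold(node):
    """Return the string a node statically evaluates to, or None if unknown."""
    if node["type"] == "Literal" and isinstance(node["value"], str):
        return node["value"]
    if node["type"] == "BinaryExpression" and node["operator"] == "+":
        left, right = fold(node["left"]), fold(node["right"])
        if left is not None and right is not None:
            return left + right
    return None  # identifiers, calls, numbers in a concatenation: not folded

def member_name(node):
    """Resolve the property name of a MemberExpression; None if dynamic."""
    prop = node["property"]
    if not node["computed"]:
        return prop["name"]            # window.setTimeout
    if prop["type"] == "Literal":
        return str(prop["value"])      # window['setTimeout'] or arr[0]
    return fold(prop)                  # window['set' + 'Timeout']

def scan(node, findings=None):
    """Walk the tree; collect ('flagged', name) and ('unresolved', None)."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        if node.get("type") == "MemberExpression":
            name = member_name(node)
            if name is None:
                findings.append(("unresolved", None))  # surface for manual review
            elif name in FLAGGED:
                findings.append(("flagged", name))
        for child in node.values():
            scan(child, findings)
    elif isinstance(node, list):
        for child in node:
            scan(child, findings)
    return findings

# Hypothetical helpers that build the constructed sample nodes.
def lit(v): return {"type": "Literal", "value": v}
def ident(n): return {"type": "Identifier", "name": n}
def plus(a, b): return {"type": "BinaryExpression", "operator": "+", "left": a, "right": b}
def member(o, p, c): return {"type": "MemberExpression", "object": o, "property": p, "computed": c}

# Constructed AST for: window['set' + 'Timeout'](azan.run, 1000)
BYPASS = {"type": "CallExpression",
          "callee": member(ident("window"), plus(lit("set"), lit("Timeout")), True),
          "arguments": [member(ident("azan"), ident("run"), False), lit(1000)]}
```

A property that cannot be folded to a constant is reported as unresolved rather than silently passed, so a reviewer sees it.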
(Assignee)

Comment 3

8 years ago
Merged:

https://github.com/mozilla/amo-validator/commit/51115834a5f1d7d87a62fd9ed3a3e287b71bc4a5
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

7 years ago
Reclassifying editor bugs and changing to a new whiteboard flag. Spam, spam, spam, spam...
Whiteboard: [required amo-editors] → [ReviewTeam]
Product: addons.mozilla.org → addons.mozilla.org Graveyard