Fix XSS vulnerability in ClientJsonParser

ClientJsonParser was calling a GWT API that used eval() to parse JSON content rather than JSON.parse(). A maliciously crafted project containing an extension components.json file with Javascript instead of JSON would allow injecting arbitrary Javascript into the user's session. This commit switches to strict parsing and includes exception handling to report corrupt/invalid components.json to the user. Change-Id: Iafaaf004310ac45cf0c1cea18eae1cfd58de17ef

Fix XSS vulnerability in ClientJsonParser
ClientJsonParser was calling a GWT API that used eval() to parse JSON content rather than JSON.parse(). A maliciously crafted project containing an extension components.json file with Javascript instead of JSON would allow injecting arbitrary Javascript into the user's session. This commit switches to strict parsing and includes exception handling to report corrupt/invalid components.json to the user. Change-Id: Iafaaf004310ac45cf0c1cea18eae1cfd58de17ef
902ac3d8 · Evan W. Patton · 563ec8c2 · 902ac3d8 · 902ac3d8 · 902ac3d8
Commit 902ac3d8 authored Aug 17, 2017 by Evan W. Patton
3 changed files
--- a/appinventor/appengine/src/com/google/appinventor/client/OdeMessages.java
+++ b/appinventor/appengine/src/com/google/appinventor/client/OdeMessages.java
@@ -593,6 +593,18 @@ public interface OdeMessages extends Messages {
  @Description("For importing from a URL")
  String componentImportFromURL();

+  @DefaultMessage("The component database in the project \"{0}\" is corrupt.")
+  @Description("Error message when the component database is not valid.")
+  String componentDatabaseCorrupt(String projectName);
+
+  @DefaultMessage("The extension description of \"{0}\" in the project \"{1}\" is corrupt.")
+  @Description("Error message when the component descriptors for an extension are not parsable.")
+  String extensionDescriptorCorrupt(String extensionName, String projectName);
+
+  @DefaultMessage("The project \"{0}\" contains an invalid extension. App Inventor will attempt to continue.")
+  @Description("Error message when an extension descriptor pathname does not have the correct structure.")
+  String invalidExtensionInProject(String projectName);
+
  //Connect
  @DefaultMessage("Connect")
  @Description("Label of the button leading to Connect related cascade items")

--- a/appinventor/appengine/src/com/google/appinventor/client/editor/youngandroid/YaProjectEditor.java
+++ b/appinventor/appengine/src/com/google/appinventor/client/editor/youngandroid/YaProjectEditor.java
@@ -39,6 +39,7 @@ import com.google.appinventor.shared.storage.StorageUtil;
 import com.google.appinventor.shared.youngandroid.YoungAndroidSourceAnalyzer;
 import com.google.common.collect.Maps;
 import com.google.gwt.core.client.Scheduler;
+import com.google.gwt.json.client.JSONException;
 import com.google.gwt.user.client.Command;
 import com.google.gwt.user.client.rpc.AsyncCallback;

@@ -471,8 +472,7 @@ public final class YaProjectEditor extends ProjectEditor implements ProjectChang
  }
  
  public void addComponent(final ProjectNode node, final Command afterComponentAdded) {
-    final ProjectNode compNode = node;
-    final String fileId = compNode.getFileId();
+    final String fileId = node.getFileId();
    AsyncCallback<ChecksumedLoadFile> callback = new OdeAsyncCallback<ChecksumedLoadFile>(MESSAGES.loadError()) {
      @Override
      public void onSuccess(ChecksumedLoadFile result) {
@@ -483,7 +483,23 @@ public final class YaProjectEditor extends ProjectEditor implements ProjectChang
          this.onFailure(e);
          return;
        }
-        JSONValue value = new ClientJsonParser().parse(jsonFileContent);
+        JSONValue value = null;
+        try {
+          value = new ClientJsonParser().parse(jsonFileContent);
+        } catch(JSONException e) {
+          // thrown if jsonFileContent is not valid JSON
+          String[] parts = fileId.split("/");
+          if (parts.length > 3 && fileId.endsWith("components.json")) {
+            ErrorReporter.reportError(Ode.MESSAGES.extensionDescriptorCorrupt(parts[2], project.getProjectName()));
+          } else {
+            ErrorReporter.reportError(Ode.MESSAGES.invalidExtensionInProject(project.getProjectName()));
+          }
+          numExternalComponentsLoaded++;
+          if (afterComponentAdded != null) {
+            afterComponentAdded.execute();
+          }
+          return;
+        }
        COMPONENT_DATABASE.addComponentDatabaseListener(YaProjectEditor.this);
        if (value instanceof JSONArray) {
          JSONArray componentList = value.asArray();
@@ -625,7 +641,12 @@ public final class YaProjectEditor extends ProjectEditor implements ProjectChang

  private void resetExternalComponents() {
    COMPONENT_DATABASE.addComponentDatabaseListener(this);
-    COMPONENT_DATABASE.resetDatabase();
+    try {
+      COMPONENT_DATABASE.resetDatabase();
+    } catch(JSONException e) {
+      // thrown if any of the component/extension descriptions are not valid JSON
+      ErrorReporter.reportError(Ode.MESSAGES.componentDatabaseCorrupt(project.getProjectName()));
+    }
    externalComponents.clear();
    extensionsInNode.clear();
    extensionToNodeName.clear();

--- a/appinventor/appengine/src/com/google/appinventor/client/properties/json/ClientJsonParser.java
+++ b/appinventor/appengine/src/com/google/appinventor/client/properties/json/ClientJsonParser.java
@@ -18,6 +18,6 @@ public class ClientJsonParser implements JSONParser {
  @Override
  public JSONValue parse(String source) {
    return source.isEmpty() ? null
-        : ClientJsonValue.convert(com.google.gwt.json.client.JSONParser.parseLenient(source));
+        : ClientJsonValue.convert(com.google.gwt.json.client.JSONParser.parseStrict(source));
  }
 }