From 9fdf8312b7262fdcde0f5e0dcd18f9bf421c93f1 Mon Sep 17 00:00:00 2001
From: Brent Dearth
Date: Fri, 30 Jun 2017 11:19:53 -0600
Subject: [PATCH] fix(xss): prevent XSS on omniauth external window vector
---
 .../omniauth_external_window.html.erb | 2 +-
 .../omniauth_callbacks_controller_test.rb | 22 +++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/app/views/devise_token_auth/omniauth_external_window.html.erb b/app/views/devise_token_auth/omniauth_external_window.html.erb
index 0739e4c6d..d29f3fa29 100644
--- a/app/views/devise_token_auth/omniauth_external_window.html.erb
+++ b/app/views/devise_token_auth/omniauth_external_window.html.erb
@@ -15,7 +15,7 @@ Cordova / PhoneGap)
 */
- var data = <%= @data.to_json.html_safe %>;
+ var data = JSON.parse(decodeURIComponent('<%= URI::escape( @data.to_json ) %>'));
 window.addEventListener("message", function(ev) {
 if (ev.data === "requestCredentials") {
diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
index 34d02a9f3..972c57874 100644
--- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
+++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
@@ -16,6 +16,11 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 @redirect_url = "http://ng-token-auth.dev/"
 end
+ def get_parsed_data_json
+ encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
+ JSON.parse(URI::unescape(encoded_json_data))
+ end
+
 describe 'success callback' do
 setup do
 OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({
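Review bot: `URI::escape` on the new `var data` line does not neutralise the characters that matter inside a single-quoted JavaScript literal: its default unsafe set leaves `'`, `(`, `)` and `;` untouched, and JSON encoding leaves `'` as-is too, so any apostrophe in `@data` still terminates the literal and whatever follows is evaluated as script — the same class of injection this commit sets out to close. The failure path already produces such a value: the test at `-310` expects `"Redirect to '#{@bad_redirect_url}' not allowed."`, where the URL is taken from the request's `auth_origin_url`. `URI.escape` is also obsolete (warned since Ruby 2.7, removed in 3.0). Use a strict percent-encoder that escapes everything outside the unreserved set, `var data = JSON.parse(decodeURIComponent('<%= ERB::Util.url_encode(@data.to_json) %>'));`, which also emits spaces as `%20` so `decodeURIComponent` round-trips the value. The enclosing `<script>` block begins and ends outside the hunk.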
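Review bot: `get_parsed_data_json` cannot detect the breakout the view is meant to prevent: the capture `\'(.+)\'` is greedy, so a raw `'` inside the rendered literal is spanned rather than failing the match, and `URI::unescape` then decodes the whole span — the suite stays green while a browser would see a broken or injected literal (the bad-redirect case in the hunk at `-310` renders exactly such an apostrophe). Tighten the capture to `([^']+)` and add `refute_includes encoded_json_data, "'"` before decoding so the helper fails whenever the literal is not intact. `URI::unescape` is also obsolete (removed in Ruby 3.0); `URI::DEFAULT_PARSER.unescape` is the drop-in replacement. Minor style: the `.` in `JSON.parse` inside the regex is unescaped, and Ruby convention drops the `get_` prefix (e.g. `parsed_window_data`). `OmniauthTest` continues outside the hunk.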
@@ -207,8 +212,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 end
 def assert_expected_data_in_new_window
- data_json = @response.body.match(/var data \= (.+)\;/)[1]
- data = ActiveSupport::JSON.decode(data_json)
+ data = get_parsed_data_json
 expected_data = @resource.as_json.merge(controller.auth_params.as_json)
 expected_data = ActiveSupport::JSON.decode(expected_data.to_json)
 assert_equal(expected_data.merge("message" => "deliverCredentials"), data)
@@ -262,8 +266,7 @@ def get_success(params = {})
 }
 assert_equal 200, response.status
- data_json = @response.body.match(/var data \= (.+)\;/)[1]
- data = ActiveSupport::JSON.decode(data_json)
+ data = get_parsed_data_json
 assert_equal({"error"=>"invalid_credentials", "message"=>"authFailure"}, data)
 end
@@ -310,9 +313,8 @@ def get_success(params = {})
 auth_origin_url: @bad_redirect_url,
 omniauth_window_type: 'newWindow'
- data_json = @response.body.match(/var data \= (.+)\;/)[1]
- data = ActiveSupport::JSON.decode(data_json)
- assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
+ data = get_parsed_data_json
+ assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
 data['error']
 end
@@ -321,8 +323,7 @@ def get_success(params = {})
 auth_origin_url: @good_redirect_url,
 omniauth_window_type: 'newWindow'
- data_json = @response.body.match(/var data \= (.+)\;/)[1]
- data = ActiveSupport::JSON.decode(data_json)
+ data = get_parsed_data_json
 assert_equal @user_email, data['email']
 end
@@ -332,8 +333,7 @@ def get_success(params = {})
 auth_origin_url: @good_redirect_url,
 omniauth_window_type: 'newWindow'
- data_json = @response.body.match(/var data \= (.+)\;/)[1]
- data = ActiveSupport::JSON.decode(data_json)
+ data = get_parsed_data_json
 assert_equal @user_email, data['email']
 end