Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
1704713002:
Fix issue security issue in Gold (Closed)
|
Created:
4 years, 10 months ago by stephana Modified:
4 years, 10 months ago CC:
reviews_skia.org Base URL:
https://skia.googlesource.com/buildbot@master Target Ref:
refs/heads/master Project:
skiabuildbot Visibility:
Public. |
DescriptionFix issue security issue in Gold
To reliably fix internal b/26768421 (not just in gold) we need to wrap the error response in JSON object instead of returning a string.
BUG=skia:
Committed: https://skia.googlesource.com/buildbot/+/6753a5174a9a78020a328298a4fd45507090bfc3
Patch Set 1 #Patch Set 2 : Added more headers to prevent XSS #Patch Set 3 : #Patch Set 4 : Fixed poller_test #Messages
Total messages: 24 (11 generated)
The CQ bit was checked by stephana@google.com to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1704713002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1704713002/1
Description was changed from ========== Fix issue BUG=skia: ========== to ========== Fix issue security issue in Gold To reliably fix this issue (not just in gold) https://b.corp.google.com/u/0/issues/26768421 we need to wrap the error response in JSON object instead of returning a string. BUG=skia: ==========
stephana@google.com changed reviewers: + benjaminwagner@google.com, jcgregorio@google.com
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: Infra-PerCommit-Trybot on client.skia.fyi (JOB_FAILED, http://build.chromium.org/p/client.skia.fyi/builders/Infra-PerCommit-Trybot/b...)
PTAL: I cannot think of a better way to address this issue in general. I will change all the necessary code to switch to the new format for error messages once we agree on a solution.
Description was changed from ========== Fix issue security issue in Gold To reliably fix this issue (not just in gold) https://b.corp.google.com/u/0/issues/26768421 we need to wrap the error response in JSON object instead of returning a string. BUG=skia: ========== to ========== Fix issue security issue in Gold To reliably fix internal b/26768421 (not just in gold) we need to wrap the error response in JSON object instead of returning a string. BUG=skia: ==========
I'm not sure that JSON responses are safe either. See the link in the bug "(1) If it is JSON:".
On 2016/02/16 23:49:50, Ben Wagner wrote: > I'm not sure that JSON responses are safe either. See the link in the bug "(1) > If it is JSON:". If you look at link(1), it suggests to never return content type "text/plain" which is exactly what we are currently doing. IMO, by placing the error message in a JSON string it should be automatically escaped, but I'll investigate more. In the meantime I added all the header suggested by the link.
On 2016/02/17 at 03:15:03, stephana wrote: > On 2016/02/16 23:49:50, Ben Wagner wrote: > > I'm not sure that JSON responses are safe either. See the link in the bug "(1) > > If it is JSON:". > > If you look at link(1), it suggests to never return content type "text/plain" which is exactly what we are currently doing. > IMO, by placing the error message in a JSON string it should be automatically escaped, but I'll investigate more. > > In the meantime I added all the header suggested by the link. The root of the problem is that the user input (query params, form values, etc) are being reflected back to the browser when reporting the error. The simplest fix would be to have ReportError only return the message in the HTTP response and glog.Error the 'err'.
On 2016/02/17 14:41:19, jcgregorio wrote: > On 2016/02/17 at 03:15:03, stephana wrote: > > On 2016/02/16 23:49:50, Ben Wagner wrote: > > > I'm not sure that JSON responses are safe either. See the link in the bug > "(1) > > > If it is JSON:". > > > > If you look at link(1), it suggests to never return content type "text/plain" > which is exactly what we are currently doing. > > IMO, by placing the error message in a JSON string it should be automatically > escaped, but I'll investigate more. > > > > In the meantime I added all the header suggested by the link. > > The root of the problem is that the user input (query params, form values, etc) > are being reflected back to the browser when reporting the error. The simplest > fix would be to have ReportError only return the message in the HTTP response > and glog.Error the 'err'. I changed the behavior of ReportError, but that's not a good long term fix IMO. I filed a bug to improve input validation and rethink the content types we return. https://bug.skia.org/4961
On 2016/02/17 14:41:19, jcgregorio wrote: > On 2016/02/17 at 03:15:03, stephana wrote: > > On 2016/02/16 23:49:50, Ben Wagner wrote: > > > I'm not sure that JSON responses are safe either. See the link in the bug > "(1) > > > If it is JSON:". > > > > If you look at link(1), it suggests to never return content type "text/plain" > which is exactly what we are currently doing. > > IMO, by placing the error message in a JSON string it should be automatically > escaped, but I'll investigate more. > > > > In the meantime I added all the header suggested by the link. > > The root of the problem is that the user input (query params, form values, etc) > are being reflected back to the browser when reporting the error. The simplest > fix would be to have ReportError only return the message in the HTTP response > and glog.Error the 'err'. I changed the behavior of ReportError, but that's not a good long term fix IMO. I filed a bug to improve input validation and rethink the content types we return. https://bug.skia.org/4961
lgtm
Description was changed from ========== Fix issue security issue in Gold To reliably fix internal b/26768421 (not just in gold) we need to wrap the error response in JSON object instead of returning a string. BUG=skia: ========== to ========== Fix issue security issue in Gold To reliably fix internal b/26768421 (not just in gold) we need to wrap the error response in JSON object instead of returning a string. BUG=skia: ==========
The CQ bit was checked by stephana@google.com
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1704713002/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1704713002/40001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: Infra-PerCommit-Trybot on client.skia.fyi (JOB_FAILED, http://build.chromium.org/p/client.skia.fyi/builders/Infra-PerCommit-Trybot/b...)
The CQ bit was checked by stephana@google.com
The patchset sent to the CQ was uploaded after l-g-t-m from jcgregorio@google.com Link to the patchset: https://codereview.chromium.org/1704713002/#ps60001 (title: "Fixed poller_test")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1704713002/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1704713002/60001
Message was sent while issue was closed.
Description was changed from ========== Fix issue security issue in Gold To reliably fix internal b/26768421 (not just in gold) we need to wrap the error response in JSON object instead of returning a string. BUG=skia: ========== to ========== Fix issue security issue in Gold To reliably fix internal b/26768421 (not just in gold) we need to wrap the error response in JSON object instead of returning a string. BUG=skia: Committed: https://skia.googlesource.com/buildbot/+/6753a5174a9a78020a328298a4fd45507090... ==========
Message was sent while issue was closed.
Committed patchset #4 (id:60001) as https://skia.googlesource.com/buildbot/+/6753a5174a9a78020a328298a4fd45507090... |
