Remove expression sandbox #15094

Closed

@petebacondarwin
Member

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

refactor

What is the current behavior? (You can also link to an open issue here)

The angular expression parser attempts to sandbox the expressions to prevent unrestricted access to the global context.

What is the new behavior (if this is a feature change)?

The sandbox is removed, as it was not a real security feature.

Does this PR introduce a breaking change?

No

Please check if the PR fulfills these requirements

Other information:

TODO:

  • fill out the commit message
  • more refactoring to remove unnecessary vars
  • look into further performance improvements
@googlebot googlebot added the cla: yes label Sep 5, 2016
@petebacondarwin petebacondarwin added this to the 1.6.x milestone Sep 5, 2016
@mgol
Member
mgol commented Sep 5, 2016

Once it has a proper commit message and a couple of unused vars at the top of the file are removed (I only found some cached methods, that's all) I think it's ready to land. Performance improvements can be addressed in subsequent PRs/commits, I like that this one mostly cleanly removes stuff.

Other than that, LGTM.

@gkalpak
Member
gkalpak commented Sep 6, 2016 edited

The changes LGTM. Wrt the commit message:

  • According to this well-respected resource, the type should be refactor 😁
  • Update with URL to blog post. (Just putting it here as a reminder.)
@petebacondarwin
Member
petebacondarwin commented Sep 7, 2016 edited

@gkalpak - I always get that wrong :-(

the type should be refactor

@petebacondarwin petebacondarwin refactor($parse): remove Angular expression sandbox
The angular expression parser (`$parse`) attempts to sandbox expressions
to prevent unrestricted access to the global context.

While the sandbox was not on the frontline of the security defense,
developers kept relying upon it as a security feature even though it was
always possible to access arbitrary JavaScript code if a malicious user
could control the content of Angular templates in applications.

This commit removes this sandbox, which has the following benefits:

* it sends a clear message to developers that they should not rely on
the sandbox to prevent XSS attacks; that they must prevent control of
expression and templates instead.
* it allows performance and size improvements in the core Angular 1
library.
* it simplifies maintenance and provides opportunities to make the
parser more capable.

Please see the [Sandbox Removal Blog Post](http://angularjs.blogspot.com/2016/09/angular-16-expression-sandbox-removal.html)
for more detail on what you should do to ensure that your application is
secure.
10597de
@petebacondarwin petebacondarwin modified the milestone: 1.6.x, 1.6.0 Sep 12, 2016
@petebacondarwin petebacondarwin added a commit that closed this pull request Sep 15, 2016
@petebacondarwin petebacondarwin refactor($parse): remove Angular expression sandbox
Closes #15094
1547c75
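
The commit message says applications must prevent user control of expressions and templates. The following is an added example, not code from this PR or from AngularJS: a server-side helper that keeps user text out of the compiled template by HTML-escaping it and wrapping it in the `ng-non-bindable` directive, plus a check that flags input fields carrying interpolation markers. The function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example: assumes a Node server that renders user-supplied text into
// a page that AngularJS compiles in the browser. All names are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Escape HTML metacharacters so user text cannot open or close elements.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Entity-encoding the braces would not help: the browser decodes entities
// before AngularJS reads the DOM. The wrapper element tells the compiler to
// skip its contents. Escaping first stops the text from closing the wrapper.
function renderUserText(text) {
  return '<span ng-non-bindable>' + escapeHtml(text) + '</span>';
}

// Detection aid: return the names of fields whose value contains the
// interpolation symbols. The symbols are parameters because an application
// can change them through $interpolateProvider.
function findTemplateMarkers(fields, startSymbol = '{{', endSymbol = '}}') {
  return Object.keys(fields).filter((name) => {
    const value = String(fields[name]);
    return value.includes(startSymbol) || value.includes(endSymbol);
  });
}

// Constructed sample input: one plain field, one with expression syntax,
// one with markup that tries to close the wrapper element.
const sampleProfile = {
  name: 'Alice',
  bio: 'My favourite sum is {{ 1 + 1 }}',
  site: '</span><b>x</b>'
};

function demo() {
  return {
    flagged: findTemplateMarkers(sampleProfile),
    bioHtml: renderUserText(sampleProfile.bio),
    siteHtml: renderUserText(sampleProfile.site)
  };
}

console.log(demo());
```

This covers user text placed in element content only; the flagged field list is meant for logging and review, not as a filter that makes templating user input safe.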