[misc] AngularJs expression injection #1287
Comments
|
no plans to address. if someone wants to suggest a PR we can consider, however this is the first time someone has pointed this out, which mean's its not a high priority for us (we prioritise things a lot of people ask for, and prioritise even more when it's paying customer). |
ceolter
changed the title
|
tracked by AG-158 |
|
This library is marked as vulnerable in the most used databases for tracking security issues. |
|
The exploit description at : https://spring.io/blog/2016/01/28/angularjs-escaping-the-expression-sandbox-for-xss The expression sandbox was removed in angular 1.6 to help mitigate its misuse by developers: However... to quote that article: ag-grid may be used to generate templates based on user input, but only if an application doesn't implement an angular-safe cell renderer. i.e it doesn't introduce any new vulnerability/risk that isn't already present when writing all angular applications. It is not a problem specific to ag-grid, but rather a problem with incorrectly written angular applications. I suppose if a cell renderer was not configured and angular compilation is enabled, ag-grid could use a 'span ng-non-bindable' default cell renderer wrapper for safety/convenience. However this is easily mitigated by using a custom renderer that uses a safe template. If an ag-grid application is using angular compilation, in all likely-hood they will be using custom renderers. Would it be possible to get written confirmation of this fact? Advisories such as https://nodesecurity.io/advisories/327 seem to be naively generated from github issues without full investigation. This unfortunately impedes adoption by customers which have policies against third party software with outstanding advisories. A documentation update to highlight this danger and ways to avoid the potential problem might be all that is required. If this issue is closed I assume the advisory would also be marked as resolved. |
I'm also asking for this |
|
If anyone was still looking for a way to prevent this exploit, we ended up using a span ng-non-bindable tag (just like @smhc mentionned above) in a custom cell renderer that we applied to all our rows (not super convenient but it did the job). |
|
@gabriellebourdages |
|
This is a top priority for us as it is preventing our team from using ag-grid in our project because it is high risk. Any update on this? |
|
I consider this high priority as well. I also think the AngularJS section in the documentation should mention this possible vulnerability as well since a lot of users/applications may not be aware of it. |
|
Perhaps @gabriellebourdages could close this issue given that it has been proven not to be an ag-grid problem, but rather a generic known angularjs pitfall. It would hopefully close that baseless advisory which is preventing adoption from enterprise customers. It could be re-raised as a documentation issue if needed, without the words 'XSS vulnerability' to prevent bots scraping it unnecessarily. |
|
@smhc @gabriellebourdages thanks for the updates - we appreciate it |
StephenCooper
changed the title
|
Issue CVE-2017-16009 only applies for Angular JS i.e before Angular 2: AG Grid dropped support for AngularJs in v28 of the grid which is why this CVE is not applicable anymore. This issue doesn't apply to AG Grid version 28 and later. The CVE issue details have been updated to correctly reflect the versions as mentioned above. |
I know that ag-grid already covers HTML injection since #913 , but lately we found out that an XSS attack is still possible with a little bit more work when an application uses angular.
It is possible to escape expression sandboxing (See https://spring.io/blog/2016/01/28/angularjs-escaping-the-expression-sandbox-for-xss ) and inject code that can break the application.
Are there plans to address this issue eventually?
The text was updated successfully, but these errors were encountered: