Skip to content

(fix): Replace unsafe expression evaluation with safe recursive-descent parser in VegaDeclarativeChart#35852

Merged
AtishayMsft merged 5 commits intomicrosoft:masterfrom
AtishayMsft:usr/atisjai/fix-vega-xss
Mar 10, 2026
Merged

(fix): Replace unsafe expression evaluation with safe recursive-descent parser in VegaDeclarativeChart#35852
AtishayMsft merged 5 commits intomicrosoft:masterfrom
AtishayMsft:usr/atisjai/fix-vega-xss

Conversation

@AtishayMsft
Copy link
Copy Markdown
Contributor

@AtishayMsft AtishayMsft commented Mar 9, 2026

Previous Behavior

New Behavior

  • Replace new Function() calls in VegaLiteSchemaAdapter with a safe recursive-descent expression evaluator that only supports the Vega-Lite expression subset
  • Add JSON depth validation at the component boundary to prevent stack overflow / memory exhaustion from deeply nested specs
  • Add 44 security-focused unit tests and 4 end-to-end component tests reproducing the reported attack payloads

Related Issue(s)

  • Fixes #

@AtishayMsft AtishayMsft requested a review from a team as a code owner March 9, 2026 16:23
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 9, 2026
edited
Loading

📊 Bundle size report

✅ No changes found

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 9, 2026

Pull request demo site: URL

github-actions[bot]
github-actions bot reviewed Mar 9, 2026
View reviewed changes
Comment thread change/@fluentui-react-charts-103891dd-6fd7-4836-8976-65db96c42acb.json
@Hotell
Copy link
Copy Markdown
Contributor

Hotell commented Mar 9, 2026
edited
Loading

Should I close my proposed fix ? #35851

as I mentioned on the issue, having full tokenizer in runtime might be a bit of a huge tax to pay. the use strict approach with regex should be good enough

@AtishayMsft
Copy link
Copy Markdown
Contributor Author

AtishayMsft commented Mar 9, 2026

Should I close my proposed fix ? #35851

as I mentioned on the issue, having full tokenizer in runtime might be a bit of a huge tax to pay. the use strict approach with regex should be good enough

The tokenization is needed for only the transform set which is pretty small. We should be good with this.

@AtishayMsft AtishayMsft merged commit bd7fdfb into microsoft:master Mar 10, 2026
12 checks passed
@AtishayMsft AtishayMsft deleted the usr/atisjai/fix-vega-xss branch March 10, 2026 04:50
tudorpopams pushed a commit to tudorpopams/fluentui that referenced this pull request Apr 14, 2026
@AtishayMsft @atisjai @tudorpopams
(fix): Replace unsafe expression evaluation with safe recursive-desce…
899ba8f 
…nt parser in VegaDeclarativeChart (microsoft#35852)

Co-authored-by: Atishay Jain <atisjai@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@srmukher srmukher srmukher approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AtishayMsft @Hotell @srmukher @atisjai