New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modifying POST request payload #772
Comments
Hi, @ABM893 to be clear of the vulnerability here, the lines that result in the issue are https://github.com/rstudio/DT/blob/master/R/shiny.R#L514-L515, and the lines being leaked are https://github.com/rstudio/DT/blob/master/R/shiny.R#L569-L570. Is that correct? |
Hi, @akgold that's correct. |
It's not the same as full error sanitizing, but replacing:
with
would at least get rid of the "Error in xxx:" part of the message, which seems to be the cause of most of the concern? A more comprehensive fix would also need:
|
@jcheng5 It would be better, the hard-coded message you propose being better still. I've always liked the behaviour of shiny.sanitize.errors. In that it's a helpful safety net with the ability to add a finer level of control on top of it if needed. Thank you both for your quick response |
Summary
This line of code will display an error in a user's browser if I modify the request body payload by altering the names used in the POST request.
For context we had this line cause a failure in - I believe - pen testing software on the grounds it's leaking the application code. I would argue that but won't here. It feels like the above could be passed back to my R session in the form of an error that I can sanitize when in a Shiny app. Instead of as is, where it's passed to toJSON and displayed as a JSON error.
Steps to reproduce:
if ((k <- col[['search']][['value']]) == '') next
By filing an issue to this repo, I promise that
xfun::session_info('DT')
. I have upgraded all my packages to their latest versions (e.g., R, RStudio, and R packages), and also tried the development version:remotes::install_github('rstudio/DT')
.I understand that my issue may be closed if I don't fulfill my promises.
The text was updated successfully, but these errors were encountered: