Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Config info leaked in HTML #1206

Open
ooskapenaar opened this Issue · 5 comments

4 participants

@ooskapenaar

https://github.com/yahoo/mojito/wiki/ReleaseNotes0_6_0 suggests that deeply embedded mojits config are not passed to the client. See comments: "// this config is not passed to the client". This is misleading. While the mojitProxy may not have access to this info it is still leaked to the client!!

To reproduce use the https://github.com/yahoo/mojito/tree/develop/examples/developer-guide/binding_events example with the application.json from following gist (https://gist.github.com/ooskapenaar/6089171).

Start the app and go to the page.

Look at the page source and search for "secret", you will find the complete application.json there.

@caridy
Owner

thanks @ooskapenaar, we will look into it. /cc @drewfish

@caridy
Owner

This should have been fixed by now. @lzhan can you validate and close this?

@lzhan

I can still reproduce this issue.

@caridy
Owner

Honestly, I don't remember what behavior is correct. But I think the runtime was an important part of the security protection. I think this will work just fine:

Remove those secrets from the master setting, and put it in server runtime, it will not leak:

[
  {
    "settings": [ "master" ],
    "specs": {
      "frame": {
        "type": "HTMLFrameMojit",
        "config": {
            "deploy": true,
            "child": {
              "type": "PagerMojit",
              "config": {}
            }
        }
      }
    }
  },
  {
    "settings": [ "runtime:server" ],
    "specs": {
      "frame": {
        "config": {
          "child": {
            "config": {
              "secret1": "this is a secret"
            }
          }
        }
      }
    }
  }
]

Which means that the secret is only available for the server runtime, which has a semantic meaning, and makes more sense.

Also, since that syntax is very weird, you could use the extension from @jlecomte to make this easier by using dot notation in json files:

  {
    "settings": [ "runtime:server" ],
    "specs.frame.config.child.config.secret1": "this is a secret"
  }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.