mojito
mojito copied to clipboard
YahooArchive
Config info leaked in HTML
https://github.com/yahoo/mojito/wiki/ReleaseNotes0_6_0 suggests that deeply embedded mojits config are not passed to the client. See comments: "// this config is not passed to the client". This is misleading. While the mojitProxy may not have access to this info it is still leaked to the client!!
To reproduce use the https://github.com/yahoo/mojito/tree/develop/examples/developer-guide/binding_events example with the application.json from following gist (https://gist.github.com/ooskapenaar/6089171).
Start the app and go to the page.
Look at the page source and search for "secret", you will find the complete application.json there.
Honestly, I don't remember what behavior is correct. But I think the runtime was an important part of the security protection. I think this will work just fine:
Remove those secrets from the master setting, and put it in server runtime, it will not leak:
[
{
"settings": [ "master" ],
"specs": {
"frame": {
"type": "HTMLFrameMojit",
"config": {
"deploy": true,
"child": {
"type": "PagerMojit",
"config": {}
}
}
}
}
},
{
"settings": [ "runtime:server" ],
"specs": {
"frame": {
"config": {
"child": {
"config": {
"secret1": "this is a secret"
}
}
}
}
}
}
]
Which means that the secret is only available for the server runtime, which has a semantic meaning, and makes more sense.
Also, since that syntax is very weird, you could use the extension from @jlecomte to make this easier by using dot notation in json files:
{
"settings": [ "runtime:server" ],
"specs.frame.config.child.config.secret1": "this is a secret"
}
The extension @caridy refers to is https://github.com/yahoo/mojito-config-expansion
