appsmith
appsmith copied to clipboard
appsmithorg
chore: fix list widget data parsing
Description
The usage of single quote to parse the field values in a list widget opened up the possibility of XSS in list widget.
The line {{((currentItem) => { ${next}})(JSON.parse('${escapedStringifiedListItem}'))}} can be manipulated the following way.
Let say, the escapedStringifiedListItem's value is a JSON that looks like this {"username": '+showAlert(1.toString())+'}, then {{((currentItem) => { ${next}})(JSON.parse('{"username" : '+showAlert(1.toString())+'}'))}} would parse incorrectly and showAlert would get executed when this snippet is sent for evaluation.
Type of change
- Bug fix (non-breaking change which fixes an issue)
How Has This Been Tested?
- Manual
Checklist:
- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Updated |
|---|---|---|---|
| appsmith | ✅ Ready (Inspect) | Visit Preview | Oct 20, 2022 at 8:21AM (UTC) |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
Unable to find test scripts. Please add necessary tests to the PR.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3273533441.
Workflow: Appsmith External Integration Test Workflow.
Commit: 0ba13cc.
PR: 17666.
Perf tests will be available at https://app.appsmith.com/app/performance-infra-dashboard/pr-details-63465d4789020c7ac296d08d?pr=17666&runId=3273533441_1
Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3273951404.
Workflow: Appsmith External Integration Test Workflow.
Commit: c0f2969.
PR: 17666.
Perf tests will be available at https://app.appsmith.com/app/performance-infra-dashboard/pr-details-63465d4789020c7ac296d08d?pr=17666&runId=3273951404_1
Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3279120590.
Workflow: Appsmith External Integration Test Workflow.
Commit: c0f2969.
PR: 17666.
Perf tests will be available at https://app.appsmith.com/app/performance-infra-dashboard/pr-details-63465d4789020c7ac296d08d?pr=17666&runId=3279120590_1
Deployment failed with the following error:
Resource is limited - try again in 23 minutes (more than 100, code: "api-deployments-free-per-day").
Deployment failed with the following error:
Resource is limited - try again in 6 minutes (more than 100, code: "api-deployments-free-per-day").
Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3281668976.
Workflow: Appsmith External Integration Test Workflow.
Commit: f3b516d.
PR: 17666.
Perf tests will be available at https://app.appsmith.com/app/performance-infra-dashboard/pr-details-63465d4789020c7ac296d08d?pr=17666&runId=3281668976_1
Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3282283401.
Workflow: Appsmith External Integration Test Workflow.
Commit: 2f35113.
PR: 17666.
Perf tests will be available at https://app.appsmith.com/app/performance-infra-dashboard/pr-details-63465d4789020c7ac296d08d?pr=17666&runId=3282283401_1
Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3287985429.
Workflow: Appsmith External Integration Test Workflow.
Commit: 6cbfc02.
PR: 17666.
Perf tests will be available at https://app.appsmith.com/app/performance-infra-dashboard/pr-details-63465d4789020c7ac296d08d?pr=17666&runId=3287985429_1