gerrit/polygerrit-ui/app/index.html
Mike Samuel 5ee6971a61 Integrates polymer-resin into polygerrit-ui
This is attempt 3 at rolling-forward c/106190

New Dependency
==============
This adds polymer-resin as a bower archive.
See `bower info polymer-resin#1.2.6-beta` for details.
Polymer-resin is part of the larger polymer project so is
license compatible.

Integration
===========
The main application element, app/elements/gr-app.html, now HTML
imports polymer-resin per
github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading
It uses the following configuration:
1. All dynamic IDs are allowed.
2. Policy violation reports are sent to the dev console.

test/common-test-setup.html does the same so that tests are run in the
same environment.

Testing
=======
1.  Running local tests
    gerrit $ ./polygerrit-ui/app/run_tests.sh
    With 1.2.6-beta tests run green on (Chrome, Firefox, Safari).
2.  Testing for false positives
    I ran two servers.
    a. polygerrit-ui/run_server.sh
    b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html
    I noticed that in both, the dev console showed 'initResin' early and
    paging around showed no violation reports.
3.  Testing for true negatives
    I patched in the diff at the end of this description, and reran
    both server environments.
    I noted that browsing to localhost:8081/#javascript:alert(1)
    and localhost:8080/#javascript:alert(1) both showed a
    violation report about javascript:alert(1) being rejected.
    Clicking Changes / XSS did not result in a popup.

Differences
===========
This loads the non-debug version but configured with a console reporter
so should minimize code size and speed overhead.
This loads via gr-app so the input is automatically vulcanized.

--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -56,6 +56,11 @@
         url: '/q/status:abandoned',
         name: 'Abandoned',
       },
+      {  // HACK DO NOT SUBMIT
+        url: (location.hash && location.hash.replace(/^#/, ''))
+            || '/echoes_hash',
+        name: 'XSS',
+      },
     ],
   }];
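Review bot: the `HACK DO NOT SUBMIT` marker is right and this entry must not land: it feeds `location.hash` straight into a nav link `url`, which is exactly the untrusted-attribute case polymer-resin is being integrated to catch, so the exercise belongs in a test under the same environment as test/common-test-setup.html rather than a hand-applied patch. Also worth stating in the description that on its own this hunk is not enough: `_computeRelativeURL` host-prefixes the path, so a `javascript:` value only reaches the attribute as a scheme together with the second hunk.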
--- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
+++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
@@ -93,6 +93,7 @@
     },

     _computeRelativeURL(path) {
+if (path && /^\w+\:/.test(path)) { return path; }  // HACK DO NOT SUBMIT
       const host = window.location.host;
       return this._computeURLHelper(host, path);
     },
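Review bot: this early return removes the host-prefixing that `_computeURLHelper` gives every dropdown link, which is what normally stops a scheme-bearing string from being treated as an absolute URL; it is the right lever for making the test reach polymer-resin's URL check, but it has to stay out of the tree, as the marker says. Style: the inserted line is not indented to the surrounding body, and `\:` in `/^\w+\:/` is an unnecessary escape, `/^\w+:/` reads the same.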

Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34
2017-06-26 10:45:10 -07:00
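The two layers the description exercises, as an added example that is not Gerrit or polymer-resin code: gr-dropdown's host-prefixing of link paths (assumed to build `'//' + host + path`, the shape of its `_computeURLHelper`) and a polymer-resin style URL policy for href-valued attributes routed through a console-style reporter like the one gr-app configures. The policy, the scheme allowlist, the `linkForHash` helper and the hostname are assumptions made for the example, not resin's implementation.

```javascript
// Added example (not Gerrit or polymer-resin code). Models gr-dropdown's link
// computation and a resin-style URL policy (an assumption about what the policy
// does, not resin's implementation) so the description's test can be traced.

// Schemes the policy lets through unchanged; anything else is swapped for an
// innocuous placeholder and reported instead of thrown, as a console reporter would.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
const INNOCUOUS_URL = 'about:invalid#zClosurez';  // placeholder Closure's SafeUrl uses

// Stand-in for the dev-console reporter gr-app configures: record, never block.
const reports = [];
function reportViolation(value, reason) {
  reports.push({ value, reason });
  console.warn('polymer-resin violation:', reason, JSON.stringify(value));
}

// Browsers drop ASCII tab/newline anywhere in a URL and leading C0 controls or
// spaces before reading the scheme, so normalise the same way before checking.
function schemeOf(url) {
  const cleaned = String(url).replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;  // null: relative or scheme-less URL
}

function sanitizeUrl(url) {
  const scheme = schemeOf(url);
  if (scheme === null || SAFE_SCHEMES.has(scheme)) return url;
  reportViolation(url, `unsafe URL scheme "${scheme}:"`);
  return INNOCUOUS_URL;
}

// gr-dropdown's _computeRelativeURL (host-prefixing assumed). With bypassScheme
// the "HACK DO NOT SUBMIT" line from the description applies, which is the only
// way a scheme-prefixed path reaches the attribute instead of being host-prefixed.
function computeRelativeURL(host, path, bypassScheme = false) {
  if (bypassScheme && path && /^\w+:/.test(path)) return path;
  return '//' + host + path;
}

// The XSS nav entry from the description: its url is derived from location.hash.
// The hostname is a constructed value matching the description's local server.
function linkForHash(hash, bypassScheme = false) {
  const path = (hash && hash.replace(/^#/, '')) || '/echoes_hash';
  return sanitizeUrl(computeRelativeURL('localhost:8081', path, bypassScheme));
}

console.log(linkForHash('#javascript:alert(1)', false));  // host-prefixed, no report
console.log(linkForHash('#javascript:alert(1)', true));   // about:invalid#zClosurez + report
```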


<!DOCTYPE html>
<!--
Copyright (C) 2015 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html lang="en">
<meta charset="utf-8">
<meta name="description" content="Gerrit Code Review">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">
<!--
RobotoMono fonts are used in styles/fonts.css
@see https://github.com/w3c/preload/issues/32 regarding crossorigin
-->
<link rel="preload" href="/fonts/RobotoMono-Regular.woff2" as="font" type="font/woff2" crossorigin>
<link rel="preload" href="/fonts/RobotoMono-Regular.woff" as="font" type="font/woff" crossorigin>
<link rel="stylesheet" href="/styles/fonts.css">
<link rel="stylesheet" href="/styles/main.css">
<script src="/bower_components/webcomponentsjs/webcomponents-lite.js"></script>
<!--
- Content between webcomponents-lite and the load of the main app element
- run before polymer-resin is installed so may have security consequences.
- Contact your local security engineer if you have any questions, and
- CC them on any changes that load content before gr-app.html.
-
- github.com/Polymer/polymer-resin/blob/master/getting-started.md#integrating
-->
<link rel="preload" href="/elements/gr-app.js" as="script" crossorigin="anonymous">
<link rel="import" href="/elements/gr-app.html">
<body unresolved>
<gr-app id="app"></gr-app>