gerrit/polygerrit-ui/app/test/common-test-setup.html
Mike Samuel 5ee6971a61 Integrates polymer-resin into polygerrit-ui
This is attempt 3 at rolling-forward c/106190

New Dependency
==============
This adds polymer-resin as a bower archive.
See `bower info polymer-resin#1.2.6-beta` for details.
Polymer-resin is part of the larger polymer project so is
license compatible.

Integration
===========
The main application element, app/elements/gr-app.html, now HTML
imports polymer-resin per
github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading
It uses the following configuration:
1. All dynamic IDs are allowed.
2. Policy violation reports are sent to the dev console.

test/common-test-setup.html does the same so that tests are run in the
same environment.

Testing
=======
1.  Running local tests
    gerrit $ ./polygerrit-ui/app/run_tests.sh
    With 1.2.6-beta tests run green on (Chrome, Firefox, Safari).
2.  Testing for false positives
    I ran two servers.
    a. polygerrit-ui/run_server.sh
    b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html
    I noticed that in both the dev console showed 'initResin' early and
    paging around showed no violation reports.
3.  Testing for true negatives
    I patched in the diff at the end of this description, and reran
    both server environments.
    I noted that browsing to localhost:8081/#javascript:alert(1)
    and localhost:8080/#javascript:alert(1) both showed a
    violation report about javascript:alert(1) being rejected.
    Clicking Changes / XSS did not result in a popup.

Differences
===========
This loads the non-debug version but configured with a console reporter
so should minimize code size and speed overhead.
This loads via gr-app so the input is automatically vulcanized.

--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -56,6 +56,11 @@
         url: '/q/status:abandoned',
         name: 'Abandoned',
       },
+      {  // HACK DO NOT SUBMIT
+        url: (location.hash && location.hash.replace(/^#/, ''))
+            || '/echoes_hash',
+        name: 'XSS',
+      },
     ],
   }];
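Review bot: the `HACK DO NOT SUBMIT` item copies `location.hash` (minus its leading `#`) straight into a menu entry's `url`, so any scheme-prefixed fragment, including the `javascript:alert(1)` case the description exercises, becomes a link target; that is the intended probe for polymer-resin's URL rejection and, as the inline comment says, must not land in the submitted change. Because this hunk lives in the commit message rather than the reviewed diff, a sentence stating that the shipped change carries no such menu item would spare future readers of the history from having to verify it.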
--- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
+++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
@@ -93,6 +93,7 @@
     },

     _computeRelativeURL(path) {
+if (path && /^\w+\:/.test(path)) { return path; }  // HACK DO NOT SUBMIT
       const host = window.location.host;
       return this._computeURLHelper(host, path);
     },
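Review bot: the added early return in `_computeRelativeURL` is not indented to the surrounding method body, and the `\:` in `/^\w+\:/` is an unnecessary escape (`/^\w+:/` is equivalent). Functionally the line lets any scheme-prefixed path skip the host-relative normalisation, which is what allows the `javascript:` test vector to reach the binding; acceptable for a local probe, but like the menu-item hunk it carries `DO NOT SUBMIT` and should be confirmed absent from the actual change.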

Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34
2017-06-26 10:45:10 -07:00


<!DOCTYPE html>
<!--
Copyright (C) 2017 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- polymer-resin must be installed before any element that binds data,
     so it is imported and configured ahead of the test helpers. -->
<link rel="import"
    href="../bower_components/polymer-resin/standalone/polymer-resin.html" />
<script>
  security.polymer_resin.install({
    // Same setting as gr-app: every dynamically bound id is allowed.
    allowedIdentifierPrefixes: [''],
    // Delegate to the console reporter gr-app uses, then fail the test.
    reportHandler(isViolation, fmt, ...args) {
      const log = security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER;
      log(isViolation, fmt, ...args);
      if (isViolation) {
        // This will cause the test to fail if there is a data binding
        // violation.
        throw new Error(
            'polymer-resin violation: ' + fmt
            + JSON.stringify(args));
      }
    },
  });
</script>
<link rel="import"
    href="../bower_components/iron-test-helpers/iron-test-helpers.html" />
<link rel="import" href="test-router.html" />
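As an added illustration of the two behaviours this page relies on, the `javascript:` URL from the commit message being rejected and reported while ordinary paths pass, and the test-setup pattern above of wrapping the console reporter in a handler that throws on a violation, here is a standalone JavaScript sketch in the shape of the `install({allowedIdentifierPrefixes, reportHandler})` options. It is not polymer-resin's implementation and not code from the Gerrit project; `installPolicy`, `sanitizeUrlBinding`, `schemeOf`, `menuUrlFromHash`, the scheme allowlist and the `INNOCUOUS_URL` replacement value are assumptions of this example. It goes a little beyond the page's single test vector by also handling leading whitespace and mixed-case schemes, and by modelling the id-prefix check that the `''` prefix disables.

```javascript
// Added example: a simplified model of a URL-binding policy with a pluggable
// report handler, in the shape of the install() options used on this page.
// It is not polymer-resin's implementation; the function names, the scheme
// allowlist and the INNOCUOUS_URL replacement value are assumptions.
'use strict';

// Value substituted for a rejected URL so the binding never carries the payload.
const INNOCUOUS_URL = 'about:invalid#zClosurez';

// Schemes an href/src binding may carry; any other scheme is a violation.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Stands in for the console reporter gr-app uses in production.
function consoleReportHandler(isViolation, fmt, ...args) {
  if (isViolation) {
    console.error(fmt, ...args);
  } else {
    console.log(fmt, ...args);
  }
}

// Stands in for the test-setup handler: log, then throw so the test fails.
function throwingReportHandler(isViolation, fmt, ...args) {
  consoleReportHandler(isViolation, fmt, ...args);
  if (isViolation) {
    throw new Error('polymer-resin violation: ' + fmt + ' ' + JSON.stringify(args));
  }
}

// Returns the lower-cased scheme of a URL value, or null for a relative URL.
// Leading control characters and spaces are dropped first, since browsers
// ignore them when resolving a URL, so ' JavaScript:...' still has a scheme.
function schemeOf(value) {
  const trimmed = String(value).replace(/^[\x00-\x20]+/, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Checks one URL-valued binding. Relative paths and fragments have no scheme
// and pass; a colon later in the path ('/q/status:abandoned') is not a
// scheme. Scheme-bearing values must use an allowed scheme or are replaced.
function sanitizeUrlBinding(value, reportHandler) {
  const scheme = schemeOf(value);
  if (scheme === null || ALLOWED_SCHEMES.has(scheme)) {
    return {value: String(value), violation: false};
  }
  reportHandler(true, 'Rejected URL with scheme %s bound to href/src: %o', scheme, value);
  return {value: INNOCUOUS_URL, violation: true};
}

// Models install({allowedIdentifierPrefixes, reportHandler}): returns the
// checker a template binding would pass its attribute name and value through.
function installPolicy({allowedIdentifierPrefixes = [], reportHandler = consoleReportHandler} = {}) {
  return function checkBinding(attrName, value) {
    const name = String(attrName).toLowerCase();
    if (name === 'href' || name === 'src') {
      return sanitizeUrlBinding(value, reportHandler);
    }
    if (name === 'id') {
      const id = String(value);
      // A '' prefix, as gr-app and the test setup configure, admits every id.
      if (allowedIdentifierPrefixes.some(prefix => id.startsWith(prefix))) {
        return {value: id, violation: false};
      }
      reportHandler(true, 'Rejected dynamic id %o: no allowed prefix', id);
      return {value: '', violation: true};
    }
    // Attributes this sketch does not model pass through unchanged.
    return {value: String(value), violation: false};
  };
}

// The probe from the commit message: a menu URL taken from location.hash with
// the leading '#' removed, falling back to '/echoes_hash'.
function menuUrlFromHash(hash) {
  return (hash && hash.replace(/^#/, '')) || '/echoes_hash';
}

// Walk-through of the dev-server environment described in the commit message.
const devPolicy = installPolicy({allowedIdentifierPrefixes: [''], reportHandler: consoleReportHandler});
console.log(devPolicy('href', '/q/status:abandoned'));                   // passes unchanged
console.log(devPolicy('href', menuUrlFromHash('#javascript:alert(1)'))); // replaced, violation reported
```

The fragment form `#javascript:alert(1)` has no scheme and passes, which is why the commit message's probe strips the `#` before binding the value; with the throwing handler installed, the same rejected binding surfaces as an exception instead of only a console line, so a test run stops at the first violation.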